Edit tour

Windows Analysis Report
2T10XBqS6g.exe

Overview

General Information

Sample name:	2T10XBqS6g.exe renamed because original name is a hash value
Original sample name:	5266c53649caa9edea2f4ab58d58f511.bat
Analysis ID:	1590600
MD5:	5266c53649caa9edea2f4ab58d58f511
SHA1:	cc4dea13bd65697ef12e10cc404fbebca42f48ee
SHA256:	70c1d9f480bba58360e42af222d4c1a3ff7dc5d0f2a6d96b1650dc6076027d52
Infos:

Detection

GuLoader

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Detected non-DNS traffic on DNS port

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Sigma detected: Execution of Suspicious File Type Extension

Spawns drivers

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w11x64_office

2T10XBqS6g.exe (PID: 1032 cmdline: "C:\Users\user\Desktop\2T10XBqS6g.exe" MD5: 5266C53649CAA9EDEA2F4AB58D58F511)

SystemSettingsBroker.exe (PID: 2868 cmdline: C:\Windows\System32\SystemSettingsBroker.exe -Embedding MD5: 899E65893CDEE7F9022DC9B583F94F0F)

rassstp.sys (PID: 4 cmdline: MD5: 6931A955F0697B3A675E3F1B1B058D96)

ndproxy.sys (PID: 4 cmdline: MD5: 8236B9B87FCB51A225A5B69A23C6DCBA)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000002.00000002.3824728797.0000000003120000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

Sigma detected: Execution of Suspicious File Type Extension

Source: Process started

Author: Max Altgelt (Nextron Systems): Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\rassstp.sys, NewProcessName: C:\Windows\System32\drivers\rassstp.sys, OriginalFileName: C:\Windows\System32\drivers\rassstp.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: rassstp.sys

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: 2T10XBqS6g.exe	Virustotal: Detection: 33%			Perma Link
Source: 2T10XBqS6g.exe	ReversingLabs: Detection: 31%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 97.3% probability

Source: 2T10XBqS6g.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 2T10XBqS6g.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Code function: 2_2_004069DF FindFirstFileW,FindClose,	2_2_004069DF
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Code function: 2_2_00405D8E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	2_2_00405D8E
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Code function: 2_2_00402910 FindFirstFileW,	2_2_00402910

Source: global traffic

TCP traffic: 192.168.2.25:61352 -> 1.1.1.1:53

Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1

Source: 2T10XBqS6g.exe

String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

Code function: 2_2_00405846 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,LdrInitializeThunk,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,LdrInitializeThunk,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

2_2_00405846

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

Code function: 2_2_00403645 EntryPoint,LdrInitializeThunk,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,LdrInitializeThunk,LdrInitializeThunk,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,LdrInitializeThunk,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,LdrInitializeThunk,wsprintfW,GetFileAttributesW,DeleteFileW,LdrInitializeThunk,SetCurrentDirectoryW,LdrInitializeThunk,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,LdrInitializeThunk,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,LdrInitializeThunk,ExitWindowsEx,ExitProcess,

2_2_00403645

Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Code function: 2_2_00406DA0		2_2_00406DA0
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Code function: 2_2_6E1D1BFF		2_2_6E1D1BFF

Source: unknown

Driver loaded: C:\Windows\System32\drivers\rassstp.sys

Source: 2T10XBqS6g.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.troj.evad.winEXE@2/8@0/0

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

2_2_00403645

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

Code function: 2_2_00404AF2 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,LdrInitializeThunk,GetDiskFreeSpaceW,MulDiv,LdrInitializeThunk,SetDlgItemTextW,

2_2_00404AF2

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

Code function: 2_2_004021AF LdrInitializeThunk,LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,

2_2_004021AF

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

File created: C:\Users\user\eftermodnendes

Jump to behavior

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

File created: C:\Users\user\AppData\Local\Temp\nsxB253.tmp

Jump to behavior

Source: 2T10XBqS6g.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 2T10XBqS6g.exe	Virustotal: Detection: 33%
Source: 2T10XBqS6g.exe	ReversingLabs: Detection: 31%

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

File read: C:\Users\user\Desktop\2T10XBqS6g.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\2T10XBqS6g.exe "C:\Users\user\Desktop\2T10XBqS6g.exe"
Source: unknown	Process created: C:\Windows\System32\SystemSettingsBroker.exe C:\Windows\System32\SystemSettingsBroker.exe -Embedding

Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: systemsettings.datamodel.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: audiohandlers.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: mmdevapi.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: uvcmodel.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: audioses.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: devobj.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: cfgmgr32.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: capabilityaccessmanagerclient.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: settingshandlers_display.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: deviceassociation.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: settingshandlers_accessibility.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.cloudstore.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.media.devices.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.internal.accessibility.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.internal.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: usermgrcli.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: settingshandlers_sharedexperiences_rome.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.devices.radios.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: appextension.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: mrmcorer.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.ui.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.cloudstore.schema.shell.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: cdp.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: languageoverlayutil.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: settingshandlers_devices.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: wincorlib.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: bcp47mrm.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.staterepositorycore.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: deviceflows.datamodel.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: threadpoolwinrt.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: devdispitemprovider.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: devicedisplaystatusmanager.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: fundisc.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: fddevquery.dll	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Section loaded: windows.graphics.dll	Jump to behavior

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

File written: C:\Users\user\AppData\Local\Temp\Setup.ini

Jump to behavior

Source: 2T10XBqS6g.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000002.00000002.3824728797.0000000003120000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

Code function: 2_2_6E1D1BFF LdrInitializeThunk,GlobalAlloc,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,lstrcpyW,GlobalFree,LdrInitializeThunk,GlobalFree,GlobalFree,GlobalFree,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,GlobalFree,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,lstrcpyW,LdrInitializeThunk,LdrInitializeThunk,GetModuleHandleW,LdrInitializeThunk,LoadLibraryW,GetProcAddress,lstrlenW,

2_2_6E1D1BFF

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

Code function: 2_2_6E1D30C0 push eax; ret

2_2_6E1D30EE

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

File created: C:\Users\user\AppData\Local\Temp\nsnB301.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\SystemSettingsBroker.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

RDTSC instruction interceptor: First address: 33BA302 second address: 33BA302 instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007FBE484EC09Fh 0x00000006 cmp ax, cx 0x00000009 test ah, ah 0x0000000b inc ebp 0x0000000c inc ebx 0x0000000d test edx, 139251E6h 0x00000013 rdtsc

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsnB301.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Code function: 2_2_004069DF FindFirstFileW,FindClose,	2_2_004069DF
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Code function: 2_2_00405D8E CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,LdrInitializeThunk,FindNextFileW,FindClose,	2_2_00405D8E
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	Code function: 2_2_00402910 FindFirstFileW,	2_2_00402910

Source: SystemSettingsBroker.exe, 00000025.00000002.3823013903.000001C34B483000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 2VMware Virtual USB Mouse
Source: SystemSettingsBroker.exe, 00000025.00000003.3137711419.000001C34D782000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SystemSettingsBroker.exe, 00000025.00000003.3137711419.000001C34D782000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware Virtual disk SCSI Disk DeviceB)xM
Source: SystemSettingsBroker.exe, 00000025.00000003.3137655326.000001C34D73F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: BBSCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: SystemSettingsBroker.exe, 00000025.00000003.3137655326.000001C34D73F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 4NECVMWar VMware SATA CD00
Source: SystemSettingsBroker.exe, 00000025.00000003.3137711419.000001C34D782000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: NECVMWar VMware SATA CD00\'xM
Source: SystemSettingsBroker.exe, 00000025.00000002.3824259437.000001C34D73D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ..SWD\COMPUTER\MFG_VMware__Inc.&PROD_VMware20_1
Source: SystemSettingsBroker.exe, 00000025.00000002.3824259437.000001C34D73D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wvid.inf,%vid.devicedesc%;Microsoft Hyper-V Virtualization Infrastructure Driverp
Source: SystemSettingsBroker.exe, 00000025.00000002.3824146405.000001C34D731000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Drivertion Infrastructure Driver
Source: SystemSettingsBroker.exe, 00000025.00000002.3823013903.000001C34B483000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware, Inc. VMware20,1
Source: SystemSettingsBroker.exe, 00000025.00000002.3824259437.000001C34D73D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wgencounter.inf,%gencounter.devicedesc%;Microsoft Hyper-V Generation Counter
Source: SystemSettingsBroker.exe, 00000025.00000003.3137655326.000001C34D73F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: v@oem1.inf,%loc.vmwarebusdevicedesc%;VMware VMCI Bus Devicep
Source: SystemSettingsBroker.exe, 00000025.00000002.3823013903.000001C34B483000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMware VMCI Bus Devicesdevicedesc%;VMware VMCI Bus Device
Source: SystemSettingsBroker.exe, 00000025.00000002.3824259437.000001C34D73D000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: 0VMware, Inc. VMware20,1
Source: SystemSettingsBroker.exe, 00000025.00000003.3137711419.000001C34D782000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: SystemSettingsBroker.exe, 00000025.00000002.3824146405.000001C34D731000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Microsoft Hyper-V Generation Countersc%;Microsoft Hyper-V Generation Counter\|
Source: SystemSettingsBroker.exe, 00000025.00000002.3824146405.000001C34D731000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: @wgencounter.infgencounter.devicedescMicrosoft Hyper-V Generation Counterwgencounter.inf1-2702878673-795188819-444038987-2781)S:(ML;;NX;;;LW)
Source: SystemSettingsBroker.exe, 00000025.00000003.3137655326.000001C34D73F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ;;SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
Source: SystemSettingsBroker.exe, 00000025.00000003.3137655326.000001C34D73F000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: JVMware Virtual disk SCSI Disk Device
Source: SystemSettingsBroker.exe, 00000025.00000002.3823013903.000001C34B483000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: SWD\COMPUTER\MFG_VMware__Inc.&PROD_VMware20_1

Source: C:\Users\user\Desktop\2T10XBqS6g.exe	API call chain: ExitProcess graph end node			graph_2-4393
Source: C:\Users\user\Desktop\2T10XBqS6g.exe	API call chain: ExitProcess graph end node			graph_2-4396

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

2_2_00403645

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

2_2_6E1D1BFF

Source: C:\Users\user\Desktop\2T10XBqS6g.exe

2_2_00403645

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 LSASS Driver	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Side-Loading	1 Process Injection	1 Access Token Manipulation	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 LSASS Driver	1 Process Injection	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
2T10XBqS6g.exe	33%	Virustotal		Browse
2T10XBqS6g.exe	32%	ReversingLabs	Win32.Trojan.Guloader

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsnB301.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsnB301.tmp\System.dll	3%	Virustotal		Browse

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	2T10XBqS6g.exe	false		high

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1590600
Start date and time:	2025-01-14 10:55:56 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09
Run name:	Potential for more IOCs and behavior
Number of analysed new started processes analysed:	40
Number of new started drivers analysed:	2
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	2T10XBqS6g.exe renamed because original name is a hash value
Original Sample Name:	5266c53649caa9edea2f4ab58d58f511.bat
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@2/8@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 99% Number of executed functions: 47 Number of non-executed functions: 33
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, SecurityHealthHost.exe, dllhost.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, appidcertstorecheck.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 23.51.58.94, 52.149.20.212, 40.126.31.71
Excluded domains from analysis (whitelisted): assets.msn.com, client.wns.windows.com, fs.microsoft.com, slscr.update.microsoft.com, otelrules.svc.static.microsoft, login.live.com, browser.events.data.msn.cn, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsnB301.tmp\System.dll	ZAMOWIEN.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse
	https://github.com/Ultimaker/Cura/releases/download/5.9.0/UltiMaker-Cura-5.9.0-win64-X64.exe	Get hash	malicious	Unknown	Browse
	RFQ_BDS636011.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Quotation.exe	Get hash	malicious	FormBook, GuLoader	Browse
	CERTIFICADO TITULARIDAD.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe	Get hash	malicious	GuLoader	Browse
	D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Setup.ini

Download File

Process:	C:\Users\user\Desktop\2T10XBqS6g.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	25
Entropy (8bit):	4.0536606896881855
Encrypted:	false
SSDEEP:	3:8+dB4WYiTNvn:8AbYiTNvn
MD5:	08CA75DA54EB4810D18796C97F510A55
SHA1:	3D9B020193D16E7D0F5392EF7693A6C5C6D2531D
SHA-256:	E628D2EE9FE054256B42FFDEC449254437949DEB45B13354D515579CE3E0618E
SHA-512:	46D71D69FDCBF9069E74C1176080637A1356E747FA1A1C852172CF0BB36F44ED7D741EB6DF029F333D690E500462DFC9EDEB8B4EB7BB9642C907B792F30DED9A
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Bus Clock]..Gats=Galse..

C:\Users\user\AppData\Local\Temp\nsnB264.tmp

Download File

Process:	C:\Users\user\Desktop\2T10XBqS6g.exe
File Type:	data
Category:	dropped
Size (bytes):	1155000
Entropy (8bit):	3.8859756205821308
Encrypted:	false
SSDEEP:	6144:uGCTw0AM098lISZXIUDvtA5QNQWjM3Yt+kZ+NCiyCe40DX7DBII0M1S9L76R:JCTw03L9ZXI4a2QGM3HkXkCX7xS9CR
MD5:	38A7F42F627D0CFEDB0C6AA615ED9033
SHA1:	83D88F62301313DF7684F010059F31E6DFD98F09
SHA-256:	5997C5EE4C46C86EE31FE005BD75537E30F9DFEBB101898813142C535902DA9C
SHA-512:	19829ACEEFBFA48E9EB68E22FB14602556EA577F8E21A4068FFF9E6C3D56837ADC6B5F560828DB2FFF4E9B62A585F0FA8E16BD20B452FFB02BB73EE293D8F8D2
Malicious:	false
Reputation:	low
Preview:	H.......,...................V...,...............H...........................................................................................................................................................................................................................................G...Y...........,...j...............................................................................................................................b...................W...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsnB301.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\2T10XBqS6g.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.805604762622714
Encrypted:	false
SSDEEP:	192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
MD5:	4ADD245D4BA34B04F213409BFE504C07
SHA1:	EF756D6581D70E87D58CC4982E3F4D18E0EA5B09
SHA-256:	9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
SHA-512:	1BD260CABE5EA3CEFBBC675162F30092AB157893510F45A1B571489E03EBB2903C55F64F89812754D3FE03C8F10012B8078D1261A7E73AC1F87C82F714BCE03D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 3%, Browse
Joe Sandbox View:	Filename: ZAMOWIEN.BAT.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: RFQ_BDS636011.exe, Detection: malicious, Browse Filename: Quotation.exe, Detection: malicious, Browse Filename: CERTIFICADO TITULARIDAD.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.4932.17674.exe, Detection: malicious, Browse Filename: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...S.d...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\eftermodnendes\ringeagt\Daystars216.tre

Download File

Process:	C:\Users\user\Desktop\2T10XBqS6g.exe
File Type:	data
Category:	dropped
Size (bytes):	114454
Entropy (8bit):	1.2519787240577294
Encrypted:	false
SSDEEP:	768:RRDt23AKhN87PfNufvVxTfdx5U5Flf6VAETw:YEevVx2h
MD5:	F85E20AA1A28EEFFC89F744F6B6B67B3
SHA1:	B61AEF131017C5605647983CE2D55769914BB104
SHA-256:	C388ED22B7E44C0C3FDD6D064DD070DCA64CEA1E83D6151566641E7438C346ED
SHA-512:	EA89503F496B30DA5EAA74BB479007BB6B93463B775F16810A4391E79389A219398AC81DCCDD79C3F60E85DF77AA985E405BDF7B477C8F3217ECC3B7460BEE6A
Malicious:	false
Preview:	...............................m.......................5............}.......t......^..................................................)..........................................;......B.......................................................................*....................3.......s.......................+.+...@=.......O..........................G...................M...........g...................#.........................................................................................................v......................e........n......,...................b.................................e.................Y.......=..........................................................a........j.../.........#..........................`..................................>........\..................................... ..................................................g..R.........................................................................g...............................N....................

C:\Users\user\eftermodnendes\ringeagt\Skvinge18.alt

Download File

Process:	C:\Users\user\Desktop\2T10XBqS6g.exe
File Type:	data
Category:	dropped
Size (bytes):	310550
Entropy (8bit):	1.2527719188567612
Encrypted:	false
SSDEEP:	1536:CfvXvtPDO00Rz1DXs2sASdJwvyfnpZkL:klDO0MDRS9k
MD5:	72FA348549D0BD9CE66E5F3EBA54DF3A
SHA1:	D5B4797D07374226CD8173964DF8753F4ABB9E6E
SHA-256:	7F24A44B47D2C036AACE03D4F5EBEA053CED6ED06CE01ED70E6FD8AEE8211CC9
SHA-512:	D375FC28BBA68A52E4C2CB97A9ADA416D38F29B21004F1853DC14ACF28CDE2A802D51FD66901D993DAA58E50D8C87FD2A8827482633B0B9874FF64F8442492B1
Malicious:	false
Preview:	...e......J.........................................................................................................................................J........K...............................L...........................v.............................................................................%..:...................F.................................................................\|...1.....A..................................1........d...................J..X..........................x..............x..."..........................`.........................................................[...................t.......................2..............................................................................t....................................................$...\...............!..........................\|....................................r.............................W.............................................X.....................................................q.................

C:\Users\user\eftermodnendes\ringeagt\Sufferers.Gyr

Download File

Process:	C:\Users\user\Desktop\2T10XBqS6g.exe
File Type:	data
Category:	dropped
Size (bytes):	309745
Entropy (8bit):	7.569098036898635
Encrypted:	false
SSDEEP:	6144:5GCTw0AM098lISZXIUDvtA5QNQWjM3Yt+kZ+NCiyC6:kCTw03L9ZXI4a2QGM3HkX1
MD5:	E5DB339C9BC74BBBF87F00D895C3CE7D
SHA1:	7E81D22286BBC4F9DE3EE19632FE4393C000A19C
SHA-256:	85BD4C3E0830FF240D546F22B590A70A78C9D273ABEDCEC034C07794A170A319
SHA-512:	A6ECC38DD64383B6355111D7454FDE81B103601439AB7B9C83951A4CCE182031D16BE5E1096C905335E1C970942875B8CD35BFC400AF3CF470DBFE527832576F
Malicious:	false
Preview:	...................................."..}}}}........&..u..44.@.......SS.........eeee.........]....................****............c..............................C.MM...........HH...................II....................{{{{......aaaa......tt...................h............a..V.............$............ee...NNN.U...Y.G........:...............................\|\|................V.''''.....................;..W.`...GG...77.......Z.U.ll......d.iiii.WWWW................4..OO............RRRR.l..........T.................F.......................f.........i...............................22.....E........F...................;............ttt......."".......%............>>.JJJJ.~~.......................I........Q..........................S.YYY...................w..V.....\|..@@.$$.<........(.'''''.....h...................WW...\|\|.;.9999...s...&...ii..a...::::..N..........!..>....i.11.....y.....3..M..x..............oo........=...aa........0..........)...........r.........ii.............}}...........ooo...

C:\Users\user\eftermodnendes\ringeagt\bttefulde.tox

Download File

Process:	C:\Users\user\Desktop\2T10XBqS6g.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 0-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 8589934592.000000
Category:	dropped
Size (bytes):	267655
Entropy (8bit):	1.2559804952290619
Encrypted:	false
SSDEEP:	768:HbUhrUe+zlum+LaFrAX40edupFSsZVfeTkVhbbCGx6+ZOoJrrSVlRM9k8rZgQWze:ICFg/VP97pb14sZg
MD5:	F6A4342C9271CFFEF29695EEA330941E
SHA1:	291ABCFA507BA730832511E5F47EAA2CB4DFABBD
SHA-256:	605B31C886C5989625152D1CD58BCACF2827DE36CC67B5D94D6B425955CEDBA6
SHA-512:	D839DD8E3D74B7500F32318403BEAC3BA2DA83C48EF21555E78D368AA0404AC750DB1DD7EB8A7196DA32FBE3D880B66ED3166A39F17D8D0D13C9C4B19435530C
Malicious:	false
Preview:	...........T.........'......'....A........s.................@.....................................................................N......M...........^................................t............Q.......R...r.........................................................6..................Q...I........<....d......................................................................................B.....p............/.........................................."...b..@...................Q...........!.................................f............................`.................d.................................L.........f...o....................................................................................s...................i.....................S.b..A...............................................................U..o................................................................../...............................................................................................`..................

C:\Users\user\eftermodnendes\ringeagt\utidige.Gau

Download File

Process:	C:\Users\user\Desktop\2T10XBqS6g.exe
File Type:	data
Category:	dropped
Size (bytes):	133033
Entropy (8bit):	4.593734870096358
Encrypted:	false
SSDEEP:	1536:sS8+1gLo/MpFTtd62wA8i0rH/SHGphackCh1Up78GsvP2Jl275nr4okWO/h:BgL6MpFberHX9JhBPBEokr
MD5:	5571C0F9CABA24DDC31B19F2680AC58C
SHA1:	7D80A671FCE50A911EC74C527770D6D1EC92C0FC
SHA-256:	21B871645A5DE53B99910AC3F464A5E9C6C29715603F4975F437C2A9FF3B264A
SHA-512:	8E33180BA9D6165C44B03B56A8224C7D0F2FBACB06102C0FD195391F2350DE648AC4CAB82D58D59D87B83519B484242061F4122082099B6595F91C090FFBEA89
Malicious:	false
Preview:	....>..............o.............'.............{.......TT.............b....222222.....LL.w......UU.,.....##..............\|\|........._..........~~~~~..jj...D...MMM...............................[...j......'.................>>..ccccc............................k...........................mmm.............$$...................{.......................VV.....UUU.....33.........L.ww....LLLL...................Y........ss.*......b..........................F................n...88...l.&.....@@..........l........q.......GG.........................r.......PP..C....y......................................EE............i.......F.>...........(...........g..........{{..E........................--......................-.................;.............bb.....ssssss...WW.....WW.E..).._.....[[.NNN.........u.....X..q......IIII...qq...............xxx...pp..............x..........oo......-.................................G..............................................[.u....................OOOOO................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.733854525663187
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	2T10XBqS6g.exe
File size:	578'624 bytes
MD5:	5266c53649caa9edea2f4ab58d58f511
SHA1:	cc4dea13bd65697ef12e10cc404fbebca42f48ee
SHA256:	70c1d9f480bba58360e42af222d4c1a3ff7dc5d0f2a6d96b1650dc6076027d52
SHA512:	3284c03bbdc622d6f4f2dfc2f77e37540e9007382e1c44cc1b98cc0aebf63c125c1560b59d429f8780a2b0d0450bd31566b946c4daa6f3c142520c25bd01e56f
SSDEEP:	12288:UnPdMEc/A4e/wKOBwCYSUu9EEwH5IvhJGspQCZu6:EPdMEc/AN/XOBwCYSN9EEwZI6spQR6
TLSH:	4EC4F1F6F650C267E61F0D34DA72A8F01990BC39D1D1483B43A47DADF472A62589BA0F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...g..d.................h...".....

File Icon


Icon Hash:	4571753721719a8d

Static PE Info

General

Entrypoint:	0x403645
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A0DC67 [Sun Jul 2 02:09:43 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	9dda1a1d1f8a1d13ae0297b47046b26e

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A230h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A0h]
mov esi, dword ptr [004080A4h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007FBE48BA4F6Ah
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007FBE48BA4F38h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [00429B18h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4a000	0x18858	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x66b7	0x6800	e65344ac983813901119e185754ec24e	False	0.6607196514423077	data	6.4378696011937135	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1358	0x1400	bd82d08a08da8783923a22b467699302	False	0.4431640625	data	5.103358601944578	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1fb78	0x600	caa377d001cfc3215a3edff6d7702132	False	0.5091145833333334	data	4.126209888385862	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x20000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4a000	0x18858	0x18a00	73bbe3fdd1585fbd610b24874590b455	False	0.22416322969543148	data	5.2980000367452575	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4a418	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.14908908079971608
RT_ICON	0x5ac40	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.27520746887966807
RT_ICON	0x5d1e8	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.3553001876172608
RT_ICON	0x5e290	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.48667377398720685
RT_ICON	0x5f138	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.43934426229508194
RT_ICON	0x5fac0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.569043321299639
RT_ICON	0x60368	0x6c8	Device independent bitmap graphic, 24 x 48 x 8, image size 672	English	United States	0.5552995391705069
RT_ICON	0x60a30	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	English	United States	0.18841463414634146
RT_ICON	0x61098	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.4869942196531792
RT_ICON	0x61600	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.598404255319149
RT_ICON	0x61a68	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.26344086021505375
RT_ICON	0x61d50	0x1e8	Device independent bitmap graphic, 24 x 48 x 4, image size 384	English	United States	0.3094262295081967
RT_ICON	0x61f38	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.42905405405405406
RT_DIALOG	0x62060	0x100	data	English	United States	0.5234375
RT_DIALOG	0x62160	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x62280	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x622e0	0xbc	data	English	United States	0.601063829787234
RT_VERSION	0x623a0	0x174	data	English	United States	0.5860215053763441
RT_MANIFEST	0x62518	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, WriteFile, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, CreateFileW, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, CopyFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 10:56:47.635592937 CET	61352	53	192.168.2.25	1.1.1.1
Jan 14, 2025 10:56:47.640618086 CET	53	61352	1.1.1.1	192.168.2.25
Jan 14, 2025 10:56:47.640731096 CET	61352	53	192.168.2.25	1.1.1.1
Jan 14, 2025 10:56:47.645850897 CET	53	61352	1.1.1.1	192.168.2.25
Jan 14, 2025 10:56:48.107575893 CET	61352	53	192.168.2.25	1.1.1.1
Jan 14, 2025 10:56:48.112653971 CET	53	61352	1.1.1.1	192.168.2.25
Jan 14, 2025 10:56:48.112729073 CET	61352	53	192.168.2.25	1.1.1.1

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Jan 14, 2025 10:56:47.634723902 CET	53	58475	1.1.1.1	192.168.2.25

Target ID:	2
Start time:	04:56:57
Start date:	14/01/2025
Path:	C:\Users\user\Desktop\2T10XBqS6g.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\2T10XBqS6g.exe"
Imagebase:	0x400000
File size:	578'624 bytes
MD5 hash:	5266C53649CAA9EDEA2F4AB58D58F511
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.3824728797.0000000003120000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	37
Start time:	04:59:49
Start date:	14/01/2025
Path:	C:\Windows\System32\SystemSettingsBroker.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\System32\SystemSettingsBroker.exe -Embedding
Imagebase:	0x7ff751e40000
File size:	220'536 bytes
MD5 hash:	899E65893CDEE7F9022DC9B583F94F0F
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	39
Start time:	04:59:50
Start date:	14/01/2025
Path:	C:\Windows\System32\drivers\rassstp.sys
Wow64 process (32bit):	false
Commandline:
Imagebase:	0x7ff77f310000
File size:	122'880 bytes
MD5 hash:	6931A955F0697B3A675E3F1B1B058D96
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	40
Start time:	04:59:50
Start date:	14/01/2025
Path:	C:\Windows\System32\drivers\ndproxy.sys
Wow64 process (32bit):
Commandline:
Imagebase:
File size:	122'880 bytes
MD5 hash:	8236B9B87FCB51A225A5B69A23C6DCBA
Has elevated privileges:
Has administrator privileges:
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	15.9%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16%
Total number of Nodes:	1603
Total number of Limit Nodes:	35

Executed Functions

Function 00403645 Relevance: 84.5, APIs: 32, Strings: 16, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403668
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403693
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 004036A6
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040373F
#17.COMCTL32(?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 0040377C
OleInitialize.OLE32(00000000), ref: 00403783
SHGetFileInfoW.SHELL32(00420F08,00000000,?,000002B4,00000000), ref: 004037A2
GetCommandLineW.KERNEL32(00428A60,NSIS Error,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 004037B7
CharNextW.USER32(00000000,"C:\Users\user\Desktop\2T10XBqS6g.exe",?,"C:\Users\user\Desktop\2T10XBqS6g.exe",00000000,?,?,0000000A,?), ref: 004037F0
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403928
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403939
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403945
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403959
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403961
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403972
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 0040397A
DeleteFileW.KERNELBASE(1033,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 0040398E
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\2T10XBqS6g.exe",00000000,?,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403A67

Part of subcall function 00406682: lstrcpynW.KERNEL32(?,?,00000400,004037B7,00428A60,NSIS Error,?,?,0000000A,?), ref: 0040668F

wsprintfW.USER32 ref: 00403AC4
GetFileAttributesW.KERNEL32(0042C800,C:\Users\user\AppData\Local\Temp\), ref: 00403AF7
DeleteFileW.KERNEL32(0042C800), ref: 00403B03
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403B31

Part of subcall function 00406442: MoveFileExW.KERNEL32(?,?,00000005,00405F40,?,00000000,000000F1,?,?,?,?,?), ref: 0040644C

CopyFileW.KERNEL32(C:\Users\user\Desktop\2T10XBqS6g.exe,0042C800,?,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403B47

Part of subcall function 00405C65: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F50,?,?,?,0042C800,?), ref: 00405C8E
Part of subcall function 00405C65: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405C9B

Part of subcall function 004069DF: FindFirstFileW.KERNELBASE(7511ED70,00425F98,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,004060A2,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,7511ED70,?,7511E810,00405DAE,?,7511ED70,7511E810), ref: 004069EA
Part of subcall function 004069DF: FindClose.KERNEL32(00000000), ref: 004069F6

OleUninitialize.OLE32(?,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403B95
ExitProcess.KERNEL32 ref: 00403BB2
CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,0042C800,00000000), ref: 00403BB9
GetCurrentProcess.KERNEL32(?,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403BD5
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403BDC
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403BF1
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403C14
ExitWindowsEx.USER32(00000002,80040002), ref: 00403C39
ExitProcess.KERNEL32 ref: 00403C5C

Part of subcall function 00405C30: CreateDirectoryW.KERNELBASE(?,00000000,00403638,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,?,0000000A,?), ref: 00405C36

Strings

NSIS Error, xrefs: 004037A8
Low, xrefs: 0040395B
TMP, xrefs: 00403975
C:\Users\user\eftermodnendes\ringeagt, xrefs: 0040390D, 00403A2F, 00403A7C, 00403A8A
~nsu%X.tmp, xrefs: 00403ABB
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040365C
Error launching installer, xrefs: 00403A10
SeShutdownPrivilege, xrefs: 00403BEB
"C:\Users\user\Desktop\2T10XBqS6g.exe", xrefs: 004037BD, 004037C3, 004037D8, 004039B6
C:\Users\user\AppData\Local\Temp\, xrefs: 0040391D, 00403922, 00403938, 00403944, 00403953, 00403960, 0040396C, 00403974, 00403A62, 00403AE3, 00403B0F, 00403B30, 00403B39
C:\Users\user\Desktop\2T10XBqS6g.exe, xrefs: 00403B42
1033, xrefs: 00403989
\Temp, xrefs: 0040393F
UXTHEME, xrefs: 00403733, 00403738, 0040373E
TEMP, xrefs: 0040396D
user32::EnumWindows(i r1 ,i 0), xrefs: 00403A72

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: "C:\Users\user\Desktop\2T10XBqS6g.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\2T10XBqS6g.exe$C:\Users\user\eftermodnendes\ringeagt$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$user32::EnumWindows(i r1 ,i 0)$~nsu%X.tmp
API String ID: 1813718867-1787870659
Opcode ID: 0478bff6c520e1fcae09ae2a6132b709cffae3f0026663cdf2ec71cee886cdca
Instruction ID: d2a3103bd0adf94391fd0ebfa47e937d37e61a7cc597b22c14a72094b2238e17
Opcode Fuzzy Hash: 0478bff6c520e1fcae09ae2a6132b709cffae3f0026663cdf2ec71cee886cdca
Instruction Fuzzy Hash: 4CF1E531604300AAD320AF759D05B2B7EE8AB8570AF11483FF585B22D1DB7C9A41CB6E

Function 00405D8E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,7511ED70,7511E810,"C:\Users\user\Desktop\2T10XBqS6g.exe"), ref: 00405DB7
lstrcatW.KERNEL32(00424F50,\*.*,00424F50,?,?,7511ED70,7511E810,"C:\Users\user\Desktop\2T10XBqS6g.exe"), ref: 00405DFF
lstrcatW.KERNEL32(?,0040A014,?,00424F50,?,?,7511ED70,7511E810,"C:\Users\user\Desktop\2T10XBqS6g.exe"), ref: 00405E22
lstrlenW.KERNEL32(?,?,0040A014,?,00424F50,?,?,7511ED70,7511E810,"C:\Users\user\Desktop\2T10XBqS6g.exe"), ref: 00405E28
FindFirstFileW.KERNEL32(00424F50,?,?,?,0040A014,?,00424F50,?,?,7511ED70,7511E810,"C:\Users\user\Desktop\2T10XBqS6g.exe"), ref: 00405E38
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405ED8
FindClose.KERNEL32(00000000), ref: 00405EE7

Strings

"C:\Users\user\Desktop\2T10XBqS6g.exe", xrefs: 00405D97
\*.*, xrefs: 00405DF9
POB, xrefs: 00405DE7

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\2T10XBqS6g.exe"$POB$\*.*
API String ID: 2035342205-1142732839
Opcode ID: 3d2f7fed8d6250162ff3c39f7b63e528597fb1dc0209ffdda96aed75cda8f6cd
Instruction ID: 5ad7ae4105776224b4bb644c15053e07d5ebc7bd6c5330578b1f64027da07968
Opcode Fuzzy Hash: 3d2f7fed8d6250162ff3c39f7b63e528597fb1dc0209ffdda96aed75cda8f6cd
Instruction Fuzzy Hash: 6F41D330400A15AACB21AB65CC49BBF7678EF41718F24417FF895B11C1D77C4A82DEAE

Function 00406DA0 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ef02b19721ac815a4354a2b384e5822db0a29b40c19b0eeafe3a712687496ea
Instruction ID: 5203db86b2e08fd3ebfde089d8ff8c44169432d1db75552ad8ea7513f2b1afa9
Opcode Fuzzy Hash: 3ef02b19721ac815a4354a2b384e5822db0a29b40c19b0eeafe3a712687496ea
Instruction Fuzzy Hash: 64F16570D04229CBDF28CFA8C8946ADBBB1FF44305F25856ED856BB281D7385A86CF45

Function 004069DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(7511ED70,00425F98,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,004060A2,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,7511ED70,?,7511E810,00405DAE,?,7511ED70,7511E810), ref: 004069EA
FindClose.KERNEL32(00000000), ref: 004069F6

Strings

C:\Users\user\AppData\Local\Temp\nsnB301.tmp, xrefs: 004069DF

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsnB301.tmp
API String ID: 2295610775-1217847721
Opcode ID: 5aa02b152b1bdaa4a45d264aeb005cec44e37fe5ecd5a9a233d7a39d055da6f3
Instruction ID: 87b64c9cece2c57c139ea7904c9da033401fae8fb112df8880c97ca139bbac6e
Opcode Fuzzy Hash: 5aa02b152b1bdaa4a45d264aeb005cec44e37fe5ecd5a9a233d7a39d055da6f3
Instruction Fuzzy Hash: EBD012716096205BD64067386E0C94B7A589F16331722CA36F06BF21E0D7348C628A9C

Function 00403D54 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406A76: GetModuleHandleA.KERNEL32(?,?,?,00403755,?,?,?,?,?,?,?,?,?), ref: 00406A88
Part of subcall function 00406A76: GetProcAddress.KERNEL32(00000000,?), ref: 00406AA3

lstrcatW.KERNEL32(1033,00422F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F48,00000000,00000002,7511ED70,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\2T10XBqS6g.exe",00008001), ref: 00403DD5
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\eftermodnendes\ringeagt,1033,00422F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F48,00000000,00000002,7511ED70), ref: 00403E55
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\eftermodnendes\ringeagt,1033,00422F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F48,00000000), ref: 00403E68
GetFileAttributesW.KERNEL32(Call), ref: 00403E73
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\eftermodnendes\ringeagt), ref: 00403EBC

Part of subcall function 004065C9: wsprintfW.USER32 ref: 004065D6

RegisterClassW.USER32(00428A00), ref: 00403EF9
SystemParametersInfoW.USER32(?,00000000,?,00000000), ref: 00403F11
CreateWindowExW.USER32(?,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403F46
ShowWindow.USER32(00000005,00000000), ref: 00403F7C
GetClassInfoW.USER32(00000000,RichEdit20W,00428A00), ref: 00403FA8
GetClassInfoW.USER32(00000000,RichEdit,00428A00), ref: 00403FB5
RegisterClassW.USER32(00428A00), ref: 00403FBE
DialogBoxParamW.USER32(?,00000000,00404102,00000000), ref: 00403FDD

Strings

RichEd32, xrefs: 00403F90
Control Panel\Desktop\ResourceLocale, xrefs: 00403D88
.exe, xrefs: 00403E62
Call, xrefs: 00403E1C, 00403E25, 00403E33, 00403E82, 00403E88
C:\Users\user\eftermodnendes\ringeagt, xrefs: 00403DE4, 00403DEC, 00403E8F, 00403E95, 00403EA5
RichEdit20W, xrefs: 00403FA0, 00403FA6
RichEdit, xrefs: 00403FAF
RichEd20, xrefs: 00403F82
"C:\Users\user\Desktop\2T10XBqS6g.exe", xrefs: 00403D57
C:\Users\user\AppData\Local\Temp\, xrefs: 00403D59
H/B, xrefs: 00403D80
_Nb, xrefs: 00403ED8, 00403F40
1033, xrefs: 00403D74, 00403DD0
.DEFAULT\Control Panel\International, xrefs: 00403DC0

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\2T10XBqS6g.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\eftermodnendes\ringeagt$Call$Control Panel\Desktop\ResourceLocale$H/B$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-4202538630
Opcode ID: 1dbc0aa764a7a3bc96806bc1c5cdbb5ab10d7d6512463466f43f37ee2b0e4de0
Instruction ID: 33830a549d8bd1c9ff3d4095a28b7d5feb3a0022977f60bfd4e6bbc11b1c7dcb
Opcode Fuzzy Hash: 1dbc0aa764a7a3bc96806bc1c5cdbb5ab10d7d6512463466f43f37ee2b0e4de0
Instruction Fuzzy Hash: 4661D570200741BAD620AB669E46F2B3A7CEB84709F41453FFA45B61E2DF795902CB2D

Function 004030D5 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 204
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004030E9
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\2T10XBqS6g.exe,00000400), ref: 00403105

Part of subcall function 00406172: GetFileAttributesW.KERNELBASE(00000003,00403118,C:\Users\user\Desktop\2T10XBqS6g.exe,80000000,00000003), ref: 00406176
Part of subcall function 00406172: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00406198

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,00435800,00435800,C:\Users\user\Desktop\2T10XBqS6g.exe,C:\Users\user\Desktop\2T10XBqS6g.exe,80000000,00000003), ref: 0040314E
GlobalAlloc.KERNELBASE(?,00008001), ref: 00403290

Strings

Inst, xrefs: 004031BA
Null, xrefs: 004031CC
Error launching installer, xrefs: 00403125
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403327
"C:\Users\user\Desktop\2T10XBqS6g.exe", xrefs: 004030DE
C:\Users\user\AppData\Local\Temp\, xrefs: 004030DF, 004032A8
soft, xrefs: 004031C3
C:\Users\user\Desktop\2T10XBqS6g.exe, xrefs: 004030EF, 004030FE, 00403112, 0040312F
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004032D9

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\2T10XBqS6g.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\2T10XBqS6g.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-285632637
Opcode ID: e25ddccf2931d554cf8ae4c0c3bfc4e86d8fe1291d5fc5cd744d09a7651939d3
Instruction ID: fa10dec2ede943269712b0c7dd26c00cc534fb31fc6fa5581d899c5550bae655
Opcode Fuzzy Hash: e25ddccf2931d554cf8ae4c0c3bfc4e86d8fe1291d5fc5cd744d09a7651939d3
Instruction Fuzzy Hash: 0171B071E00204ABDB20DFA4ED86B9E7AACAB04316F60457FF515B62D1CB7C9E418B5C

Function 004066BF Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004067E1
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,00421F28,?,?,00000000,00000000,00000000,00000000), ref: 004067F7
SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 00406855
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 0040685E
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,00000000,00421F28,?,?,00000000,00000000,00000000,00000000), ref: 00406889
lstrlenW.KERNEL32(Call,00000000,00421F28,?,?,00000000,00000000,00000000,00000000), ref: 004068E3

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406883
Software\Microsoft\Windows\CurrentVersion, xrefs: 004067B2
Call, xrefs: 004066EC, 004067A6, 004067AD, 004067B1, 004067CA, 004067CB, 004067E0, 004067F6, 00406827, 00406853, 00406888, 0040688E, 004068AB, 004068BE, 004068DC, 004068E2, 004068EB, 00406920
user32::EnumWindows(i r1 ,i 0), xrefs: 004068B8

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch$user32::EnumWindows(i r1 ,i 0)
API String ID: 4024019347-3319343437
Opcode ID: 6f2761d7cb5587a470c052371fa5fb6b0836c691dcd2ac77b9ed8a87730eab65
Instruction ID: 4a93dbd931fcfc477af1f24740db1e2af50c51fdf4929e220b088375b48f32a9
Opcode Fuzzy Hash: 6f2761d7cb5587a470c052371fa5fb6b0836c691dcd2ac77b9ed8a87730eab65
Instruction Fuzzy Hash: 586147B26053005BEB206F25DD80B6B77E8AB54318F26453FF587B22D0DB3C8961875E

Function 00401774 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,00435000,?,?,00000031), ref: 004017B5
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,00435000,?,?,00000031), ref: 004017DA

Part of subcall function 00406682: lstrcpynW.KERNEL32(?,?,00000400,004037B7,00428A60,NSIS Error,?,?,0000000A,?), ref: 0040668F

Part of subcall function 00405707: lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
Part of subcall function 00405707: lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
Part of subcall function 00405707: SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

Strings

Call, xrefs: 00401792, 0040179B, 004017A8, 004017BA, 004017C6, 004017FC, 00401812, 00401830, 0040186C, 004018ED, 004018F6, 00401900, 0040190B
C:\Users\user\AppData\Local\Temp\nsnB301.tmp\System.dll, xrefs: 0040183A, 00401856
C:\Users\user\AppData\Local\Temp\nsnB301.tmp, xrefs: 00401826, 00401844

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsnB301.tmp$C:\Users\user\AppData\Local\Temp\nsnB301.tmp\System.dll$Call
API String ID: 1941528284-3498836143
Opcode ID: 92a9eda8d8825c9069b007790ea2e2b4818238bc92c10959f2c45e0ca5d33b48
Instruction ID: 8b6fd23670850fd9ae356807d0398338211ecbfbdba6d544e24b7f39de498ea1
Opcode Fuzzy Hash: 92a9eda8d8825c9069b007790ea2e2b4818238bc92c10959f2c45e0ca5d33b48
Instruction Fuzzy Hash: 7541A331900109FACF11BBB5CD85DAE7A79EF41329B21423FF422B10E1D73D8A91966D

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 0040275D
MultiByteToWideChar.KERNEL32(?,?,?,?,?,?), ref: 00402798
SetFilePointer.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 004027BB
MultiByteToWideChar.KERNEL32(?,?,?,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004027D1

Part of subcall function 00406253: SetFilePointer.KERNEL32(?,00000000,00000000,?), ref: 00406269

SetFilePointer.KERNEL32(?,?,?,?,?,?,00000002), ref: 0040287D

Strings

9, xrefs: 00402740

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 92e9fc4a2bdedd92fae86453cef36d5fd9ef34bcac34679d19d253eb0147ccd2
Instruction ID: 4accc3969fe2a7d0a9ccf1f8c11f2542f9fe60139f427c4dffc821b6e73cd172
Opcode Fuzzy Hash: 92e9fc4a2bdedd92fae86453cef36d5fd9ef34bcac34679d19d253eb0147ccd2
Instruction Fuzzy Hash: F3510B75D0011AABDF24AF94CA84AAEBB79FF04344F10817BE901B62D0D7B49D828B58

Function 00406A06 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A1D
wsprintfW.USER32 ref: 00406A58
LoadLibraryExW.KERNEL32(?,00000000,?), ref: 00406A6C

Strings

%s%S.dll, xrefs: 00406A52
UXTHEME, xrefs: 00406A0F

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
Instruction ID: 2238e0f1a46f5e25e3951852f43a11dddaa5b7c7f32292af2b6637a080077407
Opcode Fuzzy Hash: bea2c3dfad6db3553b24c87bd1a60070de232aee380c5cee9c100d0800ee2260
Instruction Fuzzy Hash: DFF0FC30601119A7CB14BB68DD0EFAB375C9B01704F10847AA646F10D0EB789664CF98

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: b11fc5b6ae31e3f7bcdb9db3b4e616a20ad73eae00ded2b204568f86272eb2db
Instruction ID: 09cb529ade84319239dc5b50ebc61ba38ec7146c59f77be9acf979a475766563
Opcode Fuzzy Hash: b11fc5b6ae31e3f7bcdb9db3b4e616a20ad73eae00ded2b204568f86272eb2db
Instruction Fuzzy Hash: FD218B7150011ABFDF119F90CE89EEF7B7DEB10388F100076B949B11E0D7B48E54AA68

Function 6E1D1817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6E1D1BFF: GlobalFree.KERNEL32(?), ref: 6E1D1E74
Part of subcall function 6E1D1BFF: GlobalFree.KERNEL32(?), ref: 6E1D1E79
Part of subcall function 6E1D1BFF: GlobalFree.KERNEL32(?), ref: 6E1D1E7E

GlobalFree.KERNEL32(00000000), ref: 6E1D18C5
FreeLibrary.KERNEL32(?), ref: 6E1D194B
GlobalFree.KERNEL32(00000000), ref: 6E1D1970

Part of subcall function 6E1D243E: GlobalAlloc.KERNEL32(?,?), ref: 6E1D246F

Part of subcall function 6E1D2810: GlobalAlloc.KERNEL32(?,00000000,?,?,00000000,?,?,?,6E1D1896,00000000), ref: 6E1D28E0

Part of subcall function 6E1D1666: wsprintfW.USER32 ref: 6E1D1694

Strings

, xrefs: 6E1D1951

Memory Dump Source

Source File: 00000002.00000002.3826398582.000000006E1D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E1D0000, based on PE: true

Associated: 00000002.00000002.3826375791.000000006E1D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826592395.000000006E1D4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826642284.000000006E1D6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e1d0000_2T10XBqS6g.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 23ca5242b269d5880db11d17b7ef1d2ad12370715acc91f4bfd0a4f54092b842
Instruction ID: b3d87b4a91b6f004674ba2ad25924ac579fa88eec1d9355eb4169886181806b3
Opcode Fuzzy Hash: 23ca5242b269d5880db11d17b7ef1d2ad12370715acc91f4bfd0a4f54092b842
Instruction Fuzzy Hash: A441A3716002469BDF04DFE4D884BDA37ACBF15318F248865ED259A086DBB4D4CCF760

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0

Strings

!, xrefs: 00401C84

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 483d17516720e2e8ab10c88a8952f1e8a1428c38e87ce861c3d636333663c13f
Instruction ID: 6f1bda49a4997cd21eb3df4025a59d3ac8dc5d95b16fa6faa4f7de2005ea5abe
Opcode Fuzzy Hash: 483d17516720e2e8ab10c88a8952f1e8a1428c38e87ce861c3d636333663c13f
Instruction Fuzzy Hash: 57219C7191421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941CB98

Function 0040248F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsnB301.tmp,00000023,00000011,00000002), ref: 004024DA
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,00000000,00000011,00000002), ref: 0040251A
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,00000000,00000011,00000002), ref: 00402602

Strings

C:\Users\user\AppData\Local\Temp\nsnB301.tmp, xrefs: 004024CB, 004024D9, 004024F0, 00402504, 0040250F

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsnB301.tmp
API String ID: 2655323295-1217847721
Opcode ID: 30c8621953cd876262fbd94b52e9500918e6bc3baaa165e74801803e0a09f0dc
Instruction ID: be9c33e72f15a848a09509bfe82e7b73cbf05d8b6c9bfbfc98f7540490fedb8c
Opcode Fuzzy Hash: 30c8621953cd876262fbd94b52e9500918e6bc3baaa165e74801803e0a09f0dc
Instruction Fuzzy Hash: 26119D31900118AEEB10EFA5DE59EAEBAB4AB44318F10483FF404B61C0C7B88E019A58

Function 004061A1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004061BF
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403643,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F), ref: 004061DA

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004061A6
nsa, xrefs: 004061AE

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2083210678
Opcode ID: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
Instruction ID: d5af49f5aac0e4cb02feadf6e990f33ccb34da23aa7fbf3522b8764b63faf6c0
Opcode Fuzzy Hash: ca4f867381b256d976a036b4ee2479ffffcb38332db50c9e5a73bf50e74bc53e
Instruction Fuzzy Hash: 90F09076701204BFEB008F59DD05E9EB7BCEBA5710F11803EF901F7240E6B49A648764

Function 004071D5 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5aa4d090f2ad8984d83f4f4e641c2e75da78772a5538c6e641319c1bffeb23fb
Instruction ID: 5108979c3f50e514b4d7e1fb6dd8ed840f295859cf3be547aab63c341a9fbe83
Opcode Fuzzy Hash: 5aa4d090f2ad8984d83f4f4e641c2e75da78772a5538c6e641319c1bffeb23fb
Instruction Fuzzy Hash: 8BA14471E04228DBDF28CFA8C8446ADBBB1FF44305F14856AD856BB281C7786A86DF45

Function 004073D6 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d5ea1f57b3c7a51107eeb32950adad6d0a1e952e0bb086014bf19e576e1a16a
Instruction ID: e1ca38fbe1868b0530a5cca2aefb0608b46060051e5a62990b8a86f9073b7715
Opcode Fuzzy Hash: 8d5ea1f57b3c7a51107eeb32950adad6d0a1e952e0bb086014bf19e576e1a16a
Instruction Fuzzy Hash: 61912370D04228CBDF28CF98C8547ADBBB1FF44305F14856AD856BB291C778AA86DF45

Function 004070EC Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a4d9994a082143c1c144eb36683b4c65f38247d7a35d367480abefccda07661
Instruction ID: c8babd12d4b9043659ede3bd230c10fd4be49189821a01af26e4b19fb55261c2
Opcode Fuzzy Hash: 2a4d9994a082143c1c144eb36683b4c65f38247d7a35d367480abefccda07661
Instruction Fuzzy Hash: B1813571D04228DBDF24CFA8C8847ADBBB1FF44305F24856AD456BB281C778AA86DF45

Function 00406BF1 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14ce6b3d8018a6f0b050b5be2694dad1ee6778a4c7b40431f4b258f42aa93ca
Instruction ID: 70604387997e4686e0750d9790b47f8334db0f7ece30ebb4bbc07469160fd387
Opcode Fuzzy Hash: b14ce6b3d8018a6f0b050b5be2694dad1ee6778a4c7b40431f4b258f42aa93ca
Instruction Fuzzy Hash: A4816571D04228DBDF24CFA8C8447ADBBB0FF44315F20856AD856BB281C7786A86DF45

Function 0040703F Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e36820fe09b78ea4b76e3bf6ab2fb301930f737046964227b4143800bf5a8c7d
Instruction ID: 95d77a19c0962547fc3f67c13c4944abdc30b9b20558c44938f244593de0d4a6
Opcode Fuzzy Hash: e36820fe09b78ea4b76e3bf6ab2fb301930f737046964227b4143800bf5a8c7d
Instruction Fuzzy Hash: 49713471D04228CBDF24CFA8C8847ADBBB1FF48305F15806AD856BB281C7386986DF45

Function 0040715D Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06ef8f5a1822f0b757ae31e3b83f809751af444a1e9c2dfe7d230d3dce02f925
Instruction ID: 33b9de73c5357426475d1ecb6718d507a7f793f52192090568aa5f1be2fe3f26
Opcode Fuzzy Hash: 06ef8f5a1822f0b757ae31e3b83f809751af444a1e9c2dfe7d230d3dce02f925
Instruction Fuzzy Hash: D8714671E04228CBDF28CF98C8847ADBBB1FF44305F15856AD856BB281C7786986DF45

Function 004070A9 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfd14bdf320e39a62d2c2df30edf7cb1e1c63a24431ff8987f761f3d68dc011c
Instruction ID: eebb37c65e2131d6119e05978ba22ffeb7e1a1a57c5d17d20a151e235b5fbeda
Opcode Fuzzy Hash: cfd14bdf320e39a62d2c2df30edf7cb1e1c63a24431ff8987f761f3d68dc011c
Instruction Fuzzy Hash: DD714771E04228DBEF28CF98C8447ADBBB1FF44305F15816AD856BB281C7786A86DF45

Function 0040347E Relevance: 4.6, APIs: 3, Instructions: 101COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403492

Part of subcall function 004035FD: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FB,?), ref: 0040360B

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,004033A8,00000004,00000000,00000000,?,?,00403322,000000FF,00000000,00000000,00008001,?), ref: 004034C5
SetFilePointer.KERNELBASE(00119FB8,00000000,00000000,00414EF0,00004000,?,00000000,004033A8,00000004,00000000,00000000,?,?,00403322,000000FF,00000000), ref: 004035C0

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 1344b17e1481b80582bdb0ed23b8c3804af25e72a501c03e477dd398e9b7707c
Instruction ID: 0007fe48f9bd4e0bdf6fbdcb7c574e60e63cda3bf49c02497359f5fe5cde5340
Opcode Fuzzy Hash: 1344b17e1481b80582bdb0ed23b8c3804af25e72a501c03e477dd398e9b7707c
Instruction Fuzzy Hash: C7319172600215EBC7309F29EE848163BADF744356755023BE501B26F1CBB5AE42DB9D

Function 004020DD Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,?), ref: 00402108

Part of subcall function 00405707: lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
Part of subcall function 00405707: lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
Part of subcall function 00405707: SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

LoadLibraryExW.KERNEL32(00000000,?,?,?,?), ref: 00402119
FreeLibrary.KERNEL32(?,?,000000F7,?,?,?,?,?), ref: 00402196

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: cd3871a4674ab2d20781c98e55c83c75f0414bc3aa5ab025748cc012411ec63e
Instruction ID: d5d67dfdf4745362115819af7549d82072a8f7f049e0964222285d8f4f4a232d
Opcode Fuzzy Hash: cd3871a4674ab2d20781c98e55c83c75f0414bc3aa5ab025748cc012411ec63e
Instruction Fuzzy Hash: ED215031904108EADF11AFA5CE49A9E7A71FF44359F20413BF201B91E1CBBD8982AA5D

Function 00401BA0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(0062D108), ref: 00401C10
GlobalAlloc.KERNELBASE(?,00000804), ref: 00401C22

Strings

Call, xrefs: 00401BC7, 00401BCD, 00401BE7

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 1123cc6a0f383144ca4e0a98b12c217c63afdee534dd3928be857bb34d6716f0
Instruction ID: 755843c12eef3f61fe3821796784c52372e38f60d99e915cd62482290075d307
Opcode Fuzzy Hash: 1123cc6a0f383144ca4e0a98b12c217c63afdee534dd3928be857bb34d6716f0
Instruction Fuzzy Hash: 7D210872904254DBDB20FBA4CE84A5E73B8AB04718715093FF542F32D0C6B89C418BDD

Function 004025A3 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D6
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E9
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,00000000,00000011,00000002), ref: 00402602

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: 0dba00214060772b269aec70c88b8c4dcefe1b236ecbe69e4432b09e807f707b
Instruction ID: 0e7c906900fe31acaf330cad7c7adc7318663c551a7f251ed3955534a0ac5e15
Opcode Fuzzy Hash: 0dba00214060772b269aec70c88b8c4dcefe1b236ecbe69e4432b09e807f707b
Instruction Fuzzy Hash: 3D017171904205ABEB149F949E58AAF7678FF40308F10443EF505B61C0DBB84E41976D

Function 00403376 Relevance: 3.1, APIs: 2, Instructions: 88COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00008001,00000000,00000000,00000000,00000000,?,?,00403322,000000FF,00000000,00000000,00008001,?), ref: 0040339B

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3d500f412808721b8c87be071932eede801725a1d128c96ac4c777ed30e32dcd
Instruction ID: 810e563441ec60ddb2e304251acab09d4dc6a46a8481b8ea59e7f14a092257d1
Opcode Fuzzy Hash: 3d500f412808721b8c87be071932eede801725a1d128c96ac4c777ed30e32dcd
Instruction Fuzzy Hash: E231B170200209BFDB129F59DD44E9A3FA9EB04355F10843AF904EA191D3788E51DBA9

Function 004015C6 Relevance: 3.1, APIs: 2, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405FFC: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,?,00406070,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,7511ED70,?,7511E810,00405DAE,?,7511ED70,7511E810,"C:\Users\user\Desktop\2T10XBqS6g.exe"), ref: 0040600A
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 0040600F
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 00406027

GetFileAttributesW.KERNELBASE(?,?,00000000,?,00000000,?), ref: 0040161F

Part of subcall function 00405BD6: CreateDirectoryW.KERNELBASE(0042C800,?), ref: 00405C18

SetCurrentDirectoryW.KERNELBASE(?,00435000,?,000000E6,00000000,?), ref: 00401652

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID:
API String ID: 1892508949-0
Opcode ID: 863e97e9a1a98ee7b9bda4f27f85bc968de3615fba3b8b02605abd041f87ab9d
Instruction ID: 68e4a3e0657f1f56d5d8600c1d99eb964219fead50354605c61944b677c9a350
Opcode Fuzzy Hash: 863e97e9a1a98ee7b9bda4f27f85bc968de3615fba3b8b02605abd041f87ab9d
Instruction Fuzzy Hash: DD11BE31404214ABCF20AFB5CD0099F36B0EF04368B25493FE946B22F1DA3E4A819B5E

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A230,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 44422ec4cc38e602ea7d4d2f5f5b5ed5cf3abc39ac7d2c30bec0a520d1a14902
Instruction ID: 4cdfa14fa51073ec67c7732ce5b449902c092ffb61bdcee16cd85da0f6320b18
Opcode Fuzzy Hash: 44422ec4cc38e602ea7d4d2f5f5b5ed5cf3abc39ac7d2c30bec0a520d1a14902
Instruction Fuzzy Hash: 0F01F4327212209BE7295B389D05B6B3698E710354F10863FF855F6AF1DA78CC429B4C

Function 00402439 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040245B
RegCloseKey.ADVAPI32(00000000), ref: 00402464

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: bb53019bc6b0262c1a7ba30a0e76d60d513ae05c0bd0953298f21ea634c4095c
Instruction ID: 5f3bbf62c25f8db8e4007b741f5cecc6338069a28fa7be666feaa9c5da8c1564
Opcode Fuzzy Hash: bb53019bc6b0262c1a7ba30a0e76d60d513ae05c0bd0953298f21ea634c4095c
Instruction Fuzzy Hash: FCF06232A04520ABDB10BBA89A8DAEE62A5AF54314F11443FE542B71C1CAFC4D02976D

Function 00405BD6 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(0042C800,?), ref: 00405C18
GetLastError.KERNEL32 ref: 00405C26

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: cc352e270a5c7d66bac2c8a7d463e84c1d5eb2dce2c10117675193e318c6cc25
Instruction ID: c951f985784cdd1ce4bfd292213bf749a6eab04c72170860fc3503b4537cd402
Opcode Fuzzy Hash: cc352e270a5c7d66bac2c8a7d463e84c1d5eb2dce2c10117675193e318c6cc25
Instruction Fuzzy Hash: 67F0F4B0C04209DAEB00CFA4D9487EFBBB4FB04309F00842AD541B6281DBB882488BA9

Function 00405C65 Relevance: 3.0, APIs: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F50,?,?,?,0042C800,?), ref: 00405C8E
CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405C9B

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID:
API String ID: 3712363035-0
Opcode ID: dc4e0aa2a6e4d88c421582106c1d46ba955b2ae98b0244f92ff0ec2e2b298c3d
Instruction ID: 40cf053be3b9956ee682ea3cdb0c0f8171e7446c395677da6238e6dd92eb787c
Opcode Fuzzy Hash: dc4e0aa2a6e4d88c421582106c1d46ba955b2ae98b0244f92ff0ec2e2b298c3d
Instruction Fuzzy Hash: A4E0BFB4600219BFFB109B64EE49F7B7B7CEB00648F418425BD14F2551D77498149A7C

Function 00406A76 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,00403755,?,?,?,?,?,?,?,?,?), ref: 00406A88
GetProcAddress.KERNEL32(00000000,?), ref: 00406AA3

Part of subcall function 00406A06: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 00406A1D
Part of subcall function 00406A06: wsprintfW.USER32 ref: 00406A58
Part of subcall function 00406A06: LoadLibraryExW.KERNEL32(?,00000000,?), ref: 00406A6C

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: ecfc0d1632056c4e1693efd0f98aabdfe4a2c93a6abc515f3d9591ad468ff55d
Instruction ID: b294046d3e4dddd9dd595f306a5883e4a37f4b9faaa0bea25d2c73fe5553ab8f
Opcode Fuzzy Hash: ecfc0d1632056c4e1693efd0f98aabdfe4a2c93a6abc515f3d9591ad468ff55d
Instruction Fuzzy Hash: DFE08636704610AAD610BA709E48C6773A89F86710302C83FF546F6140D738DC32AA79

Function 00406172 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00403118,C:\Users\user\Desktop\2T10XBqS6g.exe,80000000,00000003), ref: 00406176
CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00406198

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
Instruction ID: be52236ca1bfc2e7009fe271a1dfd41440a2a0d1ebc26b2cb4c8630358080456
Opcode Fuzzy Hash: d28f21770be58fa8ab322e44db2ef64be76ab1399ecbb41bfd548adfe90c5e60
Instruction Fuzzy Hash: 30D09E31254301EFFF098F20DE16F2EBAA2EB94B00F11952CB682941E0DA715819DB15

Function 00405C30 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403638,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,?,0000000A,?), ref: 00405C36
GetLastError.KERNEL32(?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00405C44

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 713f00ffaa2578e3ba1d99e04a2fab42aad7341dbc9e3b83e2e07bf738d273a4
Instruction ID: 9ee767d7bb24d12ef4013e29ffdbd8bf560f6e5ed3fd997729cc5c4a92c9c995
Opcode Fuzzy Hash: 713f00ffaa2578e3ba1d99e04a2fab42aad7341dbc9e3b83e2e07bf738d273a4
Instruction Fuzzy Hash: 4EC08C30208601DAEA040B30DE08F073A50BB00340F214439A082E40A4CA308004CD2D

Function 6E1D2B98 Relevance: 1.6, APIs: 1, Instructions: 143COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000), ref: 6E1D2C57

Memory Dump Source

Source File: 00000002.00000002.3826398582.000000006E1D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E1D0000, based on PE: true

Associated: 00000002.00000002.3826375791.000000006E1D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826592395.000000006E1D4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826642284.000000006E1D6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e1d0000_2T10XBqS6g.jbxd

Similarity

API ID: EnumWindows
String ID:
API String ID: 1129996299-0
Opcode ID: 78772dca451b024662d2dc4c684515726c360c8ca7ac2e9ea326fac3193bfdb7
Instruction ID: a8f50aaa083b36d9fc9b6bf049f1281ba54950c0902049ff920b9e5a266092c1
Opcode Fuzzy Hash: 78772dca451b024662d2dc4c684515726c360c8ca7ac2e9ea326fac3193bfdb7
Instruction Fuzzy Hash: BD416972505A08DBDB11DFE4D984B9D37ACFB56358F20C826E42487104D778A8C9FB91

Function 00402896 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028B4

Part of subcall function 004065C9: wsprintfW.USER32 ref: 004065D6

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: be6f6e28811eff9f61e37437ffce11e37693180493ed76b7cb4b0af79cd2cf68
Instruction ID: a9a910f18d9475f192186a99a32baa3f0737176f8f71227260f04108cb8f5765
Opcode Fuzzy Hash: be6f6e28811eff9f61e37437ffce11e37693180493ed76b7cb4b0af79cd2cf68
Instruction Fuzzy Hash: CEE06D71A04108BFDB01ABA5BE499AEB3B9EB44354B20483FF102B00C8CA784D119A2D

Function 004023B7 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004023EE

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction ID: 95154b02373db31601182c66ccc42c3a1d246cd64da090b0d32e859a1de181fa
Opcode Fuzzy Hash: cc309e7f02997b5e016163de44fe3fdddd8bf4d3fe64c06df27e2bc62d43203d
Instruction Fuzzy Hash: 7DE04F31900524BADB5036B15ECDDBE20685FC8318B14063FFA12B61C2D9FC0C43466D

Function 0040651D Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402E5C,00000000,?,?), ref: 00406546

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction ID: eb898ae1b777051f051c4ab58df26dcf4e878c8f9f4a5c47b005eb973d4bb03b
Opcode Fuzzy Hash: b17b4e85cc10dff7c00d1995fa2300a068af545831f113dbcef6cd8b4d780b07
Instruction Fuzzy Hash: 75E0E6B2010109BEEF095F50EC0AD7F371DE708710F11452EF906D4051E6B5E9309A39

Function 00406224 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00008001,00000000,00000000,00000000,00000000,0040DAE4,0040CEF0,0040357E,0040CEF0,0040DAE4,00414EF0,00004000,?,00000000,004033A8,00000004), ref: 00406238

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 6296e445ee025582091cb162a3efd7a4c9b40fecddc6e186669f82422f4bfe72
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: 00E08C3221021AABDF10AE548C00EEB3B6CEB013A0F02447AFD16E3050D231E83097A9

Function 004061F5 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00008001,00000000,00000000,00000000,00000000,00414EF0,0040CEF0,004035FA,00008001,00008001,004034FE,00414EF0,00004000,?,00000000,004033A8), ref: 00406209

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: f029eba0d3a9f8ebddca737992f63761e7b4746d0aa70cfc26448402395c61e3
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 5DE08632154119EBCF106E908C00EEB379CEF15350F014876F921E7440D230E8328FA4

Function 6E1D2A7F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6E1D505C,?,?,6E1D504C), ref: 6E1D2A9D

Memory Dump Source

Source File: 00000002.00000002.3826398582.000000006E1D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E1D0000, based on PE: true

Associated: 00000002.00000002.3826375791.000000006E1D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826592395.000000006E1D4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826642284.000000006E1D6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e1d0000_2T10XBqS6g.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 798e2e82553bf455242ea29c9e25e5667d9866aa7f9eb99972ca086eb6077949
Instruction ID: 68f5105cc74d86334e0f9c82693218970f8b28b65991d244a0fbc7074804dd5a
Opcode Fuzzy Hash: 798e2e82553bf455242ea29c9e25e5667d9866aa7f9eb99972ca086eb6077949
Instruction Fuzzy Hash: EEF0C9B0506B88DECB50CF78844470E3FE0F71B309B54C52AE188D6244E3346488FBA1

Function 004023F9 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 0040242A

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction ID: 816608b18dc0c520cd9a71caba4f9b5dbdb35d60be0fcf423de44464aa3a4457
Opcode Fuzzy Hash: 979b3f2ec0bc23d324c76cc3db4c1f8da93b0e1d0eaca7bbe8bd823efade59bd
Instruction Fuzzy Hash: 95E04F31800229BEDB00EFA0CD09DAD3678AF40304F00093EF510BB0D1E7FC49519749

Function 004064EF Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00421F28,00000000,00000000,?,?,00000000,?,0040657D,?,00421F28,?,?,Call,?,00000000), ref: 00406513

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: 600eba3f25fec8fd2e0e76c9bf818d2d921b30b98e1649e5cb913c6f6c6f8cb9
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: 4DD0123600020DBBDF115E90ED01FAB3B5DAB08714F014826FE06A4091D775D530AB59

Function 004035FD Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FB,?), ref: 0040360B

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 00401FA9 Relevance: 1.3, APIs: 1, Instructions: 37COMMON

Download Yara Rule

APIs

Part of subcall function 00405707: lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
Part of subcall function 00405707: lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
Part of subcall function 00405707: SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

Part of subcall function 00405C65: CreateProcessW.KERNELBASE(00000000,0042C800,00000000,00000000,00000000,04000000,00000000,00000000,00425F50,?,?,?,0042C800,?), ref: 00405C8E
Part of subcall function 00405C65: CloseHandle.KERNEL32(?,?,?,0042C800,?), ref: 00405C9B

CloseHandle.KERNEL32(?,?,?,?,?,?), ref: 00401FF0

Part of subcall function 00406B21: WaitForSingleObject.KERNEL32(?,?), ref: 00406B32
Part of subcall function 00406B21: GetExitCodeProcess.KERNEL32(?,?), ref: 00406B54

Part of subcall function 004065C9: wsprintfW.USER32 ref: 004065D6

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: MessageSend$CloseHandleProcesslstrlen$CodeCreateExitObjectSingleTextWaitWindowlstrcatwsprintf
String ID:
API String ID: 2972824698-0
Opcode ID: 6849614f2a8bfbdd5acfcc5c7dc02bd50f0657ec5184be028ed3315e3fd21a51
Instruction ID: ba3ed7a1875ec382e1b93905bcfefb33a8222a1057eccf936486356e32fab672
Opcode Fuzzy Hash: 6849614f2a8bfbdd5acfcc5c7dc02bd50f0657ec5184be028ed3315e3fd21a51
Instruction Fuzzy Hash: 48F06D32905125EBDB20BBE599C59DE76F59B00318F25413FE102B21E1CB7C4E459A6E

Function 6E1D12BB Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(?,?,6E1D12DB,?,6E1D137F,00000019,6E1D11CA,-000000A0), ref: 6E1D12C5

Memory Dump Source

Source File: 00000002.00000002.3826398582.000000006E1D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E1D0000, based on PE: true

Associated: 00000002.00000002.3826375791.000000006E1D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826592395.000000006E1D4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826642284.000000006E1D6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e1d0000_2T10XBqS6g.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: c32233480e6ccc48ef195c83b62a3b802c168fd67413a4fd2603bffbb6b7feab
Instruction ID: fb42010aaa6d0fc7b3b9befb63de284a67d9917f86ef978e611e27d7bd03f3ff
Opcode Fuzzy Hash: c32233480e6ccc48ef195c83b62a3b802c168fd67413a4fd2603bffbb6b7feab
Instruction Fuzzy Hash: E2B011B0A02808EFEF00AB28EC0AF3C32A8FB02300F28C000BA00C2080C2208C00EA38

Non-executed Functions

Function 00405846 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 004058A4
GetDlgItem.USER32(?,000003EE), ref: 004058B3
GetClientRect.USER32(?,?), ref: 004058F0
GetSystemMetrics.USER32(00000002), ref: 004058F7
SendMessageW.USER32(?,00001061,00000000,?), ref: 00405918
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 00405929
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 0040593C
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040594A
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040595D
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040597F
ShowWindow.USER32(?,?), ref: 00405993
GetDlgItem.USER32(?,000003EC), ref: 004059B4
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 004059C4
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004059DD
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004059E9
GetDlgItem.USER32(?,000003F8), ref: 004058C2

Part of subcall function 00404636: SendMessageW.USER32(?,?,?,00404461), ref: 00404644

GetDlgItem.USER32(?,000003EC), ref: 00405A06
CreateThread.KERNEL32(00000000,00000000,Function_000057DA,00000000), ref: 00405A14
CloseHandle.KERNEL32(00000000), ref: 00405A1B
ShowWindow.USER32(00000000), ref: 00405A3F
ShowWindow.USER32(?,?), ref: 00405A44
ShowWindow.USER32(?), ref: 00405A8E
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405AC2
CreatePopupMenu.USER32 ref: 00405AD3
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405AE7
GetWindowRect.USER32(?,?), ref: 00405B07
TrackPopupMenu.USER32(00000000,?,?,?,00000000,?,00000000), ref: 00405B20
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B58
OpenClipboard.USER32(00000000), ref: 00405B68
EmptyClipboard.USER32 ref: 00405B6E
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405B7A
GlobalLock.KERNEL32(00000000), ref: 00405B84
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405B98
GlobalUnlock.KERNEL32(00000000), ref: 00405BB8
SetClipboardData.USER32(0000000D,00000000), ref: 00405BC3
CloseClipboard.USER32 ref: 00405BC9

Strings

H/B, xrefs: 00405B34
{, xrefs: 00405AAC

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: H/B${
API String ID: 590372296-332483393
Opcode ID: d18a2026774e62a2c92573f4287a0ca8136519a3f9d5dde66db426fe6a39353e
Instruction ID: 1bfd88ad0a039f30930ce625e3f17186fc56f4394c79b8c388f8475f2b475093
Opcode Fuzzy Hash: d18a2026774e62a2c92573f4287a0ca8136519a3f9d5dde66db426fe6a39353e
Instruction Fuzzy Hash: A7B127B1900608FFDB21AF60DD85DAE7B79FB44354F00413AFA41A61A0CB795E52DF68

Function 00404AF2 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404B41
SetWindowTextW.USER32(00000000,?), ref: 00404B6B
SHBrowseForFolderW.SHELL32(?), ref: 00404C1C
CoTaskMemFree.OLE32(00000000), ref: 00404C27
lstrcmpiW.KERNEL32(Call,00422F48,00000000,?,?), ref: 00404C59
lstrcatW.KERNEL32(?,Call), ref: 00404C65
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404C77

Part of subcall function 00405CC6: GetDlgItemTextW.USER32(?,?,00000400,00404CAE), ref: 00405CD9

Part of subcall function 00406930: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\2T10XBqS6g.exe",7511ED70,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,?,0000000A,?), ref: 00406993
Part of subcall function 00406930: CharNextW.USER32(?,?,?,00000000,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 004069A2
Part of subcall function 00406930: CharNextW.USER32(?,"C:\Users\user\Desktop\2T10XBqS6g.exe",7511ED70,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,?,0000000A,?), ref: 004069A7
Part of subcall function 00406930: CharPrevW.USER32(?,?,7511ED70,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,?,0000000A,?), ref: 004069BA

GetDiskFreeSpaceW.KERNEL32(00420F18,?,?,0000040F,?,00420F18,00420F18,?,?,00420F18,?,?,000003FB,?), ref: 00404D3A
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404D55

Part of subcall function 00404EAE: lstrlenW.KERNEL32(00422F48,00422F48,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,?,000000DF,00000000,00000400,?), ref: 00404F4F
Part of subcall function 00404EAE: wsprintfW.USER32 ref: 00404F58
Part of subcall function 00404EAE: SetDlgItemTextW.USER32(?,00422F48), ref: 00404F6B

Strings

A, xrefs: 00404C15
H/B, xrefs: 00404BEF
Call, xrefs: 00404C53, 00404C58, 00404C63
C:\Users\user\eftermodnendes\ringeagt, xrefs: 00404C42
user32::EnumWindows(i r1 ,i 0), xrefs: 00404B0B

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\eftermodnendes\ringeagt$Call$H/B$user32::EnumWindows(i r1 ,i 0)
API String ID: 2624150263-2126803556
Opcode ID: 4cf00c73115f53cf57be461a99467e832b164710fce0f00c931b90381e9749c6
Instruction ID: 96009b05525636a0bc85a96efb184481c484ec56fefee2337862baa2afa4bf02
Opcode Fuzzy Hash: 4cf00c73115f53cf57be461a99467e832b164710fce0f00c931b90381e9749c6
Instruction Fuzzy Hash: DDA173B1900209ABDB11AFA5CD45AEFB7B8EF84314F11843BF601B62D1D77C99418B6D

Function 6E1D1BFF Relevance: 20.1, APIs: 13, Instructions: 597stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6E1D12BB: GlobalAlloc.KERNELBASE(?,?,6E1D12DB,?,6E1D137F,00000019,6E1D11CA,-000000A0), ref: 6E1D12C5

GlobalAlloc.KERNEL32(?,00001CA4), ref: 6E1D1D2D
lstrcpyW.KERNEL32(00000008,?), ref: 6E1D1D75
lstrcpyW.KERNEL32(00000808,?), ref: 6E1D1D7F
GlobalFree.KERNEL32(00000000), ref: 6E1D1D92
GlobalFree.KERNEL32(?), ref: 6E1D1E74
GlobalFree.KERNEL32(?), ref: 6E1D1E79
GlobalFree.KERNEL32(?), ref: 6E1D1E7E
GlobalFree.KERNEL32(00000000), ref: 6E1D2068
lstrcpyW.KERNEL32(?,?), ref: 6E1D2222
GetModuleHandleW.KERNEL32(00000008), ref: 6E1D22A1
LoadLibraryW.KERNEL32(00000008), ref: 6E1D22B2
GetProcAddress.KERNEL32(?,?), ref: 6E1D230C
lstrlenW.KERNEL32(00000808), ref: 6E1D2326

Memory Dump Source

Source File: 00000002.00000002.3826398582.000000006E1D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E1D0000, based on PE: true

Associated: 00000002.00000002.3826375791.000000006E1D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826592395.000000006E1D4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826642284.000000006E1D6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e1d0000_2T10XBqS6g.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 1b3c566130b20ba0932bd1c2daeb2a719563e130965d0f0e824305bccffce751
Instruction ID: e0fda7bb89b7423a6a8b312ed704260a07493cc7838a8963500428482e5680e6
Opcode Fuzzy Hash: 1b3c566130b20ba0932bd1c2daeb2a719563e130965d0f0e824305bccffce751
Instruction Fuzzy Hash: 4B22CB71E5460ADEDB50CFE9C4842EEB7B4FB19305F21852AD1A5E3280E7709ACDEB50

Function 004021AF Relevance: 1.6, APIs: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,?,004084CC,?,?,00000045,000000CD,00000002,000000DF,?), ref: 0040222E

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 5b0014f3340ed2e8e047bae132ec64f51d2c526b3404a8b2a52325da7d94e0b0
Instruction ID: 6031f0b9305bb7b05064ab4f17c9904609ff1c452577966f293784d012f03e0b
Opcode Fuzzy Hash: 5b0014f3340ed2e8e047bae132ec64f51d2c526b3404a8b2a52325da7d94e0b0
Instruction Fuzzy Hash: 4A410475A00209AFCB40DFE4C989EAD7BB5BF48308B20457EF505EB2D1DB799982CB54

Function 00402910 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 209a06d9c3b4454fc5c1ff69253149a6aac46e41fe78177cd59690df36c1804c
Instruction ID: f0d7266373870d470beff65cac24d35b4a218527411e0b80208e5fb1e93adf0c
Opcode Fuzzy Hash: 209a06d9c3b4454fc5c1ff69253149a6aac46e41fe78177cd59690df36c1804c
Instruction Fuzzy Hash: 28F08271A04104AED701EBE4ED499AEB378EF14314F60057BE111F31E0D7B84E059B19

Function 0040506E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00405086
GetDlgItem.USER32(?,00000408), ref: 00405091
GlobalAlloc.KERNEL32(?,?), ref: 004050DB
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 004050F2
SetWindowLongW.USER32(?,?,0040567B), ref: 0040510B
ImageList_Create.COMCTL32(?,?,00000021,00000006,00000000), ref: 0040511F
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405131
SendMessageW.USER32(?,00001109,00000002), ref: 00405147
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405153
SendMessageW.USER32(?,0000111B,?,00000000), ref: 00405165
DeleteObject.GDI32(00000000), ref: 00405168
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405193
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040519F
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040523A
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040526A

Part of subcall function 00404636: SendMessageW.USER32(?,?,?,00404461), ref: 00404644

SendMessageW.USER32(?,00001132,00000000,?), ref: 0040527E
GetWindowLongW.USER32(?,?), ref: 004052AC
SetWindowLongW.USER32(?,?,00000000), ref: 004052BA
ShowWindow.USER32(?,00000005), ref: 004052CA
SendMessageW.USER32(?,00000419,00000000,?), ref: 004053C5
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 0040542A
SendMessageW.USER32(?,?,00000000,00000000), ref: 0040543F
SendMessageW.USER32(?,00000420,00000000,?), ref: 00405463
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405483
ImageList_Destroy.COMCTL32(?), ref: 00405498
GlobalFree.KERNEL32(?), ref: 004054A8
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00405521
SendMessageW.USER32(?,00001102,?,?), ref: 004055CA
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004055D9
InvalidateRect.USER32(?,00000000,?), ref: 00405604
ShowWindow.USER32(?,00000000), ref: 00405652
GetDlgItem.USER32(?,000003FE), ref: 0040565D
ShowWindow.USER32(00000000), ref: 00405664

Strings

M, xrefs: 00405222
N, xrefs: 00405303
, xrefs: 0040563C

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 324c1f4819b082b1ac23898fd696f3744d7b458a05ce4ad4b76fe224fda76cd4
Instruction ID: 3eec0fee992af157883e3c32035e614d90e83c27d9cb298499668aae57dc4bf7
Opcode Fuzzy Hash: 324c1f4819b082b1ac23898fd696f3744d7b458a05ce4ad4b76fe224fda76cd4
Instruction Fuzzy Hash: B4029D70A00608EFDB20DF64CD45AAF7BB5FB44314F10857AE910BA2E0D7B98A42DF18

Function 00404102 Relevance: 61.6, APIs: 34, Strings: 1, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 0040413E
ShowWindow.USER32(?), ref: 0040415E
GetWindowLongW.USER32(?,?), ref: 00404170
ShowWindow.USER32(?,?), ref: 00404189
DestroyWindow.USER32 ref: 0040419D
SetWindowLongW.USER32(?,00000000,00000000), ref: 004041B6
GetDlgItem.USER32(?,?), ref: 004041D5
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004041E9
IsWindowEnabled.USER32(00000000), ref: 004041F0
GetDlgItem.USER32(?,?), ref: 0040429B
GetDlgItem.USER32(?,00000002), ref: 004042A5
SetClassLongW.USER32(?,000000F2,?), ref: 004042BF
SendMessageW.USER32(0000040F,00000000,?,?), ref: 00404310
GetDlgItem.USER32(?,00000003), ref: 004043B6
ShowWindow.USER32(00000000,?), ref: 004043D7
EnableWindow.USER32(?,?), ref: 004043E9
EnableWindow.USER32(?,?), ref: 00404404
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 0040441A
EnableMenuItem.USER32(00000000), ref: 00404421
SendMessageW.USER32(?,?,00000000,?), ref: 00404439
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040444C
lstrlenW.KERNEL32(00422F48,?,00422F48,00000000), ref: 00404476
SetWindowTextW.USER32(?,00422F48), ref: 0040448A
ShowWindow.USER32(?,0000000A), ref: 004045BE

Strings

H/B, xrefs: 00404466

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID: H/B
API String ID: 1860320154-184950203
Opcode ID: 6713c34f0db6ca24ad0fd02f4a6c26255f157c0ea2add66a7142b4456e47287b
Instruction ID: f8b0abefa6079376cca3afd4ac47b8e6787ccd0873a3a79b8952b84eeba681b3
Opcode Fuzzy Hash: 6713c34f0db6ca24ad0fd02f4a6c26255f157c0ea2add66a7142b4456e47287b
Instruction Fuzzy Hash: 91C1CFB1600204BBDB316F61EE85A2B7AB8EB85345F41053EF741B25F0CB795842DB2D

Function 004047C0 Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 0040485E
GetDlgItem.USER32(?,000003E8), ref: 00404872
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 0040488F
GetSysColor.USER32(?), ref: 004048A0
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004048AE
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004048BC
lstrlenW.KERNEL32(?), ref: 004048C1
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004048CE
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004048E3
GetDlgItem.USER32(?,0000040A), ref: 0040493C
SendMessageW.USER32(00000000), ref: 00404943
GetDlgItem.USER32(?,000003E8), ref: 0040496E
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004049B1
LoadCursorW.USER32(00000000,00007F02), ref: 004049BF
SetCursor.USER32(00000000), ref: 004049C2
LoadCursorW.USER32(00000000,00007F00), ref: 004049DB
SetCursor.USER32(00000000), ref: 004049DE
SendMessageW.USER32(00000111,?,00000000), ref: 00404A0D
SendMessageW.USER32(?,00000000,00000000), ref: 00404A1F

Strings

N, xrefs: 0040495C
Call, xrefs: 0040499D
7G@, xrefs: 004049CA

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: 7G@$Call$N
API String ID: 3103080414-3155595626
Opcode ID: b6dc2905c6216746abb3c0cd17d9c39e8b2e61a9098f8b336cb1d1698ee7a258
Instruction ID: cd0ff63a31a53d86839c1a5ce07a34679cc09665db384d3569e6db54912acae5
Opcode Fuzzy Hash: b6dc2905c6216746abb3c0cd17d9c39e8b2e61a9098f8b336cb1d1698ee7a258
Instruction Fuzzy Hash: 9061B0B1A40209BFDB10AF64CD85EAA7B69FB84305F00843AF605B72D0D779AD51CF98

Function 004062C8 Relevance: 26.4, APIs: 10, Strings: 5, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,?,?,00406463,?,?), ref: 00406303
GetShortPathNameW.KERNEL32(?,004265E8,00000400), ref: 0040630C

Part of subcall function 004060D7: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E7
Part of subcall function 004060D7: lstrlenA.KERNEL32(00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406119

GetShortPathNameW.KERNEL32(?,00426DE8,00000400), ref: 00406329
wsprintfA.USER32 ref: 00406347
GetFileSize.KERNEL32(00000000,00000000,00426DE8,C0000000,?,00426DE8,?,?,?,?,?), ref: 00406382
GlobalAlloc.KERNEL32(?,0000000A,?,?,?,?), ref: 00406391
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004063C9
SetFilePointer.KERNEL32(0040A5B0,00000000,00000000,00000000,00000000,004261E8,00000000,-0000000A,0040A5B0,00000000,[Rename],00000000,00000000,00000000), ref: 0040641F
GlobalFree.KERNEL32(00000000), ref: 00406430
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00406437

Part of subcall function 00406172: GetFileAttributesW.KERNELBASE(00000003,00403118,C:\Users\user\Desktop\2T10XBqS6g.exe,80000000,00000003), ref: 00406176
Part of subcall function 00406172: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00406198

Strings

mB, xrefs: 0040631E
[Rename], xrefs: 004063B1, 004063C3
mB, xrefs: 00406325
eB, xrefs: 004062F1
%ls=%ls, xrefs: 0040633D

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$eB$mB$mB
API String ID: 2171350718-2529913679
Opcode ID: db523023045b127196975f0173c88122861a3a00dd6e7a8812d5311d7169504c
Instruction ID: 393dc7f902851ea198dcc63c4c4a9d42cf85fc1b4335f85fcc59b0ede2066cac
Opcode Fuzzy Hash: db523023045b127196975f0173c88122861a3a00dd6e7a8812d5311d7169504c
Instruction Fuzzy Hash: 35313571600325BBD2206B29AD49F6B3A6CDF41744F17003AF902F62D3DA7CD82686BC

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00428A60,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 9a1d1952d02a6587733a796de720c08d05f060e36ce2c67ddab1b612aed24319
Instruction ID: 3c33d73dbc2ffdf14e434cca4ae815e9cfbd561affca8d3971a90777bf4c3be5
Opcode Fuzzy Hash: 9a1d1952d02a6587733a796de720c08d05f060e36ce2c67ddab1b612aed24319
Instruction Fuzzy Hash: 34418B71800249AFCF058FA5DE459AFBBB9FF45314F00802EF592AA1A0CB34DA55DFA4

Function 00406930 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\2T10XBqS6g.exe",7511ED70,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,?,0000000A,?), ref: 00406993
CharNextW.USER32(?,?,?,00000000,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 004069A2
CharNextW.USER32(?,"C:\Users\user\Desktop\2T10XBqS6g.exe",7511ED70,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,?,0000000A,?), ref: 004069A7
CharPrevW.USER32(?,?,7511ED70,C:\Users\user\AppData\Local\Temp\,00000000,00403620,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,?,0000000A,?), ref: 004069BA

Strings

*?|<>/":, xrefs: 00406982
"C:\Users\user\Desktop\2T10XBqS6g.exe", xrefs: 00406974
C:\Users\user\AppData\Local\Temp\, xrefs: 00406931

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\2T10XBqS6g.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-481421272
Opcode ID: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
Instruction ID: f71de53da442769783aaa0cb2fea73a85be5ebad64e4744dd58b15c84f46a956
Opcode Fuzzy Hash: 7c4491ab095b24fecdd0000f8ec6f0e383ca7ce11269c465865605e120ff5cd6
Instruction Fuzzy Hash: 2211C8A580021295DB303B548D40B7766F8AF59790F56403FED96B3AC1E77C4C9282BD

Function 00404668 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404685
GetSysColor.USER32(00000000), ref: 004046C3
SetTextColor.GDI32(?,00000000), ref: 004046CF
SetBkMode.GDI32(?,?), ref: 004046DB
GetSysColor.USER32(?), ref: 004046EE
SetBkColor.GDI32(?,?), ref: 004046FE
DeleteObject.GDI32(?), ref: 00404718
CreateBrushIndirect.GDI32(?), ref: 00404722

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: a82f55cf926b6e885627a74f3bab1bdd796941bf972b84b6a5e459a8b365bc4c
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 5C2177715007449BC7309F78DD48B577BF4AF42715B04893DEA96A36E0D738E944CB58

Function 00405707 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 478899543bd82950d8a4d30903f75c7e93d106f960787587e0f6081d0d83e678
Instruction ID: 0122bdc4cc194b68d617bf21deccaf32741d68d09ea49b6ef8aede989cb0ca1f
Opcode Fuzzy Hash: 478899543bd82950d8a4d30903f75c7e93d106f960787587e0f6081d0d83e678
Instruction Fuzzy Hash: F9219D71900618FACF119FA5DD84ACFBFB9EF45364F10843AF904B62A0C7794A419FA8

Function 00403033 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 0040304E
GetTickCount.KERNEL32 ref: 0040306C
wsprintfW.USER32 ref: 0040309A

Part of subcall function 00405707: lstrlenW.KERNEL32(00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000,?), ref: 0040573F
Part of subcall function 00405707: lstrlenW.KERNEL32(004030AD,00421F28,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,004030AD,00000000), ref: 0040574F
Part of subcall function 00405707: lstrcatW.KERNEL32(00421F28,004030AD,004030AD,00421F28,00000000,00000000,00000000), ref: 00405762
Part of subcall function 00405707: SetWindowTextW.USER32(00421F28,00421F28), ref: 00405774
Part of subcall function 00405707: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040579A
Part of subcall function 00405707: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 004057B4
Part of subcall function 00405707: SendMessageW.USER32(?,00001013,?,00000000), ref: 004057C2

CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 004030BE
ShowWindow.USER32(00000000,00000005), ref: 004030CC

Part of subcall function 00403017: MulDiv.KERNEL32(00000000,?,00000BF4), ref: 0040302C

Strings

... %d%%, xrefs: 00403094

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 08ac34a4e5fc7f4836fd10a2a84a83e51d98fc20e7055cc4174bcdc419dd85dd
Instruction ID: 5115fc65002d889466af77c95cd87ea57bd417394e766d10746fa218fe5c3c06
Opcode Fuzzy Hash: 08ac34a4e5fc7f4836fd10a2a84a83e51d98fc20e7055cc4174bcdc419dd85dd
Instruction Fuzzy Hash: CA01C830642610E7CB31AF50AE09A6B3FACAB04706F64043BF441B11D9D6B85A51CF9D

Function 00404FBC Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404FD7
GetMessagePos.USER32 ref: 00404FDF
ScreenToClient.USER32(?,?), ref: 00404FF9
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040500B
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00405031

Strings

f, xrefs: 0040500D

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: f32abc49a7be06d84d864a503b70a66925f192d82b82ee1d40ead4c3c6165fb8
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: 79015E31900218BADB00DBA4DD85BFFBBBCEF55711F10412BBA51B61D0D7B4AA058BA5

Function 00402F98 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402FB6
wsprintfW.USER32 ref: 00402FEA
SetWindowTextW.USER32(?,?), ref: 00402FFA
SetDlgItemTextW.USER32(?,00000406,?), ref: 0040300C

Strings

unpacking data: %d%%, xrefs: 00402FD8, 00402FE8
verifying installer: %d%%, xrefs: 00402FDF

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 66e00694bf9c2fcf5817c91216ca696d61ea9415c1ed8b1f40767934bfa15992
Instruction ID: 34bde3d48a8f942e304b41271f5ed33cd318c4bcfffe3c394610842cbdf8d478
Opcode Fuzzy Hash: 66e00694bf9c2fcf5817c91216ca696d61ea9415c1ed8b1f40767934bfa15992
Instruction Fuzzy Hash: 10F0317054020CABEF249F60DD4ABEE3B68EB40349F00C03AF606B51D0DBB99A55DB99

Function 6E1D2655 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6E1D12BB: GlobalAlloc.KERNELBASE(?,?,6E1D12DB,?,6E1D137F,00000019,6E1D11CA,-000000A0), ref: 6E1D12C5

GlobalFree.KERNEL32(?), ref: 6E1D2743
GlobalFree.KERNEL32(00000000), ref: 6E1D2778

Memory Dump Source

Source File: 00000002.00000002.3826398582.000000006E1D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E1D0000, based on PE: true

Associated: 00000002.00000002.3826375791.000000006E1D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826592395.000000006E1D4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826642284.000000006E1D6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e1d0000_2T10XBqS6g.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: fdb2bfff1ebe68adc93e3d3401f7974a860861aeb8fb721619b85f648f33221c
Instruction ID: 6f9dc87da371bc65f0b28f6db159862b8a8e210e3e325c3828b0ddd52427a868
Opcode Fuzzy Hash: fdb2bfff1ebe68adc93e3d3401f7974a860861aeb8fb721619b85f648f33221c
Instruction Fuzzy Hash: C531CD71609505EFCB258FA4C8C4CAE77BAFFA73253258528F12093260C7356C8AFB61

Function 00402983 Relevance: 9.1, APIs: 6, Instructions: 77memoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00406172: GetFileAttributesW.KERNELBASE(00000003,00403118,C:\Users\user\Desktop\2T10XBqS6g.exe,80000000,00000003), ref: 00406176
Part of subcall function 00406172: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00406198

GlobalAlloc.KERNEL32(?,?), ref: 004029B6

Part of subcall function 004035FD: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004032FB,?), ref: 0040360B

GlobalAlloc.KERNEL32(?,?,00000000,?), ref: 004029D2
GlobalFree.KERNEL32(?), ref: 00402A0B
GlobalFree.KERNEL32(00000000), ref: 00402A1E

Part of subcall function 00403376: SetFilePointer.KERNELBASE(00008001,00000000,00000000,00000000,00000000,?,?,00403322,000000FF,00000000,00000000,00008001,?), ref: 0040339B

CloseHandle.KERNEL32(?,?,?), ref: 00402A3A
DeleteFileW.KERNEL32(?), ref: 00402A4D

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: File$Global$AllocFreePointer$AttributesCloseCreateDeleteHandle
String ID:
API String ID: 488507980-0
Opcode ID: 204759c9182e0998936d503b734cd0b716213fd5fb3e3302ef3dc1645524a30e
Instruction ID: ba218adf5694e25fd77313e1ccbbfbab35a2a379656f90145ff8969d650460ca
Opcode Fuzzy Hash: 204759c9182e0998936d503b734cd0b716213fd5fb3e3302ef3dc1645524a30e
Instruction Fuzzy Hash: 8E218B71D00118BFCF21AFA4DD8989EBFB9EF08360B14422AF555762E1CB7949419F68

Function 00404EAE Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422F48,00422F48,?,%u.%u%s%s,00000005,00000000,00000000,?,?,00000000,?,000000DF,00000000,00000400,?), ref: 00404F4F
wsprintfW.USER32 ref: 00404F58
SetDlgItemTextW.USER32(?,00422F48), ref: 00404F6B

Strings

H/B, xrefs: 00404F41
%u.%u%s%s, xrefs: 00404F39

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$H/B
API String ID: 3540041739-2222257793
Opcode ID: 701484786e9e788ccce1f8e608fe17be4446b7c9895a13b6126df495f4584910
Instruction ID: 614c6b03a1206c52a907a8f7c7d2435543e043070c0789599254521b237785a9
Opcode Fuzzy Hash: 701484786e9e788ccce1f8e608fe17be4446b7c9895a13b6126df495f4584910
Instruction Fuzzy Hash: D911D5336041287BDB00666D9C45E9E329CEB85374F254637FA25F31D1EA79C82282E8

Function 6E1D1979 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 6E1D19DA
GlobalFree.KERNEL32(?), ref: 6E1D1B7A
GlobalFree.KERNEL32(?), ref: 6E1D1B7F

Memory Dump Source

Source File: 00000002.00000002.3826398582.000000006E1D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E1D0000, based on PE: true

Associated: 00000002.00000002.3826375791.000000006E1D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826592395.000000006E1D4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826642284.000000006E1D6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e1d0000_2T10XBqS6g.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 119a59ee9327e839e1cafa7175e54335442891d1960f7d47bc56bc2147461032
Instruction ID: 12f371af529f0160d24847f281e6d2dc292464685d6038dfad38488f2fff1142
Opcode Fuzzy Hash: 119a59ee9327e839e1cafa7175e54335442891d1960f7d47bc56bc2147461032
Instruction Fuzzy Hash: 7A51CF32F04119AEAB409FE9C4805EEBBB9FB51314F21855AD400A3250E771BECDB791

Function 6E1D2480 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6E1D25C2

Part of subcall function 6E1D12CC: lstrcpynW.KERNEL32(00000000,?,6E1D137F,00000019,6E1D11CA,-000000A0), ref: 6E1D12DC

GlobalAlloc.KERNEL32(?), ref: 6E1D2548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6E1D2563

Memory Dump Source

Source File: 00000002.00000002.3826398582.000000006E1D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E1D0000, based on PE: true

Associated: 00000002.00000002.3826375791.000000006E1D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826592395.000000006E1D4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826642284.000000006E1D6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e1d0000_2T10XBqS6g.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 7539d69d198f18df0a9538c2778104035ca091fe6e51c658572a25a712329453
Instruction ID: a4cbcee8fdbff320843154b10faa48a3e0f320fa3e4299e71075d49d40dfa1c7
Opcode Fuzzy Hash: 7539d69d198f18df0a9538c2778104035ca091fe6e51c658572a25a712329453
Instruction Fuzzy Hash: 2041BFB1108709EFD714DFA9D854EAA77B8FB95310F10891DE86587180EB30A9CDFB61

Function 00401D86 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9F
GetClientRect.USER32(?,?), ref: 00401DEA
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
DeleteObject.GDI32(00000000), ref: 00401E3E

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 5409701174cc037821a308746f1ef467676f72fb6d339cbf159e8a6e8e9d4097
Instruction ID: 305ae2269dae07fc62aa10ca295236b4d3f8ba7b944ef9ab65218e6e9e6ea469
Opcode Fuzzy Hash: 5409701174cc037821a308746f1ef467676f72fb6d339cbf159e8a6e8e9d4097
Instruction Fuzzy Hash: FE210772A04119AFCB15DF98DE45AEEBBB5EF08304F14003AF945F62A0D7789D81DB98

Function 00401E53 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E56
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
ReleaseDC.USER32(?,00000000), ref: 00401E89
CreateFontIndirectW.GDI32(0040CDF8), ref: 00401ED8

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 0c77369168bd7cf80ce1876f53bc619ac932c7fdeb75926795b65e903bb74869
Instruction ID: 3094fbe596e336cf4bf26b394f16fb1ed862d687e7810168c788cd964747d1d2
Opcode Fuzzy Hash: 0c77369168bd7cf80ce1876f53bc619ac932c7fdeb75926795b65e903bb74869
Instruction Fuzzy Hash: 74018871904240EFE7005BB4EE99BDD3FB4AF15301F20997AF581B62E2C6B904859BED

Function 6E1D16BD Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6E1D22D8,?,00000808), ref: 6E1D16D5
GlobalAlloc.KERNEL32(?,00000000,?,00000000,6E1D22D8,?,00000808), ref: 6E1D16DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6E1D22D8,?,00000808), ref: 6E1D16F0
GetProcAddress.KERNEL32(6E1D22D8,00000000), ref: 6E1D16F7
GlobalFree.KERNEL32(00000000), ref: 6E1D1700

Memory Dump Source

Source File: 00000002.00000002.3826398582.000000006E1D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E1D0000, based on PE: true

Associated: 00000002.00000002.3826375791.000000006E1D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826592395.000000006E1D4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826642284.000000006E1D6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e1d0000_2T10XBqS6g.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 1d45bffa38631a3973016abc1b11ba1a524ccebc164c9fd93f873c8df8d92503
Instruction ID: 0d62076a2ed19fe83febf00fa3e1d69dec6eb811f9d920de7ef0a8777f7aa650
Opcode Fuzzy Hash: 1d45bffa38631a3973016abc1b11ba1a524ccebc164c9fd93f873c8df8d92503
Instruction Fuzzy Hash: 07F0AC722075387BDA2117A69C4CDEBBE9CEF8B2F5B114315F628E219086615D02E7F1

Function 00405FFC Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,?,00406070,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,7511ED70,?,7511E810,00405DAE,?,7511ED70,7511E810,"C:\Users\user\Desktop\2T10XBqS6g.exe"), ref: 0040600A
CharNextW.USER32(00000000), ref: 0040600F
CharNextW.USER32(00000000), ref: 00406027

Strings

C:\Users\user\AppData\Local\Temp\nsnB301.tmp, xrefs: 00405FFD

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsnB301.tmp
API String ID: 3213498283-1217847721
Opcode ID: fbda1c126528e77f8eb1d19cbf263a4f79599cb979c26f3e0093e3aefe43dd94
Instruction ID: 6b36e5aaf6ec4384ffc5acae3f619c12edb839be27b3f0f06f1fa7befb24a934
Opcode Fuzzy Hash: fbda1c126528e77f8eb1d19cbf263a4f79599cb979c26f3e0093e3aefe43dd94
Instruction Fuzzy Hash: 00F0963198061595DE31F6584C45A7767BCDF55394B02807BE602B71C1D7B888E186DA

Function 00405F51 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403632,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,?,0000000A,?), ref: 00405F57
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403632,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040392F,?,?,0000000A,?), ref: 00405F61
lstrcatW.KERNEL32(?,0040A014,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00405F73

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405F51

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-1890098029
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: a99b79add3f29df6de165ac7772d062030ca4d7d7db28986cd5f5f8a2b4e36b3
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: C9D0A731101934AAC211AF548D04CDF639C9F463443414C3BF501B30A1CB7D6D6287FD

Function 6E1D10E1 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(?,?), ref: 6E1D1171
GlobalAlloc.KERNEL32(?,?), ref: 6E1D11E3
GlobalFree.KERNEL32 ref: 6E1D124A
GlobalFree.KERNEL32(?), ref: 6E1D129B
GlobalFree.KERNEL32(00000000), ref: 6E1D12B1

Memory Dump Source

Source File: 00000002.00000002.3826398582.000000006E1D1000.00000020.00000001.01000000.00000005.sdmp, Offset: 6E1D0000, based on PE: true

Associated: 00000002.00000002.3826375791.000000006E1D0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826592395.000000006E1D4000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000002.00000002.3826642284.000000006E1D6000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_6e1d0000_2T10XBqS6g.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 65f76f51b0a8ace2470cb1dbd6083eab609be345bc85326d3d0e5fee38bf4824
Instruction ID: 5db536c3556a75137331888077d3eab83192dab5af99865c0ff2c7567d1f699b
Opcode Fuzzy Hash: 65f76f51b0a8ace2470cb1dbd6083eab609be345bc85326d3d0e5fee38bf4824
Instruction Fuzzy Hash: 2E51B2B560160ADFDB00CFE8C844A5A7BF8FB16715B208519F904DB210E775ED8DEB50

Function 00402643 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsnB301.tmp\System.dll), ref: 0040269A

Strings

C:\Users\user\AppData\Local\Temp\nsnB301.tmp\System.dll, xrefs: 0040265E, 00402683, 00402695, 004026E1
C:\Users\user\AppData\Local\Temp\nsnB301.tmp, xrefs: 00402688

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsnB301.tmp$C:\Users\user\AppData\Local\Temp\nsnB301.tmp\System.dll
API String ID: 1659193697-816252712
Opcode ID: 0bc0856152eb1df416620cc5b8216ee98a437742c409cafcdd725fde6fb42ba2
Instruction ID: 3f04c1712215209208acb7642429b7129ba4cba87377fac841ce35f74c6015ca
Opcode Fuzzy Hash: 0bc0856152eb1df416620cc5b8216ee98a437742c409cafcdd725fde6fb42ba2
Instruction Fuzzy Hash: DF110A72A40205BBCB00BBB19E4AA9F76A19F50748F21483FF502F61C1DAFD89D1665E

Function 00403C62 Relevance: 6.0, APIs: 2, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(0000031C,C:\Users\user\AppData\Local\Temp\,00403B95,?,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403C74
CloseHandle.KERNEL32(00000320,C:\Users\user\AppData\Local\Temp\,00403B95,?,?,?,0000000A,?,?,?,?,?,?,?,?,?), ref: 00403C88

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403C67
C:\Users\user\AppData\Local\Temp\nsnB301.tmp, xrefs: 00403C98

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\nsnB301.tmp
API String ID: 2962429428-2095310778
Opcode ID: aee73ed6a062803200b229e34675cefdb9ab84dda1d90898f0442dcc956d8ee4
Instruction ID: 8c071fc62b7e332c461b44292a81ac7d95f2e272703a36c0b89becc6b1ca42eb
Opcode Fuzzy Hash: aee73ed6a062803200b229e34675cefdb9ab84dda1d90898f0442dcc956d8ee4
Instruction Fuzzy Hash: C9E04F3140471896D5246F78AE4E9853A185F41335B248326F078F21F0C738995A5AA9

Function 00406059 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406682: lstrcpynW.KERNEL32(?,?,00000400,004037B7,00428A60,NSIS Error,?,?,0000000A,?), ref: 0040668F

Part of subcall function 00405FFC: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,?,00406070,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,7511ED70,?,7511E810,00405DAE,?,7511ED70,7511E810,"C:\Users\user\Desktop\2T10XBqS6g.exe"), ref: 0040600A
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 0040600F
Part of subcall function 00405FFC: CharNextW.USER32(00000000), ref: 00406027

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsnB301.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,7511ED70,?,7511E810,00405DAE,?,7511ED70,7511E810,"C:\Users\user\Desktop\2T10XBqS6g.exe"), ref: 004060B2
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsnB301.tmp,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,C:\Users\user\AppData\Local\Temp\nsnB301.tmp,7511ED70,?,7511E810,00405DAE,?,7511ED70,7511E810), ref: 004060C2

Strings

C:\Users\user\AppData\Local\Temp\nsnB301.tmp, xrefs: 0040605F, 00406064, 0040606A, 004060AB, 004060B1, 004060B9, 004060C1

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsnB301.tmp
API String ID: 3248276644-1217847721
Opcode ID: 8ac32a27a18f4c2dd493eafaed9bce6c13b36ca5a95e32c2f60d88480e43d1b4
Instruction ID: c6e62d849c1808a59ce2984a64bb42424f7e4e7bb9f9a1371c2689eace45329e
Opcode Fuzzy Hash: 8ac32a27a18f4c2dd493eafaed9bce6c13b36ca5a95e32c2f60d88480e43d1b4
Instruction Fuzzy Hash: 17F04426144E6219D632723A0C05EAF26148F82354B57463FF853B22D1DF3C8D62C17E

Function 0040567B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 004056AA
CallWindowProcW.USER32(?,?,?,?), ref: 004056FB

Part of subcall function 0040464D: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040465F

Strings

, xrefs: 0040568B

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 566dc257d6ecfccfd9b8870a3abbf6eef49955a94d49fdbfe0e36d929d226f84
Instruction ID: 56d6425d582badedfe6e85af8287ead15e3733fa9de593adb61ce7d3cc062d63
Opcode Fuzzy Hash: 566dc257d6ecfccfd9b8870a3abbf6eef49955a94d49fdbfe0e36d929d226f84
Instruction Fuzzy Hash: 1601B131101608ABDF205F41DE80AAF3A39EB84754F90483BF509761D0D77B8C929E6D

Function 00406550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00000000,00000000,00421F28,?,00000800,00000000,?,00421F28,?,?,Call,?,00000000,004067C1,80000002), ref: 00406596
RegCloseKey.ADVAPI32(?), ref: 004065A1

Strings

Call, xrefs: 00406557

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 45cc12acc3a9c215c07d598151d8e3fd579320fa7e8caec45c805d12e0fab9e6
Instruction ID: 225dfe442f4fc2e839130f584d2f70a73ee2f61c7405cac2e0d59c7fe544a8ff
Opcode Fuzzy Hash: 45cc12acc3a9c215c07d598151d8e3fd579320fa7e8caec45c805d12e0fab9e6
Instruction Fuzzy Hash: 39017172510209FEDF218F55DD05EDB3BE8EB54364F014035FD1592190E738D968DBA4

Function 004060D7 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060E7
lstrcmpiA.KERNEL32(00000000,00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 004060FF
CharNextA.USER32(00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406110
lstrlenA.KERNEL32(00000000,?,00000000,004063BC,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406119

Memory Dump Source

Source File: 00000002.00000002.3821744301.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000002.00000002.3821652236.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821857062.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.000000000042A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3821951740.0000000000436000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000044A000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000002.00000002.3823644746.000000000045A000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_2T10XBqS6g.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
Instruction ID: 41d5ee4ea83cc4d308be6584820b02a87ee89e19241337121ce36a8d52a16fb8
Opcode Fuzzy Hash: 95544cd0fbc1c68b6442233ab1bb13ea59abf9e1bd9498eecabbd7b85e38d71d
Instruction Fuzzy Hash: 9DF06235504418EFC702DBA9DD00D9EBFA8EF46350B2640B9E841FB211DA74DE11AB99

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Driver: Driver Load, File: File Creation, File: File Modification, Module: Module Load
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 2T10XBqS6g.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Setup.ini

C:\Users\user\AppData\Local\Temp\nsnB264.tmp

C:\Users\user\AppData\Local\Temp\nsnB301.tmp\System.dll

C:\Users\user\eftermodnendes\ringeagt\Daystars216.tre

C:\Users\user\eftermodnendes\ringeagt\Skvinge18.alt

C:\Users\user\eftermodnendes\ringeagt\Sufferers.Gyr

C:\Users\user\eftermodnendes\ringeagt\bttefulde.tox

C:\Users\user\eftermodnendes\ringeagt\utidige.Gau

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
2T10XBqS6g.exe

Function 00403645 Relevance: 84.5, APIs: 32, Strings: 16, Instructions: 464
stringfilecomCOMMON

Function 00405D8E Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00406DA0 Relevance: 5.4, APIs: 4, Instructions: 382
COMMON

Function 004069DF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00403D54 Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 004030D5 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 204
memoryCOMMON

Function 004066BF Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Function 00401774 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 00406A06 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Function 6E1D1817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84
windowtimeCOMMON

Function 0040248F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64
registrystringCOMMON

Function 004061A1 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON