Edit tour

Windows Analysis Report
yUgCaQhCIc.exe

Overview

General Information

Sample name:	yUgCaQhCIc.exe renamed because original name is a hash value
Original sample name:	virussign.com_5da47991f8da648663063560b0182040.exe
Analysis ID:	1638022
MD5:	5da47991f8da648663063560b0182040
SHA1:	a23ba563cd76be2e6324733fd93725365e1af593
SHA256:	faa5c705f7a92dbc2bedd76bb8eb4f0f002389d16d1362ebee36eeffcf969a87
Tags:	adwareexeuser-2huMarisa
Infos:

Detection

Score:	60
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

AI detected suspicious PE digital signature

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Deletes files inside the Windows folder

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

PE / OLE file has an invalid certificate

Uses 32bit PE files

Classification

Process Tree

System is w10x64

yUgCaQhCIc.exe (PID: 8024 cmdline: "C:\Users\user\Desktop\yUgCaQhCIc.exe" MD5: 5DA47991F8DA648663063560B0182040)

chrome.exe (PID: 7380 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6880 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1952,i,11198765942731370173,6395002494660126068,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2092 /prefetch:3 MD5: E81F54E6C1129887AEA47E7D092680BF)

chrome.exe (PID: 6848 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1952,i,11198765942731370173,6395002494660126068,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5044 /prefetch:8 MD5: E81F54E6C1129887AEA47E7D092680BF)

cleanup

Joe Sandbox Signatures

• AV Detection
• Compliance
• Spreading
• Networking
• Key, Mouse, Clipboard, Microphone and Screen Capturing
• System Summary
• Data Obfuscation
• Persistence and Installation Behavior
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: yUgCaQhCIc.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: yUgCaQhCIc.exe	Virustotal: Detection: 65%			Perma Link
Source: yUgCaQhCIc.exe	ReversingLabs: Detection: 68%

Source: yUgCaQhCIc.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Code function: 0_2_00405D07 FindFirstFileA,FindClose,	0_2_00405D07
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405331
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E

Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.203
Source: unknown	TCP traffic detected without corresponding DNS query: 20.189.173.14
Source: unknown	TCP traffic detected without corresponding DNS query: 2.23.227.208
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.27.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 150.171.31.254
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222
Source: unknown	TCP traffic detected without corresponding DNS query: 204.79.197.222

Source: global traffic	DNS traffic detected: DNS query: download.toggle.com
Source: global traffic	DNS traffic detected: DNS query: pf.toggle.com
Source: global traffic	DNS traffic detected: DNS query: google.com
Source: global traffic	DNS traffic detected: DNS query: www.google.com
Source: global traffic	DNS traffic detected: DNS query: beacons.gcp.gvt2.com
Source: global traffic	DNS traffic detected: DNS query: beacons.gvt2.com
Source: global traffic	DNS traffic detected: DNS query: beacons2.gvt2.com
Source: global traffic	DNS traffic detected: DNS query: beacons3.gvt2.com

Source: yUgCaQhCIc.exe	String found in binary or memory: http://a9.com/-/spec/opensearch/1.1/
Source: yUgCaQhCIc.exe	String found in binary or memory: http://crl.thawte.com/ThawtePCA.crl0
Source: yUgCaQhCIc.exe	String found in binary or memory: http://cs-g2-crl.thawte.com/ThawteCSG2.crl0
Source: yUgCaQhCIc.exe	String found in binary or memory: http://download.toggle.com/installers/extra_software/dealply/dealply.exe
Source: yUgCaQhCIc.exe	String found in binary or memory: http://download.toggle.com/installers/nsis/
Source: yUgCaQhCIc.exe	String found in binary or memory: http://download.toggle.com/installers/toolbar/
Source: yUgCaQhCIc.exe	String found in binary or memory: http://en.intsupport.com/index.php?ref=http://www.toggle.com/&step1=form1
Source: yUgCaQhCIc.exe	String found in binary or memory: http://en.intsupport.com/index.php?ref=http://www.toggle.com/&step1=form1255Set
Source: yUgCaQhCIc.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: yUgCaQhCIc.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: yUgCaQhCIc.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: yUgCaQhCIc.exe, 00000000.00000002.1411651279.000000000075E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pf.toggle.com/
Source: yUgCaQhCIc.exe	String found in binary or memory: http://pf.toggle.com/img_en_248567_
Source: yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411651279.000000000075E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pf.toggle.com/img_en_248567_64_5787_0_us_2012102621.gif
Source: yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pf.toggle.com/img_en_248567_64_5787_0_us_2012102621.gifD
Source: yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pf.toggle.com/img_en_248567_64_5787_0_us_2012102621.gifFGIq
Source: yUgCaQhCIc.exe	String found in binary or memory: http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe
Source: yUgCaQhCIc.exe	String found in binary or memory: http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621
Source: yUgCaQhCIc.exe	String found in binary or memory: http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=
Source: yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519
Source: yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519:.
Source: yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519P-
Source: yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519j
Source: yUgCaQhCIc.exe	String found in binary or memory: http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621save:
Source: yUgCaQhCIc.exe	String found in binary or memory: http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exeDownload
Source: yUgCaQhCIc.exe	String found in binary or memory: http://www.babylon.com/redirects/redir.cgi?type=babylon_toolbar_eula
Source: yUgCaQhCIc.exe	String found in binary or memory: http://www.babylon.com/redirects/redir.cgi?type=babylon_toolbar_eulaField
Source: yUgCaQhCIc.exe	String found in binary or memory: http://www.coupish.com/terms.php
Source: yUgCaQhCIc.exe	String found in binary or memory: http://www.coupish.com/terms.phpof
Source: yUgCaQhCIc.exe, show_page_toolbar.0.dr	String found in binary or memory: http://www.dealply.com/terms/
Source: yUgCaQhCIc.exe	String found in binary or memory: http://www.dealply.com/terms/Field
Source: yUgCaQhCIc.exe, show_page_toolbar.0.dr	String found in binary or memory: http://www.funmoods.com/privacy
Source: yUgCaQhCIc.exe, show_page_toolbar.0.dr	String found in binary or memory: http://www.funmoods.com/terms
Source: yUgCaQhCIc.exe	String found in binary or memory: http://www.funmoods.com/termshttp://www.funmoods.com/privacyBy
Source: yUgCaQhCIc.exe	String found in binary or memory: http://www.mozilla.org/2006/browser/search/

Source: unknown	Network traffic detected: HTTP traffic on port 58593 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58570 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49672 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58606 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58555 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58558 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58506 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58582
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58581
Source: unknown	Network traffic detected: HTTP traffic on port 58561 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58580
Source: unknown	Network traffic detected: HTTP traffic on port 58569 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58517 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58506
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58505
Source: unknown	Network traffic detected: HTTP traffic on port 58552 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58589
Source: unknown	Network traffic detected: HTTP traffic on port 58573 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58504
Source: unknown	Network traffic detected: HTTP traffic on port 58590 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58503
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58596
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58593
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58592
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58595
Source: unknown	Network traffic detected: HTTP traffic on port 58503 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58594
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58591
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58590
Source: unknown	Network traffic detected: HTTP traffic on port 58566 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58576 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58591 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58522
Source: unknown	Network traffic detected: HTTP traffic on port 58504 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58563 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58546 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58582 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49678
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49675
Source: unknown	Network traffic detected: HTTP traffic on port 58596 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58554 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58571 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58526
Source: unknown	Network traffic detected: HTTP traffic on port 58557 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58526 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58560 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58568 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49676 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58522 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58574 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58580 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58565 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58594 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58559 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58546
Source: unknown	Network traffic detected: HTTP traffic on port 58577 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58547
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58553
Source: unknown	Network traffic detected: HTTP traffic on port 58556 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58552
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58555
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58554
Source: unknown	Network traffic detected: HTTP traffic on port 58562 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49678 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58557
Source: unknown	Network traffic detected: HTTP traffic on port 58572 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58553 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58556
Source: unknown	Network traffic detected: HTTP traffic on port 58595 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58559
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58558
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58564
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58563
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58566
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58565
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58560
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58562
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58561
Source: unknown	Network traffic detected: HTTP traffic on port 58567 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58607 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58607
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58606
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58568
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58567
Source: unknown	Network traffic detected: HTTP traffic on port 58592 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58569
Source: unknown	Network traffic detected: HTTP traffic on port 58575 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58575
Source: unknown	Network traffic detected: HTTP traffic on port 58581 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58574
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58577
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58576
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58571
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58570
Source: unknown	Network traffic detected: HTTP traffic on port 58505 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58573
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 58572
Source: unknown	Network traffic detected: HTTP traffic on port 58589 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58547 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 58564 -> 443

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe

Code function: 0_2_00404EE8 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404EE8

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe

Code function: 0_2_004030FA EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,DeleteFileA,ExitProcess,CoUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_004030FA

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File created: C:\Windows\SystemTemp\scoped_dir7380_1397110669

Jump to behavior

Source: C:\Program Files\Google\Chrome\Application\chrome.exe

File deleted: C:\Windows\SystemTemp\scoped_dir7380_1397110669

Jump to behavior

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Code function: 0_2_00406128	0_2_00406128
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Code function: 0_2_004046F9	0_2_004046F9
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Code function: 0_2_004068FF	0_2_004068FF

Source: yUgCaQhCIc.exe

Static PE information: invalid certificate

Source: yUgCaQhCIc.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal60.winEXE@26/10@57/2

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe

Code function: 0_2_004041FC GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004041FC

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe

Code function: 0_2_00402020 CoCreateInstance,MultiByteToWideChar,

0_2_00402020

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe

File created: C:\Users\user\AppData\Local\Temp\nsr39C1.tmp

Jump to behavior

Source: yUgCaQhCIc.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: yUgCaQhCIc.exe	Virustotal: Detection: 65%
Source: yUgCaQhCIc.exe	ReversingLabs: Detection: 68%

Source: yUgCaQhCIc.exe	String found in binary or memory: http://download.toggle.com/installers/nsis/
Source: yUgCaQhCIc.exe	String found in binary or memory: http://download.toggle.com/installers/toolbar/
Source: yUgCaQhCIc.exe	String found in binary or memory: http://download.toggle.com/installers/toolbar/
Source: yUgCaQhCIc.exe	String found in binary or memory: \Toolbar_Toggle.exehttp://download.toggle.com/installers/toolbar/
Source: yUgCaQhCIc.exe	String found in binary or memory: http://download.toggle.com/installers/extra_software/dealply/dealply.exe
Source: yUgCaQhCIc.exe	String found in binary or memory: http://download.toggle.com/installers/extra_software/dealply/dealply.exe
Source: yUgCaQhCIc.exe	String found in binary or memory: .exehttp://download.toggle.com/installers/extra_software/dealply/dealply.exe comand line fordealply:

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe

File read: C:\Users\user\Desktop\yUgCaQhCIc.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\yUgCaQhCIc.exe "C:\Users\user\Desktop\yUgCaQhCIc.exe"
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1952,i,11198765942731370173,6395002494660126068,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2092 /prefetch:3
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1952,i,11198765942731370173,6395002494660126068,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5044 /prefetch:8
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1952,i,11198765942731370173,6395002494660126068,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2092 /prefetch:3	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1952,i,11198765942731370173,6395002494660126068,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5044 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1952,i,11198765942731370173,6395002494660126068,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5044 /prefetch:8	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: windows.shell.servicehostbuilder.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Section loaded: winnsi.dll	Jump to behavior

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe

File written: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\ioSpecial.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe

Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405D2E

Persistence and Installation Behavior

AI detected suspicious PE digital signature

Source: Initial sample

Joe Sandbox AI: Detected suspicious elements in PE signature: Multiple critical red flags: 1) Certificate is expired since 2013, over 12 years ago from current date (March 2025). 2) Signature is explicitly marked as invalid with validation errors. 3) Compilation timestamp (Dec 2009) predates the certificate's validity period (Jan 2012), suggesting potential timestamp manipulation. 4) While Thawte is a known CA, 'Inffinity Internet' appears suspicious due to the misspelling of 'Infinity' and lacks corporate legitimacy. 5) The significant time gaps between compilation (2009), certification (2012-2013), and current date (2025) with an invalid signature strongly suggests certificate abuse or forgery. The only slightly mitigating factor is that the country (Spain) is not typically associated with high-risk regions.

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	File created: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	File created: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\UAC.dll	Jump to dropped file
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	File created: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\NSISdl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	File created: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\LangDLL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	File created: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\inetc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	File created: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\BrandingURL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	File created: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\InstallOptions.dll	Jump to dropped file
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\UAC.dll	Jump to dropped file
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\NSISdl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\LangDLL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\inetc.dll	Jump to dropped file
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\BrandingURL.dll	Jump to dropped file
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\System.dll	Jump to dropped file

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Code function: 0_2_00405D07 FindFirstFileA,FindClose,	0_2_00405D07
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Code function: 0_2_00405331 DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,RemoveDirectoryA,	0_2_00405331
Source: C:\Users\user\Desktop\yUgCaQhCIc.exe	Code function: 0_2_0040263E FindFirstFileA,	0_2_0040263E

Source: yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll741918519
Source: yUgCaQhCIc.exe, 00000000.00000003.1399102984.00000000007D6000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007A4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe

API call chain: ExitProcess graph end node

graph_0-3191

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe

Code function: 0_2_00405D2E GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00405D2E

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe

Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519

Jump to behavior

Source: C:\Users\user\Desktop\yUgCaQhCIc.exe

Code function: 0_2_00405A2E GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405A2E

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	12 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Process Injection	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	3 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 File Deletion	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
yUgCaQhCIc.exe	66%	Virustotal		Browse
yUgCaQhCIc.exe	68%	ReversingLabs	Win32.Adware.Coupish
yUgCaQhCIc.exe	100%	Avira	ADWARE/Adware.Gen4

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\BrandingURL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\InstallOptions.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\LangDLL.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\NSISdl.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\UAC.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\inetc.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.dealply.com/terms/Field	0%	Avira URL Cloud	safe
http://www.dealply.com/terms/	0%	Avira URL Cloud	safe
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621	0%	Avira URL Cloud	safe
http://download.toggle.com/installers/nsis/	0%	Avira URL Cloud	safe
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519:.	0%	Avira URL Cloud	safe
http://pf.toggle.com/img_en_248567_64_5787_0_us_2012102621.gifD	0%	Avira URL Cloud	safe
http://en.intsupport.com/index.php?ref=http://www.toggle.com/&step1=form1	0%	Avira URL Cloud	safe
http://download.toggle.com/installers/toolbar/	0%	Avira URL Cloud	safe
http://pf.toggle.com/	0%	Avira URL Cloud	safe
http://download.toggle.com/installers/extra_software/dealply/dealply.exe	0%	Avira URL Cloud	safe
http://www.funmoods.com/privacy	0%	Avira URL Cloud	safe
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe	0%	Avira URL Cloud	safe
http://pf.toggle.com/img_en_248567_	0%	Avira URL Cloud	safe
http://www.babylon.com/redirects/redir.cgi?type=babylon_toolbar_eula	0%	Avira URL Cloud	safe
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519	0%	Avira URL Cloud	safe
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621save:	0%	Avira URL Cloud	safe
http://www.funmoods.com/terms	0%	Avira URL Cloud	safe
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=	0%	Avira URL Cloud	safe
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519P-	0%	Avira URL Cloud	safe
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519j	0%	Avira URL Cloud	safe
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exeDownload	0%	Avira URL Cloud	safe
http://en.intsupport.com/index.php?ref=http://www.toggle.com/&step1=form1255Set	0%	Avira URL Cloud	safe
http://www.coupish.com/terms.phpof	0%	Avira URL Cloud	safe
http://www.funmoods.com/termshttp://www.funmoods.com/privacyBy	0%	Avira URL Cloud	safe
http://www.coupish.com/terms.php	0%	Avira URL Cloud	safe
http://pf.toggle.com/img_en_248567_64_5787_0_us_2012102621.gif	0%	Avira URL Cloud	safe
http://pf.toggle.com/img_en_248567_64_5787_0_us_2012102621.gifFGIq	0%	Avira URL Cloud	safe
http://www.babylon.com/redirects/redir.cgi?type=babylon_toolbar_eulaField	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
beacons3.gvt2.com	142.250.186.35	true	false	high
google.com	142.250.185.78	true	false	high
beacons-handoff.gcp.gvt2.com	142.251.143.67	true	false	high
www.google.com	216.58.212.164	true	false	high
beacons2.gvt2.com	216.239.32.3	true	false	high
beacons.gvt2.com	142.250.180.99	true	false	high
beacons6.gvt2.com	216.58.206.35	true	false	high
download.toggle.com	unknown	unknown	false	unknown
beacons.gcp.gvt2.com	unknown	unknown	false	high
pf.toggle.com	unknown	unknown	false	high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://pf.toggle.com/	yUgCaQhCIc.exe, 00000000.00000002.1411651279.000000000075E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.dealply.com/terms/Field	yUgCaQhCIc.exe	false	Avira URL Cloud: safe	unknown
http://ocsp.thawte.com0	yUgCaQhCIc.exe	false		high
http://www.dealply.com/terms/	yUgCaQhCIc.exe, show_page_toolbar.0.dr	false	Avira URL Cloud: safe	unknown
http://download.toggle.com/installers/extra_software/dealply/dealply.exe	yUgCaQhCIc.exe	false	Avira URL Cloud: safe	unknown
http://en.intsupport.com/index.php?ref=http://www.toggle.com/&step1=form1	yUgCaQhCIc.exe	false	Avira URL Cloud: safe	unknown
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621	yUgCaQhCIc.exe	false	Avira URL Cloud: safe	unknown
http://download.toggle.com/installers/toolbar/	yUgCaQhCIc.exe	false	Avira URL Cloud: safe	unknown
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519:.	yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	yUgCaQhCIc.exe	false		high
http://pf.toggle.com/img_en_248567_64_5787_0_us_2012102621.gifD	yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://download.toggle.com/installers/nsis/	yUgCaQhCIc.exe	false	Avira URL Cloud: safe	unknown
http://www.funmoods.com/privacy	yUgCaQhCIc.exe, show_page_toolbar.0.dr	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_Error	yUgCaQhCIc.exe	false		high
http://cs-g2-crl.thawte.com/ThawteCSG2.crl0	yUgCaQhCIc.exe	false		high
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621save:	yUgCaQhCIc.exe	false	Avira URL Cloud: safe	unknown
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519	yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.thawte.com/ThawtePCA.crl0	yUgCaQhCIc.exe	false		high
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe	yUgCaQhCIc.exe	false	Avira URL Cloud: safe	unknown
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519P-	yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://a9.com/-/spec/opensearch/1.1/	yUgCaQhCIc.exe	false		high
http://pf.toggle.com/img_en_248567_	yUgCaQhCIc.exe	false	Avira URL Cloud: safe	unknown
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=	yUgCaQhCIc.exe	false	Avira URL Cloud: safe	unknown
http://www.funmoods.com/terms	yUgCaQhCIc.exe, show_page_toolbar.0.dr	false	Avira URL Cloud: safe	unknown
http://www.babylon.com/redirects/redir.cgi?type=babylon_toolbar_eula	yUgCaQhCIc.exe	false	Avira URL Cloud: safe	unknown
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519j	yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exeDownload	yUgCaQhCIc.exe	false	Avira URL Cloud: safe	unknown
http://www.funmoods.com/termshttp://www.funmoods.com/privacyBy	yUgCaQhCIc.exe	false	Avira URL Cloud: safe	unknown
http://en.intsupport.com/index.php?ref=http://www.toggle.com/&step1=form1255Set	yUgCaQhCIc.exe	false	Avira URL Cloud: safe	unknown
http://pf.toggle.com/img_en_248567_64_5787_0_us_2012102621.gif	yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411651279.000000000075E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.coupish.com/terms.php	yUgCaQhCIc.exe	false	Avira URL Cloud: safe	unknown
http://www.coupish.com/terms.phpof	yUgCaQhCIc.exe	false	Avira URL Cloud: safe	unknown
http://www.babylon.com/redirects/redir.cgi?type=babylon_toolbar_eulaField	yUgCaQhCIc.exe	false	Avira URL Cloud: safe	unknown
http://pf.toggle.com/img_en_248567_64_5787_0_us_2012102621.gifFGIq	yUgCaQhCIc.exe, 00000000.00000003.1410998486.00000000007B2000.00000004.00000020.00020000.00000000.sdmp, yUgCaQhCIc.exe, 00000000.00000002.1411783301.00000000007B2000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
216.58.212.164	www.google.com	United States		15169	GOOGLEUS	false

Private

IP
192.168.2.5

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1638022
Start date and time:	2025-03-14 03:14:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 4m 48s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	14
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	yUgCaQhCIc.exe renamed because original name is a hash value
Original Sample Name:	virussign.com_5da47991f8da648663063560b0182040.exe
Detection:	MAL
Classification:	mal60.winEXE@26/10@57/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 37 Number of non-executed functions: 29
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 142.250.185.206, 142.250.184.227, 142.250.185.142, 74.125.133.84, 216.58.206.67, 74.125.206.84, 216.58.206.78, 142.250.186.46
Excluded domains from analysis (whitelisted): clients1.google.com, ev2-ring.msedge.net, accounts.google.com, slscr.update.microsoft.com, clientservices.googleapis.com, g.bing.com, fe3cr.delivery.mp.microsoft.com, c2a9c95e369881c67228a6591cac2686.clo.footprintdns.com, ax-ring.msedge.net, clients2.google.com, edgedl.me.gvt1.com, update.googleapis.com, clients.l.google.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
beacons3.gvt2.com	http://marina84.com/food/	Get hash	malicious	Unknown	Browse	142.250.185.163
	http://allstarteventsmiami.com	Get hash	malicious	Unknown	Browse	142.250.186.131
	http://lookerstudio%2e%67%6f%6f%67%6c%65%2e%63%6f%6d/s/tVpHSqKmotA	Get hash	malicious	HTMLPhisher	Browse	172.217.18.3
	http://insprocks.com/Insprock289.exe	Get hash	malicious	Unknown	Browse	142.250.184.195
	https://sites.google.com/view/rfdzxgffg/home	Get hash	malicious	Unknown	Browse	172.217.18.99
	Robert Martin shared _Clarion Security _ with you {Ref _8589}.eml	Get hash	malicious	Invisible JS, Tycoon2FA	Browse	172.217.18.3
	https://simplified.com/designs/cd97e327-288b-43f7-99e7-024626ab4a8c/share?utm_content=cd97e327-288b-43f7-99e7-024626ab4a8c&utm_campaign=share&utm_medium=link&utm_source=projectlinks	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	142.250.181.227
	Inv#8653763981_2sfgPaymentAdvice.svg	Get hash	malicious	HTMLPhisher	Browse	142.250.186.67
	.svg	Get hash	malicious	HTMLPhisher	Browse	172.217.18.3
beacons-handoff.gcp.gvt2.com	Dioxide.exe	Get hash	malicious	Unknown	Browse	142.250.185.195
	http://marina84.com/food/	Get hash	malicious	Unknown	Browse	142.251.143.67
	http://czm11.cavernbeatles.com/rd/4EiHFs5060pdwZ594ueemlltgbq246DXCLIFRFRUUFCZD7792KXRQ15860r19	Get hash	malicious	Unknown	Browse	142.251.143.35
	http://learn-docs-trazure.github.io/	Get hash	malicious	Unknown	Browse	142.250.186.35
	http://s.team-fg.com/p/jjnh-trfg/frmkhpcw/	Get hash	malicious	Unknown	Browse	142.250.180.67
	http://safety-profiles-fb-ads-156388685.vercel.app/	Get hash	malicious	Unknown	Browse	142.250.180.99
	http://help-copyright-issuenow-here.vercel.app/	Get hash	malicious	Unknown	Browse	142.250.180.99
	http://svt-aletaharropact6825.pages.dev/help/contact/200748660570057/	Get hash	malicious	Unknown	Browse	142.251.143.35
	http://whoatscpp.com/	Get hash	malicious	Unknown	Browse	142.250.180.99
	http://get--opportunity-to-be-verified.vercel.app/?fbclid=iwy2xjawi9k6vlehrua2flbqixmqabhugn54ildr55urfs92joaufhbzqvlrtjxjkdczko1udgqyjiqqtdzf10_a_aem_3wblvarwrely9bbom4ncbw	Get hash	malicious	Unknown	Browse	142.251.143.35
google.com	http://marina84.com/food/	Get hash	malicious	Unknown	Browse	142.250.186.100
	https://utopiamanali.com/inc/prof.html?login=skhalil@newyorklife.com	Get hash	malicious	Unknown	Browse	216.58.212.132
	http://czm11.cavernbeatles.com/rd/4EiHFs5060pdwZ594ueemlltgbq246DXCLIFRFRUUFCZD7792KXRQ15860r19	Get hash	malicious	Unknown	Browse	142.250.185.132
	https://ghyeminilogin.webflow.io/	Get hash	malicious	Unknown	Browse	142.250.185.132
	https://tagore56.github.io/netflix	Get hash	malicious	Unknown	Browse	142.250.185.132
	http://learn-docs-trazure.github.io/	Get hash	malicious	Unknown	Browse	142.250.186.132
	https://metamskflowgin.webflow.io/	Get hash	malicious	Unknown	Browse	142.250.186.164
	https://app--secure-blockfi-cdnn.webflow.io/	Get hash	malicious	Unknown	Browse	142.250.181.228
beacons2.gvt2.com	Dioxide.exe	Get hash	malicious	Unknown	Browse	172.217.168.35
	http://marina84.com/food/	Get hash	malicious	Unknown	Browse	172.217.19.163
	http://allstarteventsmiami.com	Get hash	malicious	Unknown	Browse	216.58.209.195
	http://lookerstudio%2e%67%6f%6f%67%6c%65%2e%63%6f%6d/s/tVpHSqKmotA	Get hash	malicious	HTMLPhisher	Browse	172.217.0.163
	https://steanmrcommunity.com/1052917516	Get hash	malicious	Unknown	Browse	142.250.192.3
	https://sites.google.com/view/sysgfdgsfghgfdvvbffdv-hgfdcfb/home	Get hash	malicious	Unknown	Browse	216.239.32.3
	http://app.plangrid.com/projects/bcb97291-5564-5612-9970-d1b139dcb62d/staple/b1fc2804-67d4-470e-9780-d2d4344b3b93	Get hash	malicious	Unknown	Browse	216.239.32.3
	http://insprocks.com/Insprock289.exe	Get hash	malicious	Unknown	Browse	172.253.124.94
	https://t.co/E2W9evnxED	Get hash	malicious	HTMLPhisher	Browse	64.233.168.94
	SecuriteInfo.com.FileRepMalware.26489.28570.exe	Get hash	malicious	Unknown	Browse	216.239.32.3

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\InstallOptions.dll	CANTest_Setup_V2.70.exe	Get hash	malicious	Unknown	Browse
	WinPEU.exe	Get hash	malicious	Unknown	Browse
	WhiteDefenderSetup64_20201118.exe	Get hash	malicious	GuLoader	Browse
	WhiteDefenderSetup64_20201118.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.FileRepMalware.20128.24359.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Malware-gen.27948.29630.exe	Get hash	malicious	Unknown	Browse
	ExeFile (207).exe	Get hash	malicious	Unknown	Browse
	ClientSetup.exe	Get hash	malicious	Unknown	Browse
	ClientSetup.exe	Get hash	malicious	Unknown	Browse
	Unlocker1.9.2.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\BrandingURL.dll	Cursor Commander.exe	Get hash	malicious	Unknown	Browse
	Advanced.Installer-15.9.exe	Get hash	malicious	Unknown	Browse
	29#Uff09.exe	Get hash	malicious	Unknown	Browse
	myDHSBbmiQ30XWiQsvEZBgkKPOQqbPoH.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\BrandingURL.dll

Download File

Process:	C:\Users\user\Desktop\yUgCaQhCIc.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	4096
Entropy (8bit):	3.904876158695173
Encrypted:	false
SSDEEP:	48:qnMpjVitCGEuR+BrUtDQbfwz3Aa3MAAZHMAAJb/Jb9W/Boj:zAwDlUSbIz3Aa33AZH3A5BZW/Boj
MD5:	71C46B663BAA92AD941388D082AF97E7
SHA1:	5A9FCCE065366A526D75CC5DED9AADE7CADD6421
SHA-256:	BB2B9C272B8B66BC1B414675C2ACBA7AFAD03FFF66A63BABEE3EE57ED163D19E
SHA-512:	5965BD3F5369B9A1ED641C479F7B8A14AF27700D0C27D482AA8EB62ACC42F7B702B5947D82F9791B29BCBA4D46E1409244F0A8DDCE4EC75022B5E27F6D671BCE
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Cursor Commander.exe, Detection: malicious, Browse Filename: Advanced.Installer-15.9.exe, Detection: malicious, Browse Filename: 29#Uff09.exe, Detection: malicious, Browse Filename: myDHSBbmiQ30XWiQsvEZBgkKPOQqbPoH.exe, Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............x...x...x...x...x...g...x..)g...x..)g...x..Rich.x..........................PE..L...KThF...........!................Q........ ...............................P......................................."..W...p ..d............................@....................................................... ..p............................text............................... ..`.rdata..G.... ......................@..@.data...P....0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\InstallOptions.dll

Download File

Process:	C:\Users\user\Desktop\yUgCaQhCIc.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	5.550299117674118
Encrypted:	false
SSDEEP:	192:86d+dHXLHQOPiY53uiUdigyU+WsPdc/A1A+2jwK72dwF7dBEnbok:86UdHXcIiY535zBt2jw+BEnbo
MD5:	325B008AEC81E5AAA57096F05D4212B5
SHA1:	27A2D89747A20305B6518438EFF5B9F57F7DF5C3
SHA-256:	C9CD5C9609E70005926AE5171726A4142FFBCCCC771D307EFCD195DAFC1E6B4B
SHA-512:	18362B3AEE529A27E85CC087627ECF6E2D21196D725F499C4A185CB3A380999F43FF1833A8EBEC3F5BA1D3A113EF83185770E663854121F2D8B885790115AFDF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: CANTest_Setup_V2.70.exe, Detection: malicious, Browse Filename: WinPEU.exe, Detection: malicious, Browse Filename: WhiteDefenderSetup64_20201118.exe, Detection: malicious, Browse Filename: WhiteDefenderSetup64_20201118.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.FileRepMalware.20128.24359.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.27948.29630.exe, Detection: malicious, Browse Filename: ExeFile (207).exe, Detection: malicious, Browse Filename: ClientSetup.exe, Detection: malicious, Browse Filename: ClientSetup.exe, Detection: malicious, Browse Filename: Unlocker1.9.2.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......L.p..q.,.q.,.q.,.q.,@q.,.~C,.q.,\R.,.q.,\R/,.q.,.w.,.q.,.Q.,.q.,Rich.q.,........................PE..L......K...........!.........<.......).......0.......................................................................8..p...81.......p..........................@....................................................0..8............................text...@........................... ..`.rdata.......0....... ..............@..@.data... (...@.......*..............@....rsrc........p.......2..............@..@.reloc...............4..............@..B........................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\LangDLL.dll

Download File

Process:	C:\Users\user\Desktop\yUgCaQhCIc.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	5632
Entropy (8bit):	3.951555564830228
Encrypted:	false
SSDEEP:	48:iV6pAvmNC6iMPUptxEZK65x/AmvycNSmwVsOYJyvrpXptp/JvR0Jlof5d2:2811GED5ZTvycNSmwVsTJuftpZR0Sd2
MD5:	9384F4007C492D4FA040924F31C00166
SHA1:	ABA37FAEF30D7C445584C688A0B5638F5DB31C7B
SHA-256:	60A964095AF1BE79F6A99B22212FEFE2D16F5A0AFD7E707D14394E4143E3F4F5
SHA-512:	68F158887E24302673227ADFFC688FD3EDABF097D7F5410F983E06C6B9C7344CA1D8A45C7FA05553ADCC5987993DF3A298763477168D4842E554C4EB93B9AAAF
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$....................~..........z.....B....Rich..........PE..L......K...........!......................... ...............................`......................................p"..I...` ..P....@..`....................P....................................................... ..`............................text...l........................... ..`.rdata....... ......................@..@.data...l....0......................@....rsrc...`....@......................@..@.reloc..@....P......................@..B................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\NSISdl.dll

Download File

Process:	C:\Users\user\Desktop\yUgCaQhCIc.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	14848
Entropy (8bit):	6.054982561433298
Encrypted:	false
SSDEEP:	192:tUZTobBDJ68r67wmsvJI5ad9cXzFOVu+mZ/P3p+57CvpVqDxVp01Dwn2GRPgsfA:6Bo/680dCI5adOjFOg9//p27uNw2Go
MD5:	A5F8399A743AB7F9C88C645C35B1EBB5
SHA1:	168F3C158913B0367BF79FA413357FBE97018191
SHA-256:	DACC88A12D3BA438FDAE3535DC7A5A1D389BCE13ADC993706424874A782E51C9
SHA-512:	824E567F5211BF09C7912537C7836D761B0934207612808E9A191F980375C6A97383DBC6B4A7121C6B5F508CBFD7542A781D6B6B196CA24841F73892EEC5E977
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............lI..lI..lI..bI..lI..mI..lI\.1I..lI.\I..lI.]I..lI`.hI..lIRich..lI........................PE..L......K...........!.....&...p.......".......@.......................................................................D.._....@..d....................................................................................@...............................text....$.......&.................. ..`.rdata.......@.......*..............@..@.data....d...P.......0..............@....reloc..D............6..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\yUgCaQhCIc.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.568877095847681
Encrypted:	false
SSDEEP:	192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
MD5:	C17103AE9072A06DA581DEC998343FC1
SHA1:	B72148C6BDFAADA8B8C3F950E610EE7CF1DA1F8D
SHA-256:	DC58D8AD81CACB0C1ED72E33BFF8F23EA40B5252B5BB55D393A0903E6819AE2F
SHA-512:	D32A71AAEF18E993F28096D536E41C4D016850721B31171513CE28BBD805A54FD290B7C3E9D935F72E676A1ACFB4F0DCC89D95040A0DD29F2B6975855C18986F
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j....l.9..i....l.Richm.........................PE..L......K...........!................0).......0...............................`......................................p2......t0..P............................P.......................................................0..X............................text...1........................... ..`.rdata.......0......."..............@..@.data...d....@.......&..............@....reloc.......P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\UAC.dll

Download File

Process:	C:\Users\user\Desktop\yUgCaQhCIc.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	17408
Entropy (8bit):	6.099808235627472
Encrypted:	false
SSDEEP:	384:w9JzaeWrF8d22hXAGFkr2WqErkuCYMAWS5Ns8AXXki:wLaBrrTXr3qruCYuS5qk
MD5:	09CAF01BC8D88EEB733ABC161ACFF659
SHA1:	B8C2126D641F88628C632DD2259686DA3776A6DA
SHA-256:	3555AFE95E8BB269240A21520361677B280562B802978FCCFB27490C79B9A478
SHA-512:	EF1E8FC4FC8F5609483B2C459D00A47036699DFB70B6BE6F10A30C5D2FC66BAE174345BFFA9A44ABD9CA029E609FF834D701FF6A769CCA09FE5562365D5010FA
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......EH.".)lq.)lq.)lq.)mqP)lq.!1q.)lqU.]q.)lq./jq.)lq..hq.)lqRich.)lq........................PE..L....YzI...........!.....4...........:.......P......................................................................@B..J....:..x....`.......................p..........................................................P............................text....3.......4.................. ..`.data...8....P.......8..............@....rsrc........`.......<..............@..@.reloc.......p.......>..............@..B........................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\inetc.dll

Download File

Process:	C:\Users\user\Desktop\yUgCaQhCIc.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	5.684576361538191
Encrypted:	false
SSDEEP:	384:jQB2ZUVHUxgoJX0eBA6PcH85db+ya9cC0Ac9khYLMkIX0+G5xgZmT+m//a:j/UFeJ5S6PHLNa9cFam/
MD5:	50FDADDA3E993688401F6F1108FABDB4
SHA1:	04A9AE55D0FB726BE49809582CEA41D75BF22A9A
SHA-256:	6D6DDC0D2B7D59EB91BE44939457858CED5EB23CF4AA93EF33BB600EB28DE6F6
SHA-512:	E9628870FEEA8C3AAEFE22A2AF41CF34B1C1778C4A0E81D069F50553CE1A23F68A0BA74B296420B2BE92425D4995A43E51C018C2E8197EC2EC39305E87C56BE8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........G.G.G.G._.%...C.....F.(...C.(...D.G...A..F...F....F.RichG.........................PE..L.....H...........!........&.......7.......@.......................................................................I..l...pA..x....`..0....................p..p....................................................@..p............................text...R(......................... ..`.rdata..\|....@......................@..@.data........P.......8..............@....rsrc...0....`.......B..............@..@.reloc..8....p.......H..............@..B................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\ioSpecial.ini

Download File

Process:	C:\Users\user\Desktop\yUgCaQhCIc.exe
File Type:	Generic INItialization configuration [Field 1]
Category:	dropped
Size (bytes):	1086
Entropy (8bit):	5.030819664305184
Encrypted:	false
SSDEEP:	24:yTdRvA4ehH16fL1Z7CYOJacm/iR5WvEGLOo:UXeB0zrCYOkninGLD
MD5:	0C19DA8182AEE330F78EC7FE6F37C576
SHA1:	9EBF124927BECF7F315CCBBDD0E5BE4F356FD3B3
SHA-256:	04A00D01021ADA2D735EFC977F4AA349CAE9F2202566F3081B963E71F734F16E
SHA-512:	865802732FDE7E110DBA0E8D5D1044566F7E31F5D020006DD21567E68609ED549074DAA1F301BFEE4026CEDDD564DD9315D1A372E158C1F389A28FA8F0A0CADA
Malicious:	false
Preview:	[Settings]..Rect=1044..NumFields=3..RTL=0..NextButtonText=..CancelEnabled=..State=0..[Field 1]..Type=bitmap..Left=0..Right=109..Top=0..Bottom=193..Flags=RESIZETOFIT..Text=C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\modern-wizard.bmp..HWND=66688..[Field 2]..Type=label..Left=120..Right=315..Top=10..Text=Nero Burning Rom downloader and installer..Bottom=38..HWND=66690..[Field 3]..Type=label..Left=120..Right=315..Top=45..Bottom=185..Text=This wizard will guide you through download and installation of Nero Burning Rom. In addition to the Nero Burning Rom our toolbar will also be offered to you as part of the download manager.This download manager is not associated with the creator of Nero Burning Rom in any way and works as an independent entity that certifies its reliability. This download manager forms part of this website's security measures to guarantee the reliability and safety of its downloads. The main objective of this website is to allow you to filter the existing viruses and m

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\modern-wizard.bmp

Download File

Process:	C:\Users\user\Desktop\yUgCaQhCIc.exe
File Type:	PC bitmap, Windows 3.x format, 164 x 314 x 8, image size 51498, resolution 2834 x 2834 px/m, cbSize 52576, bits offset 1078
Category:	dropped
Size (bytes):	52576
Entropy (8bit):	7.181750725113967
Encrypted:	false
SSDEEP:	384:0b5ZBhNII36iwq7VzVpaHsA2vxM+5GVTfoeydiszl:2XR360JzVpaHsAI75GRfovcs5
MD5:	9E4CD80A60DB6947642677BF31A10906
SHA1:	FEEDC432DF18B13FFBA2B7478347D885861701FA
SHA-256:	A7B2F12E01CBEA88D4F645F797F2CA6107D76AE13CD1BE6DC532B759BFE0D925
SHA-512:	A02AE76B7A5DF03A149A0B9C9EFD314B8646B829B930233D0CEA8B619B21720B383F92BE95838310E7F1C4183D256823A96E48866B65AC7D2141ED4254AE471A
Malicious:	false
Preview:	BM`.......6...(.......:..................................qss.}~~.....................................................................5by.k...6by.m...o...p...q...9dz.s...t...w...x...=f{.{.......}...Iw..................@ex.....;\m..HU.m...}...7Tc.........e.......r................................................................................................................................. .....................................$,0.............Z\].;...:...'h...BY.Q...c...h...n...m...7ay.o...o...8cz.k...r...q...q...r...s...t...t...v...;dz.v...y...w...v...`...z...y...z...z...S...~...\|...Z...m.......~...}...@g\|.....................P....#.........................b...Go......................Ch\|.........w...............................Acu.....................................................................$4=.........a...c...r...............................................................au.......................Ss..\|..7...F...[.......+<F.....Pbm.........................................hhi...

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\show_page_toolbar

Download File

Process:	C:\Users\user\Desktop\yUgCaQhCIc.exe
File Type:	Generic INItialization configuration [Field 2]
Category:	dropped
Size (bytes):	1017
Entropy (8bit):	4.999544240031993
Encrypted:	false
SSDEEP:	24:44vkCYb2ilaRA1ObQJogNobwxzffNU1hok:1uioaRUOs3Ywx7Fw
MD5:	F8457FFA09847C92DD2987F4A4D410C5
SHA1:	6E56AC6D1B5D24E4BD9DACC424800684AE614E48
SHA-256:	2594C5CD66BB413435A9B66E5F66C7D84B1958FEF8A0F94D0D2DE43BC884F0CD
SHA-512:	EBD522449391E99EAA79610553020A14466D51106ED591EF015D012117A5B5586E119E80D1D28C17DC0EF64472E5D3B4D603C662DCDF78160E51C70EEEC0FCA0
Malicious:	false
Preview:	[Settings]..NextButtonText=Next >..[Field 2]..Text=C:\Users\user\AppData\Local\Temp\captura.bmp..[Field 1]..Text=Funmoods is a free add-on for social networks chat that gives you a huge collection of smileys, winks, text effects and more! Get Funmoods smileys for social networks and start sending amazing, fun messages to all your friends!..[Field 4]..Text=Install Funmoods toolbar..[Field 3]..Text=Make Funmoods as my default search engine..[Field 8]..Text=Set Funmoods as my homepage and new tab on my browsers..[Field 6]..State=http://www.funmoods.com/terms..Text=Terms Of Use..[Field 7]..State=http://www.funmoods.com/privacy..Text=Privacy Policy..[Field 5]..Text=By clicking 'Next' button I accept the..[Field 12]..Text=and..[Field 13]..Text=of Funmoods toolbar..[Field 11]..Text=I allow my current homepage and default search settings to be stored for easy reverting later...[Field 9]..Text=Install for free Dealply and pay less while shopping..[Field 10]..Text=Dealply..State=http://www.dea

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.069988993142582
TrID:	Win32 Executable (generic) a (10002005/4) 91.57% NSIS - Nullsoft Scriptable Install System (846627/2) 7.75% UPX compressed Win32 Executable (30571/9) 0.28% Win32 EXE Yoda's Crypter (26571/9) 0.24% Windows Screen Saver (13104/52) 0.12%
File name:	yUgCaQhCIc.exe
File size:	509'160 bytes
MD5:	5da47991f8da648663063560b0182040
SHA1:	a23ba563cd76be2e6324733fd93725365e1af593
SHA256:	faa5c705f7a92dbc2bedd76bb8eb4f0f002389d16d1362ebee36eeffcf969a87
SHA512:	300346f9217da6ae844552e549c7d383057dcfc71ea097abebd804887caa6d89da3aa5159fa13208a14588c7baf668217e17fd224f00621769f1d4e5d9e66c28
SSDEEP:	6144:+e34R2aWNzh36dqXEVTrnCRZG/t7FTBqTzP7n7O7L6K2Bfo7pu:w2Zzh36VVTGf0ZTsnz7O7L6ju7pu
TLSH:	52B48D70BA40E87EC35C88389055DB5997F954B1AF9000A3333E6A8D1E792A25D67FCF
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^.........

File Icon


Icon Hash:	0771ccf8d84d2907

Static PE Info

General

Entrypoint:	0x4030fa
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x4B1AE3CC [Sat Dec 5 22:50:52 2009 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	7fa974366048f9c551ef45714595665e

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Thawte Code Signing CA - G2, O="Thawte, Inc.", C=US
Signature Validation Error:	A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file
Error Number:	-2146762495
Not Before, Not After	18/01/2012 01:00:00 18/01/2013 00:59:59
Subject Chain	CN=Inffinity Internet, OU=Internet, O=Inffinity Internet, L=Madrid, S=Madrid, C=ES
Version:	3
Thumbprint MD5:	A8CDD9736D88F45575E5B95637CDC8D0
Thumbprint SHA-1:	E848EDD1A697C297A97C9ABDCF563CDBFF870AC1
Thumbprint SHA-256:	70B243B6B417FB12B43B10F2A41353EBBF4E0CE0C6D5D90090A368ABD4190695
Serial:	1E478AE33382A025ECAE98EF6ADEE5BB

Entrypoint Preview

Instruction
sub esp, 00000180h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409160h
xor esi, esi
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407030h]
push 00008001h
call dword ptr [004070B0h]
push ebx
call dword ptr [0040727Ch]
push 00000008h
mov dword ptr [0042EC18h], eax
call 00007FD9553CDB36h
mov dword ptr [0042EB64h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 00000160h
push eax
push ebx
push 00428F98h
call dword ptr [00407158h]
push 00409154h
push 0042E360h
call 00007FD9553CD7E9h
call dword ptr [004070ACh]
mov edi, 00434000h
push eax
push edi
call 00007FD9553CD7D7h
push ebx
call dword ptr [0040710Ch]
cmp byte ptr [00434000h], 00000022h
mov dword ptr [0042EB60h], eax
mov eax, edi
jne 00007FD9553CAF4Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00434001h
push dword ptr [esp+14h]
push eax
call 00007FD9553CD2CAh
push eax
call dword ptr [0040721Ch]
mov dword ptr [esp+1Ch], eax
jmp 00007FD9553CAFA5h
cmp cl, 00000020h
jne 00007FD9553CAF48h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FD9553CAF3Ch
cmp byte ptr [eax], 00000022h
mov byte ptr [eax+eax+00h], 00000000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x74b0	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4b000	0x40a0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x7b550	0xf98
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x28c	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c4c	0x5e00	856b32eb77dfd6fb67f21d6543272da5	False	0.6697140957446809	data	6.440105549497952	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x129c	0x1400	dc77f8a1e6985a4361c55642680ddb4f	False	0.43359375	data	5.046835307909969	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x25c58	0x400	7922d4ce117d7d5b3ac2cffe4b0b5e4f	False	0.5849609375	data	4.801003752715384	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2f000	0x1c000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4b000	0x40a0	0x4200	cf27236773cd963031f4b0529156af5f	False	0.6234019886363636	data	5.9631815145141	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4b2b0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.7213883677298312
RT_ICON	0x4c358	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688, 256 important colors	English	United States	0.6751066098081023
RT_ICON	0x4d200	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152, 256 important colors	English	United States	0.7851985559566786
RT_ICON	0x4daa8	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320, 256 important colors	English	United States	0.6560693641618497
RT_ICON	0x4e010	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.8031914893617021
RT_ICON	0x4e478	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.3118279569892473
RT_ICON	0x4e760	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.36824324324324326
RT_DIALOG	0x4e888	0x202	data	English	United States	0.38910505836575876
RT_DIALOG	0x4ea90	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0x4eb88	0xee	data	English	United States	0.6260504201680672
RT_GROUP_ICON	0x4ec78	0x68	data	English	United States	0.6634615384615384
RT_MANIFEST	0x4ece0	0x3c0	XML 1.0 document, ASCII text, with very long lines (960), with no line terminators	English	United States	0.5197916666666667

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathA, GetShortPathNameA, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, Sleep, GetTickCount, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, GetWindowsDirectoryA, SetFileTime, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, lstrlenA, lstrcatA, GetSystemDirectoryA, GetVersion, CloseHandle, lstrcmpiA, lstrcmpA, ExpandEnvironmentStringsA, GlobalFree, GlobalAlloc, WaitForSingleObject, GetExitCodeProcess, GetModuleHandleA, LoadLibraryExA, GetProcAddress, FreeLibrary, MultiByteToWideChar, WritePrivateProfileStringA, GetPrivateProfileStringA, WriteFile, ReadFile, MulDiv, SetFilePointer, FindClose, FindNextFileA, FindFirstFileA, DeleteFileA, GetTempPathA
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, DestroyWindow, CreateDialogParamA, SetTimer, SetWindowTextA, PostQuitMessage, SetForegroundWindow, wsprintfA, SendMessageTimeoutA, FindWindowExA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, OpenClipboard, ExitWindowsEx, IsWindow, GetDlgItem, SetWindowLongA, LoadImageA, GetDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndPaint, ShowWindow
GDI32.dll	SetBkColor, GetDeviceCaps, DeleteObject, CreateBrushIndirect, CreateFontIndirectA, SetBkMode, SetTextColor, SelectObject
SHELL32.dll	SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA, SHGetSpecialFolderLocation
ADVAPI32.dll	RegQueryValueExA, RegSetValueExA, RegEnumKeyA, RegEnumValueA, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegCreateKeyExA
COMCTL32.dll	ImageList_AddMasked, ImageList_Destroy, ImageList_Create
ole32.dll	CoTaskMemFree, OleInitialize, OleUninitialize, CoCreateInstance
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 236
• 443 (HTTPS)
• 80 (HTTP)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 14, 2025 03:15:09.163387060 CET	49676	443	192.168.2.5	20.189.173.14
Mar 14, 2025 03:15:11.569797039 CET	49676	443	192.168.2.5	20.189.173.14
Mar 14, 2025 03:15:16.382087946 CET	49676	443	192.168.2.5	20.189.173.14
Mar 14, 2025 03:15:17.663455963 CET	49672	443	192.168.2.5	204.79.197.203
Mar 14, 2025 03:15:25.991816044 CET	49676	443	192.168.2.5	20.189.173.14
Mar 14, 2025 03:15:26.625998974 CET	58546	443	192.168.2.5	216.58.212.164
Mar 14, 2025 03:15:26.626048088 CET	443	58546	216.58.212.164	192.168.2.5
Mar 14, 2025 03:15:26.626102924 CET	58546	443	192.168.2.5	216.58.212.164
Mar 14, 2025 03:15:26.626494884 CET	58546	443	192.168.2.5	216.58.212.164
Mar 14, 2025 03:15:26.626513004 CET	443	58546	216.58.212.164	192.168.2.5
Mar 14, 2025 03:15:26.825311899 CET	443	58546	216.58.212.164	192.168.2.5
Mar 14, 2025 03:15:26.826029062 CET	58547	443	192.168.2.5	216.58.212.164
Mar 14, 2025 03:15:26.826087952 CET	443	58547	216.58.212.164	192.168.2.5
Mar 14, 2025 03:15:26.826181889 CET	58547	443	192.168.2.5	216.58.212.164
Mar 14, 2025 03:15:26.826574087 CET	58547	443	192.168.2.5	216.58.212.164
Mar 14, 2025 03:15:26.826590061 CET	443	58547	216.58.212.164	192.168.2.5
Mar 14, 2025 03:15:27.025101900 CET	443	58547	216.58.212.164	192.168.2.5
Mar 14, 2025 03:15:30.488056898 CET	49675	443	192.168.2.5	2.23.227.208
Mar 14, 2025 03:15:30.488133907 CET	443	49675	2.23.227.208	192.168.2.5
Mar 14, 2025 03:15:30.597317934 CET	58552	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.597362041 CET	443	58552	150.171.27.254	192.168.2.5
Mar 14, 2025 03:15:30.597424030 CET	58552	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.603605032 CET	58552	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.603626013 CET	443	58552	150.171.27.254	192.168.2.5
Mar 14, 2025 03:15:30.604336977 CET	443	58552	150.171.27.254	192.168.2.5
Mar 14, 2025 03:15:30.610100985 CET	58553	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.610142946 CET	443	58553	150.171.27.254	192.168.2.5
Mar 14, 2025 03:15:30.610210896 CET	58553	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.610980034 CET	58553	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.610992908 CET	443	58553	150.171.27.254	192.168.2.5
Mar 14, 2025 03:15:30.611494064 CET	443	58553	150.171.27.254	192.168.2.5
Mar 14, 2025 03:15:30.629314899 CET	58554	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.629352093 CET	443	58554	150.171.27.254	192.168.2.5
Mar 14, 2025 03:15:30.629411936 CET	58554	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.629555941 CET	58554	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.629595995 CET	443	58554	150.171.27.254	192.168.2.5
Mar 14, 2025 03:15:30.629643917 CET	58554	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.662182093 CET	58555	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.662225962 CET	443	58555	150.171.27.254	192.168.2.5
Mar 14, 2025 03:15:30.662292004 CET	58555	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.662733078 CET	58555	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.662745953 CET	443	58555	150.171.27.254	192.168.2.5
Mar 14, 2025 03:15:30.663276911 CET	443	58555	150.171.27.254	192.168.2.5
Mar 14, 2025 03:15:30.664060116 CET	58556	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.664082050 CET	443	58556	150.171.27.254	192.168.2.5
Mar 14, 2025 03:15:30.664129019 CET	58556	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.664549112 CET	58556	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.664560080 CET	443	58556	150.171.27.254	192.168.2.5
Mar 14, 2025 03:15:30.664948940 CET	443	58556	150.171.27.254	192.168.2.5
Mar 14, 2025 03:15:30.665297985 CET	58557	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.665314913 CET	443	58557	150.171.27.254	192.168.2.5
Mar 14, 2025 03:15:30.665364027 CET	58557	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.665564060 CET	58557	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.665595055 CET	443	58557	150.171.27.254	192.168.2.5
Mar 14, 2025 03:15:30.665635109 CET	58557	443	192.168.2.5	150.171.27.254
Mar 14, 2025 03:15:30.679104090 CET	58558	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.679138899 CET	443	58558	150.171.31.254	192.168.2.5
Mar 14, 2025 03:15:30.679199934 CET	58558	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.680682898 CET	58558	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.680697918 CET	443	58558	150.171.31.254	192.168.2.5
Mar 14, 2025 03:15:30.681157112 CET	443	58558	150.171.31.254	192.168.2.5
Mar 14, 2025 03:15:30.681735039 CET	58559	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.681767941 CET	443	58559	150.171.31.254	192.168.2.5
Mar 14, 2025 03:15:30.681821108 CET	58559	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.682145119 CET	58559	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.682157993 CET	443	58559	150.171.31.254	192.168.2.5
Mar 14, 2025 03:15:30.682540894 CET	443	58559	150.171.31.254	192.168.2.5
Mar 14, 2025 03:15:30.682867050 CET	58560	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.682877064 CET	443	58560	150.171.31.254	192.168.2.5
Mar 14, 2025 03:15:30.682925940 CET	58560	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.683056116 CET	58560	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.683095932 CET	443	58560	150.171.31.254	192.168.2.5
Mar 14, 2025 03:15:30.683141947 CET	58560	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.686280966 CET	58561	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.686295986 CET	443	58561	150.171.31.254	192.168.2.5
Mar 14, 2025 03:15:30.686347961 CET	58561	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.686700106 CET	58561	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.686711073 CET	443	58561	150.171.31.254	192.168.2.5
Mar 14, 2025 03:15:30.687103987 CET	443	58561	150.171.31.254	192.168.2.5
Mar 14, 2025 03:15:30.687381029 CET	58562	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.687428951 CET	443	58562	150.171.31.254	192.168.2.5
Mar 14, 2025 03:15:30.687482119 CET	58562	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.687792063 CET	58562	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.687812090 CET	443	58562	150.171.31.254	192.168.2.5
Mar 14, 2025 03:15:30.688153982 CET	443	58562	150.171.31.254	192.168.2.5
Mar 14, 2025 03:15:30.688431025 CET	58563	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.688442945 CET	443	58563	150.171.31.254	192.168.2.5
Mar 14, 2025 03:15:30.688504934 CET	58563	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.688551903 CET	58563	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.688575029 CET	443	58563	150.171.31.254	192.168.2.5
Mar 14, 2025 03:15:30.688618898 CET	58563	443	192.168.2.5	150.171.31.254
Mar 14, 2025 03:15:30.693034887 CET	49678	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:30.693075895 CET	443	49678	204.79.197.222	192.168.2.5
Mar 14, 2025 03:15:30.693459034 CET	58564	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:30.693495989 CET	443	58564	204.79.197.222	192.168.2.5
Mar 14, 2025 03:15:30.693543911 CET	58564	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:30.693996906 CET	58564	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:30.694010973 CET	443	58564	204.79.197.222	192.168.2.5
Mar 14, 2025 03:15:30.694387913 CET	443	58564	204.79.197.222	192.168.2.5
Mar 14, 2025 03:15:30.695050001 CET	58565	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:30.695059061 CET	443	58565	204.79.197.222	192.168.2.5
Mar 14, 2025 03:15:30.695116043 CET	58565	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:30.695322037 CET	58565	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:30.695333958 CET	443	58565	204.79.197.222	192.168.2.5
Mar 14, 2025 03:15:30.695683956 CET	443	58565	204.79.197.222	192.168.2.5
Mar 14, 2025 03:15:30.696207047 CET	58566	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:30.696239948 CET	443	58566	204.79.197.222	192.168.2.5
Mar 14, 2025 03:15:30.696295023 CET	58566	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:30.696336985 CET	58566	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:30.696360111 CET	443	58566	204.79.197.222	192.168.2.5
Mar 14, 2025 03:15:30.696398973 CET	58566	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:32.676518917 CET	58567	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:32.676579952 CET	443	58567	204.79.197.222	192.168.2.5
Mar 14, 2025 03:15:32.676666021 CET	58567	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:32.677004099 CET	58567	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:32.677015066 CET	443	58567	204.79.197.222	192.168.2.5
Mar 14, 2025 03:15:32.677704096 CET	443	58567	204.79.197.222	192.168.2.5
Mar 14, 2025 03:15:32.678165913 CET	58568	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:32.678201914 CET	443	58568	204.79.197.222	192.168.2.5
Mar 14, 2025 03:15:32.678255081 CET	58568	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:32.678533077 CET	58568	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:32.678545952 CET	443	58568	204.79.197.222	192.168.2.5
Mar 14, 2025 03:15:32.678957939 CET	443	58568	204.79.197.222	192.168.2.5
Mar 14, 2025 03:15:32.679227114 CET	58569	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:32.679266930 CET	443	58569	204.79.197.222	192.168.2.5
Mar 14, 2025 03:15:32.679315090 CET	58569	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:32.679399014 CET	58569	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:32.679418087 CET	443	58569	204.79.197.222	192.168.2.5
Mar 14, 2025 03:15:32.679460049 CET	58569	443	192.168.2.5	204.79.197.222
Mar 14, 2025 03:15:32.862390995 CET	58570	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:32.862427950 CET	443	58570	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:32.862497091 CET	58570	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:32.910939932 CET	58570	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:32.910965919 CET	443	58570	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:32.911715031 CET	443	58570	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:32.954714060 CET	58571	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:32.954777956 CET	443	58571	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:32.954843998 CET	58571	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:32.955234051 CET	58571	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:32.955252886 CET	443	58571	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:32.955979109 CET	443	58571	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:32.986973047 CET	58572	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:32.987010002 CET	443	58572	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:32.987128019 CET	58572	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:32.987545013 CET	58572	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:32.987557888 CET	443	58572	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:32.988034964 CET	443	58572	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:33.009327888 CET	58573	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:33.009362936 CET	443	58573	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:33.009438992 CET	58573	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:33.009773016 CET	58573	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:33.009789944 CET	443	58573	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:33.010251999 CET	443	58573	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:33.044847965 CET	58574	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:33.044872999 CET	443	58574	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:33.045036077 CET	58574	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:33.045468092 CET	58574	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:33.045480013 CET	443	58574	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:33.045949936 CET	443	58574	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:33.065910101 CET	58575	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:33.065942049 CET	443	58575	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:33.066055059 CET	58575	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:33.066488981 CET	58575	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:33.066499949 CET	443	58575	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:33.066909075 CET	443	58575	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:33.105330944 CET	58576	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:33.105376959 CET	443	58576	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:33.105447054 CET	58576	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:33.105750084 CET	58576	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:33.105762005 CET	443	58576	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:33.106184006 CET	443	58576	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:33.127130985 CET	58577	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:33.127156973 CET	443	58577	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:33.127249956 CET	58577	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:33.127605915 CET	58577	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:15:33.127620935 CET	443	58577	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:33.128046989 CET	443	58577	4.175.87.197	192.168.2.5
Mar 14, 2025 03:15:35.782434940 CET	58580	443	192.168.2.5	150.171.28.10
Mar 14, 2025 03:15:35.782469988 CET	443	58580	150.171.28.10	192.168.2.5
Mar 14, 2025 03:15:35.782588005 CET	58580	443	192.168.2.5	150.171.28.10
Mar 14, 2025 03:15:35.784569979 CET	58580	443	192.168.2.5	150.171.28.10
Mar 14, 2025 03:15:35.784583092 CET	443	58580	150.171.28.10	192.168.2.5
Mar 14, 2025 03:15:35.785177946 CET	443	58580	150.171.28.10	192.168.2.5
Mar 14, 2025 03:15:35.785567999 CET	58581	443	192.168.2.5	150.171.28.10
Mar 14, 2025 03:15:35.785604954 CET	443	58581	150.171.28.10	192.168.2.5
Mar 14, 2025 03:15:35.785715103 CET	58581	443	192.168.2.5	150.171.28.10
Mar 14, 2025 03:15:35.785921097 CET	58581	443	192.168.2.5	150.171.28.10
Mar 14, 2025 03:15:35.785931110 CET	443	58581	150.171.28.10	192.168.2.5
Mar 14, 2025 03:15:35.786308050 CET	443	58581	150.171.28.10	192.168.2.5
Mar 14, 2025 03:15:35.786668062 CET	58582	443	192.168.2.5	150.171.28.10
Mar 14, 2025 03:15:35.786705017 CET	443	58582	150.171.28.10	192.168.2.5
Mar 14, 2025 03:15:35.786861897 CET	58582	443	192.168.2.5	150.171.28.10
Mar 14, 2025 03:15:35.786910057 CET	58582	443	192.168.2.5	150.171.28.10
Mar 14, 2025 03:15:35.786930084 CET	443	58582	150.171.28.10	192.168.2.5
Mar 14, 2025 03:15:35.786974907 CET	58582	443	192.168.2.5	150.171.28.10
Mar 14, 2025 03:15:59.149116039 CET	58498	80	192.168.2.5	23.203.176.101
Mar 14, 2025 03:15:59.149183989 CET	58500	80	192.168.2.5	184.30.131.114
Mar 14, 2025 03:15:59.149190903 CET	58499	80	192.168.2.5	184.30.131.114
Mar 14, 2025 03:15:59.154217005 CET	80	58498	23.203.176.101	192.168.2.5
Mar 14, 2025 03:15:59.154284000 CET	58498	80	192.168.2.5	23.203.176.101
Mar 14, 2025 03:15:59.154838085 CET	80	58500	184.30.131.114	192.168.2.5
Mar 14, 2025 03:15:59.154887915 CET	58500	80	192.168.2.5	184.30.131.114
Mar 14, 2025 03:15:59.154905081 CET	80	58499	184.30.131.114	192.168.2.5
Mar 14, 2025 03:15:59.154952049 CET	58499	80	192.168.2.5	184.30.131.114
Mar 14, 2025 03:16:06.136387110 CET	58517	443	192.168.2.5	184.86.251.27
Mar 14, 2025 03:16:06.136632919 CET	58523	80	192.168.2.5	184.30.131.245
Mar 14, 2025 03:16:06.508131981 CET	58516	80	192.168.2.5	88.221.110.91
Mar 14, 2025 03:16:06.508187056 CET	58525	80	192.168.2.5	88.221.110.91
Mar 14, 2025 03:16:06.510839939 CET	58518	80	192.168.2.5	172.217.16.131
Mar 14, 2025 03:16:06.515834093 CET	80	58516	88.221.110.91	192.168.2.5
Mar 14, 2025 03:16:06.516014099 CET	58516	80	192.168.2.5	88.221.110.91
Mar 14, 2025 03:16:06.516242027 CET	80	58525	88.221.110.91	192.168.2.5
Mar 14, 2025 03:16:06.516459942 CET	58525	80	192.168.2.5	88.221.110.91
Mar 14, 2025 03:16:06.517930031 CET	80	58518	172.217.16.131	192.168.2.5
Mar 14, 2025 03:16:06.518831015 CET	58518	80	192.168.2.5	172.217.16.131
Mar 14, 2025 03:16:09.481349945 CET	58589	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.481400013 CET	443	58589	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.481565952 CET	58589	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.482064962 CET	58589	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.482076883 CET	443	58589	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.482690096 CET	443	58589	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.509371996 CET	58590	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.509422064 CET	443	58590	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.509515047 CET	58590	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.509834051 CET	58590	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.509849072 CET	443	58590	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.510226011 CET	443	58590	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.536818981 CET	58591	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.536853075 CET	443	58591	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.536930084 CET	58591	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.537292004 CET	58591	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.537305117 CET	443	58591	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.537623882 CET	443	58591	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.554198980 CET	58592	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.554209948 CET	443	58592	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.554270983 CET	58592	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.554627895 CET	58592	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.554636955 CET	443	58592	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.555010080 CET	443	58592	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.596812963 CET	58593	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.596868992 CET	443	58593	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.596966028 CET	58593	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.597404003 CET	58593	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.597418070 CET	443	58593	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.597762108 CET	443	58593	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.613548994 CET	58594	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.613605976 CET	443	58594	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.613683939 CET	58594	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.614070892 CET	58594	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.614087105 CET	443	58594	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.614474058 CET	443	58594	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.647711992 CET	58595	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.647739887 CET	443	58595	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.647814035 CET	58595	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.648140907 CET	58595	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.648153067 CET	443	58595	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.648493052 CET	443	58595	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.670454979 CET	58596	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.670478106 CET	443	58596	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.670547009 CET	58596	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.670918941 CET	58596	443	192.168.2.5	4.175.87.197
Mar 14, 2025 03:16:09.670929909 CET	443	58596	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:09.671258926 CET	443	58596	4.175.87.197	192.168.2.5
Mar 14, 2025 03:16:26.680672884 CET	58606	443	192.168.2.5	216.58.212.164
Mar 14, 2025 03:16:26.680716991 CET	443	58606	216.58.212.164	192.168.2.5
Mar 14, 2025 03:16:26.680778980 CET	58606	443	192.168.2.5	216.58.212.164
Mar 14, 2025 03:16:26.681106091 CET	58606	443	192.168.2.5	216.58.212.164
Mar 14, 2025 03:16:26.681117058 CET	443	58606	216.58.212.164	192.168.2.5
Mar 14, 2025 03:16:26.881050110 CET	443	58606	216.58.212.164	192.168.2.5
Mar 14, 2025 03:16:26.881870985 CET	58607	443	192.168.2.5	216.58.212.164
Mar 14, 2025 03:16:26.881912947 CET	443	58607	216.58.212.164	192.168.2.5
Mar 14, 2025 03:16:26.881992102 CET	58607	443	192.168.2.5	216.58.212.164
Mar 14, 2025 03:16:26.882332087 CET	58607	443	192.168.2.5	216.58.212.164
Mar 14, 2025 03:16:26.882344961 CET	443	58607	216.58.212.164	192.168.2.5
Mar 14, 2025 03:16:27.081847906 CET	443	58607	216.58.212.164	192.168.2.5
Mar 14, 2025 03:16:51.476022959 CET	58512	80	192.168.2.5	184.30.131.245
Mar 14, 2025 03:16:51.476025105 CET	58503	443	192.168.2.5	20.190.159.64
Mar 14, 2025 03:16:51.476104975 CET	58514	80	192.168.2.5	184.30.131.245
Mar 14, 2025 03:16:51.476119995 CET	58506	443	192.168.2.5	20.190.159.64
Mar 14, 2025 03:16:51.476171017 CET	58504	443	192.168.2.5	20.190.159.64
Mar 14, 2025 03:16:51.476177931 CET	58515	80	192.168.2.5	184.30.131.245
Mar 14, 2025 03:16:51.476233006 CET	58513	80	192.168.2.5	184.30.131.245
Mar 14, 2025 03:16:51.476233959 CET	58505	443	192.168.2.5	20.190.159.64
Mar 14, 2025 03:16:51.476279020 CET	58507	80	192.168.2.5	88.221.110.91
Mar 14, 2025 03:16:51.476330996 CET	58508	80	192.168.2.5	88.221.110.91
Mar 14, 2025 03:16:51.476372004 CET	58509	80	192.168.2.5	88.221.110.91
Mar 14, 2025 03:16:51.476413012 CET	58510	80	192.168.2.5	88.221.110.91
Mar 14, 2025 03:16:51.480885029 CET	80	58512	184.30.131.245	192.168.2.5
Mar 14, 2025 03:16:51.480954885 CET	58512	80	192.168.2.5	184.30.131.245
Mar 14, 2025 03:16:51.482279062 CET	443	58503	20.190.159.64	192.168.2.5
Mar 14, 2025 03:16:51.482351065 CET	443	58506	20.190.159.64	192.168.2.5
Mar 14, 2025 03:16:51.482351065 CET	58503	443	192.168.2.5	20.190.159.64
Mar 14, 2025 03:16:51.482362032 CET	80	58514	184.30.131.245	192.168.2.5
Mar 14, 2025 03:16:51.482371092 CET	443	58504	20.190.159.64	192.168.2.5
Mar 14, 2025 03:16:51.482383966 CET	80	58515	184.30.131.245	192.168.2.5
Mar 14, 2025 03:16:51.482414007 CET	58506	443	192.168.2.5	20.190.159.64
Mar 14, 2025 03:16:51.482420921 CET	58514	80	192.168.2.5	184.30.131.245
Mar 14, 2025 03:16:51.482444048 CET	443	58505	20.190.159.64	192.168.2.5
Mar 14, 2025 03:16:51.482449055 CET	58504	443	192.168.2.5	20.190.159.64
Mar 14, 2025 03:16:51.482455015 CET	80	58513	184.30.131.245	192.168.2.5
Mar 14, 2025 03:16:51.482461929 CET	58515	80	192.168.2.5	184.30.131.245
Mar 14, 2025 03:16:51.482465029 CET	80	58507	88.221.110.91	192.168.2.5
Mar 14, 2025 03:16:51.482502937 CET	58505	443	192.168.2.5	20.190.159.64
Mar 14, 2025 03:16:51.482511997 CET	58513	80	192.168.2.5	184.30.131.245
Mar 14, 2025 03:16:51.482526064 CET	58507	80	192.168.2.5	88.221.110.91
Mar 14, 2025 03:16:51.482542038 CET	80	58508	88.221.110.91	192.168.2.5
Mar 14, 2025 03:16:51.482552052 CET	80	58509	88.221.110.91	192.168.2.5
Mar 14, 2025 03:16:51.482585907 CET	58508	80	192.168.2.5	88.221.110.91
Mar 14, 2025 03:16:51.482599974 CET	58509	80	192.168.2.5	88.221.110.91
Mar 14, 2025 03:16:51.485512018 CET	80	58510	88.221.110.91	192.168.2.5
Mar 14, 2025 03:16:51.485579014 CET	58510	80	192.168.2.5	88.221.110.91
Mar 14, 2025 03:16:54.840775967 CET	58522	443	192.168.2.5	95.100.70.200
Mar 14, 2025 03:16:54.845773935 CET	443	58522	95.100.70.200	192.168.2.5
Mar 14, 2025 03:16:54.845863104 CET	58522	443	192.168.2.5	95.100.70.200
Mar 14, 2025 03:16:56.366710901 CET	58526	443	192.168.2.5	95.100.70.200
Mar 14, 2025 03:16:56.371653080 CET	443	58526	95.100.70.200	192.168.2.5
Mar 14, 2025 03:16:56.371805906 CET	58526	443	192.168.2.5	95.100.70.200

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 14, 2025 03:15:14.964776993 CET	49958	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:15:15.264983892 CET	53	49958	1.1.1.1	192.168.2.5
Mar 14, 2025 03:15:19.860661030 CET	53137	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:15:20.166873932 CET	53	53137	1.1.1.1	192.168.2.5
Mar 14, 2025 03:15:20.829895020 CET	59859	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:15:21.135047913 CET	53	59859	1.1.1.1	192.168.2.5
Mar 14, 2025 03:15:22.745270967 CET	59769	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:15:22.745466948 CET	49454	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:15:22.755367041 CET	53	51782	1.1.1.1	192.168.2.5
Mar 14, 2025 03:15:22.766645908 CET	56347	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:15:22.766971111 CET	53592	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:15:22.777095079 CET	53	51141	1.1.1.1	192.168.2.5
Mar 14, 2025 03:15:22.887590885 CET	53	56347	1.1.1.1	192.168.2.5
Mar 14, 2025 03:15:22.958163023 CET	53	53592	1.1.1.1	192.168.2.5
Mar 14, 2025 03:15:23.044043064 CET	53	49454	1.1.1.1	192.168.2.5
Mar 14, 2025 03:15:23.498348951 CET	53	59769	1.1.1.1	192.168.2.5
Mar 14, 2025 03:15:23.529731035 CET	49555	53	192.168.2.5	8.8.8.8
Mar 14, 2025 03:15:23.530112028 CET	58742	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:15:23.536802053 CET	53	58742	1.1.1.1	192.168.2.5
Mar 14, 2025 03:15:23.537969112 CET	53	49555	8.8.8.8	192.168.2.5
Mar 14, 2025 03:15:24.545804977 CET	55315	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:15:24.546878099 CET	59202	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:15:25.306487083 CET	53	55315	1.1.1.1	192.168.2.5
Mar 14, 2025 03:15:25.322149038 CET	53	59202	1.1.1.1	192.168.2.5
Mar 14, 2025 03:15:25.343938112 CET	57256	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:15:25.351205111 CET	53	57256	1.1.1.1	192.168.2.5
Mar 14, 2025 03:15:26.617966890 CET	64950	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:15:26.618110895 CET	63676	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:15:26.624716997 CET	53	63676	1.1.1.1	192.168.2.5
Mar 14, 2025 03:15:26.625142097 CET	53	64950	1.1.1.1	192.168.2.5
Mar 14, 2025 03:15:30.366430044 CET	65344	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:15:30.368498087 CET	54843	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:15:30.657355070 CET	53	54843	1.1.1.1	192.168.2.5
Mar 14, 2025 03:15:30.669070005 CET	53	65344	1.1.1.1	192.168.2.5
Mar 14, 2025 03:15:30.669673920 CET	53211	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:15:30.786345005 CET	53	53211	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:00.805152893 CET	51796	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:00.805681944 CET	60263	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:00.834919930 CET	53	51796	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:00.855663061 CET	63488	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:00.984278917 CET	53	63488	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:01.069494009 CET	53	60263	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:10.309853077 CET	138	138	192.168.2.5	192.168.2.255
Mar 14, 2025 03:16:21.848036051 CET	53	55827	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:22.258670092 CET	53	52339	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:25.006356001 CET	53	62384	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:25.600832939 CET	58718	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:25.601433992 CET	54441	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:25.607650042 CET	53	58718	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:25.609020948 CET	53	54441	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:26.617157936 CET	64968	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:26.617387056 CET	64114	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:26.624516964 CET	53	64114	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:26.624530077 CET	53	64968	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:28.649167061 CET	65045	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:28.655793905 CET	53	65045	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:29.648024082 CET	65045	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:29.654654026 CET	53	65045	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:30.648092985 CET	65045	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:30.655666113 CET	53	65045	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:32.648684978 CET	65045	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:32.655342102 CET	53	65045	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:35.073980093 CET	55639	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:35.882735014 CET	53	55639	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:36.649220943 CET	65045	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:36.656953096 CET	53	65045	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:40.996323109 CET	52120	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:40.996464968 CET	52121	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:41.002969980 CET	53	52120	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:41.003210068 CET	53	52121	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:42.008470058 CET	63374	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:42.015206099 CET	53	63374	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:44.040020943 CET	58806	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:44.046930075 CET	53	58806	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:45.046279907 CET	58806	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:45.052892923 CET	53	58806	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:46.055119038 CET	58806	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:46.062477112 CET	53	58806	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:48.054909945 CET	58806	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:48.061573029 CET	53	58806	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:52.060384989 CET	58806	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:52.067624092 CET	53	58806	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:56.070322037 CET	61841	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:56.563759089 CET	53	61841	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:56.996674061 CET	65280	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:56.996831894 CET	62291	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:57.003637075 CET	53	65280	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:57.004213095 CET	53	62291	1.1.1.1	192.168.2.5
Mar 14, 2025 03:16:58.034878016 CET	60146	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:16:58.041868925 CET	53	60146	1.1.1.1	192.168.2.5
Mar 14, 2025 03:17:00.070868015 CET	60232	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:17:00.077379942 CET	53	60232	1.1.1.1	192.168.2.5
Mar 14, 2025 03:17:00.999180079 CET	55495	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:17:00.999377012 CET	49773	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:17:01.072144985 CET	60232	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:17:01.079123974 CET	53	60232	1.1.1.1	192.168.2.5
Mar 14, 2025 03:17:01.117578030 CET	53	55495	1.1.1.1	192.168.2.5
Mar 14, 2025 03:17:01.149990082 CET	52473	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:17:01.174298048 CET	53	49773	1.1.1.1	192.168.2.5
Mar 14, 2025 03:17:01.403352022 CET	53	52473	1.1.1.1	192.168.2.5
Mar 14, 2025 03:17:02.086262941 CET	60232	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:17:02.092756987 CET	53	60232	1.1.1.1	192.168.2.5
Mar 14, 2025 03:17:04.101401091 CET	60232	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:17:04.108159065 CET	53	60232	1.1.1.1	192.168.2.5
Mar 14, 2025 03:17:08.101166964 CET	60232	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:17:08.107637882 CET	53	60232	1.1.1.1	192.168.2.5
Mar 14, 2025 03:17:12.996423960 CET	51697	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:17:12.996586084 CET	50115	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:17:13.003863096 CET	53	51697	1.1.1.1	192.168.2.5
Mar 14, 2025 03:17:13.003875017 CET	53	50115	1.1.1.1	192.168.2.5
Mar 14, 2025 03:17:14.011300087 CET	59406	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:17:14.018727064 CET	53	59406	1.1.1.1	192.168.2.5
Mar 14, 2025 03:17:16.039084911 CET	56962	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:17:16.045909882 CET	53	56962	1.1.1.1	192.168.2.5
Mar 14, 2025 03:17:17.038602114 CET	56962	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:17:17.045258999 CET	53	56962	1.1.1.1	192.168.2.5
Mar 14, 2025 03:17:18.039849043 CET	56962	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:17:18.046650887 CET	53	56962	1.1.1.1	192.168.2.5
Mar 14, 2025 03:17:20.044713974 CET	56962	53	192.168.2.5	1.1.1.1
Mar 14, 2025 03:17:20.051840067 CET	53	56962	1.1.1.1	192.168.2.5

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Mar 14, 2025 03:15:22.958230019 CET	192.168.2.5	1.1.1.1	c23e	(Port unreachable)	Destination Unreachable
Mar 14, 2025 03:16:01.069555998 CET	192.168.2.5	1.1.1.1	c23e	(Port unreachable)	Destination Unreachable
Mar 14, 2025 03:17:01.174407005 CET	192.168.2.5	1.1.1.1	c23e	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 14, 2025 03:15:14.964776993 CET	192.168.2.5	1.1.1.1	0x8383	Standard query (0)	download.toggle.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:19.860661030 CET	192.168.2.5	1.1.1.1	0xe4a0	Standard query (0)	pf.toggle.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:20.829895020 CET	192.168.2.5	1.1.1.1	0xc14	Standard query (0)	pf.toggle.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:22.745270967 CET	192.168.2.5	1.1.1.1	0x9747	Standard query (0)	pf.toggle.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:22.745466948 CET	192.168.2.5	1.1.1.1	0x1271	Standard query (0)	pf.toggle.com	65	IN (0x0001)	false
Mar 14, 2025 03:15:22.766645908 CET	192.168.2.5	1.1.1.1	0x4cf8	Standard query (0)	pf.toggle.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:22.766971111 CET	192.168.2.5	1.1.1.1	0xa676	Standard query (0)	pf.toggle.com	65	IN (0x0001)	false
Mar 14, 2025 03:15:23.529731035 CET	192.168.2.5	8.8.8.8	0xb90a	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:23.530112028 CET	192.168.2.5	1.1.1.1	0xaff7	Standard query (0)	google.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:24.545804977 CET	192.168.2.5	1.1.1.1	0x113e	Standard query (0)	pf.toggle.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:24.546878099 CET	192.168.2.5	1.1.1.1	0x331d	Standard query (0)	pf.toggle.com	65	IN (0x0001)	false
Mar 14, 2025 03:15:25.343938112 CET	192.168.2.5	1.1.1.1	0x904b	Standard query (0)	pf.toggle.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:26.617966890 CET	192.168.2.5	1.1.1.1	0xaf4c	Standard query (0)	www.google.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:26.618110895 CET	192.168.2.5	1.1.1.1	0x59b	Standard query (0)	www.google.com	65	IN (0x0001)	false
Mar 14, 2025 03:15:30.366430044 CET	192.168.2.5	1.1.1.1	0xed84	Standard query (0)	pf.toggle.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:30.368498087 CET	192.168.2.5	1.1.1.1	0x5755	Standard query (0)	pf.toggle.com	65	IN (0x0001)	false
Mar 14, 2025 03:15:30.669673920 CET	192.168.2.5	1.1.1.1	0x7dd4	Standard query (0)	pf.toggle.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:00.805152893 CET	192.168.2.5	1.1.1.1	0x86be	Standard query (0)	pf.toggle.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:00.805681944 CET	192.168.2.5	1.1.1.1	0xb0e3	Standard query (0)	pf.toggle.com	65	IN (0x0001)	false
Mar 14, 2025 03:16:00.855663061 CET	192.168.2.5	1.1.1.1	0xc58	Standard query (0)	pf.toggle.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:25.600832939 CET	192.168.2.5	1.1.1.1	0xaad3	Standard query (0)	beacons.gcp.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:25.601433992 CET	192.168.2.5	1.1.1.1	0x3f4d	Standard query (0)	beacons.gcp.gvt2.com	65	IN (0x0001)	false
Mar 14, 2025 03:16:26.617157936 CET	192.168.2.5	1.1.1.1	0xe56d	Standard query (0)	beacons.gcp.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:26.617387056 CET	192.168.2.5	1.1.1.1	0x39b8	Standard query (0)	beacons.gcp.gvt2.com	65	IN (0x0001)	false
Mar 14, 2025 03:16:28.649167061 CET	192.168.2.5	1.1.1.1	0xe922	Standard query (0)	beacons.gcp.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:29.648024082 CET	192.168.2.5	1.1.1.1	0xe922	Standard query (0)	beacons.gcp.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:30.648092985 CET	192.168.2.5	1.1.1.1	0xe922	Standard query (0)	beacons.gcp.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:32.648684978 CET	192.168.2.5	1.1.1.1	0xe922	Standard query (0)	beacons.gcp.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:35.073980093 CET	192.168.2.5	1.1.1.1	0x1d1d	Standard query (0)	pf.toggle.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:36.649220943 CET	192.168.2.5	1.1.1.1	0xe922	Standard query (0)	beacons.gcp.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:40.996323109 CET	192.168.2.5	1.1.1.1	0x2e4a	Standard query (0)	beacons.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:40.996464968 CET	192.168.2.5	1.1.1.1	0xf807	Standard query (0)	beacons.gvt2.com	65	IN (0x0001)	false
Mar 14, 2025 03:16:42.008470058 CET	192.168.2.5	1.1.1.1	0x8f93	Standard query (0)	beacons.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:44.040020943 CET	192.168.2.5	1.1.1.1	0xf22e	Standard query (0)	beacons.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:45.046279907 CET	192.168.2.5	1.1.1.1	0xf22e	Standard query (0)	beacons.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:46.055119038 CET	192.168.2.5	1.1.1.1	0xf22e	Standard query (0)	beacons.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:48.054909945 CET	192.168.2.5	1.1.1.1	0xf22e	Standard query (0)	beacons.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:52.060384989 CET	192.168.2.5	1.1.1.1	0xf22e	Standard query (0)	beacons.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:56.070322037 CET	192.168.2.5	1.1.1.1	0x27d4	Standard query (0)	pf.toggle.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:56.996674061 CET	192.168.2.5	1.1.1.1	0xa0dc	Standard query (0)	beacons2.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:56.996831894 CET	192.168.2.5	1.1.1.1	0xe507	Standard query (0)	beacons2.gvt2.com	65	IN (0x0001)	false
Mar 14, 2025 03:16:58.034878016 CET	192.168.2.5	1.1.1.1	0x4395	Standard query (0)	beacons2.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:00.070868015 CET	192.168.2.5	1.1.1.1	0xbbd4	Standard query (0)	beacons2.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:00.999180079 CET	192.168.2.5	1.1.1.1	0xb636	Standard query (0)	pf.toggle.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:00.999377012 CET	192.168.2.5	1.1.1.1	0xfd17	Standard query (0)	pf.toggle.com	65	IN (0x0001)	false
Mar 14, 2025 03:17:01.072144985 CET	192.168.2.5	1.1.1.1	0xbbd4	Standard query (0)	beacons2.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:01.149990082 CET	192.168.2.5	1.1.1.1	0x12a5	Standard query (0)	pf.toggle.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:02.086262941 CET	192.168.2.5	1.1.1.1	0xbbd4	Standard query (0)	beacons2.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:04.101401091 CET	192.168.2.5	1.1.1.1	0xbbd4	Standard query (0)	beacons2.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:08.101166964 CET	192.168.2.5	1.1.1.1	0xbbd4	Standard query (0)	beacons2.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:12.996423960 CET	192.168.2.5	1.1.1.1	0x4e81	Standard query (0)	beacons3.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:12.996586084 CET	192.168.2.5	1.1.1.1	0xa536	Standard query (0)	beacons3.gvt2.com	65	IN (0x0001)	false
Mar 14, 2025 03:17:14.011300087 CET	192.168.2.5	1.1.1.1	0x8d48	Standard query (0)	beacons3.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:16.039084911 CET	192.168.2.5	1.1.1.1	0xfdc9	Standard query (0)	beacons3.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:17.038602114 CET	192.168.2.5	1.1.1.1	0xfdc9	Standard query (0)	beacons3.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:18.039849043 CET	192.168.2.5	1.1.1.1	0xfdc9	Standard query (0)	beacons3.gvt2.com	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:20.044713974 CET	192.168.2.5	1.1.1.1	0xfdc9	Standard query (0)	beacons3.gvt2.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 14, 2025 03:15:15.264983892 CET	1.1.1.1	192.168.2.5	0x8383	Name error (3)	download.toggle.com	none	none	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:20.166873932 CET	1.1.1.1	192.168.2.5	0xe4a0	Name error (3)	pf.toggle.com	none	none	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:21.135047913 CET	1.1.1.1	192.168.2.5	0xc14	Name error (3)	pf.toggle.com	none	none	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:22.887590885 CET	1.1.1.1	192.168.2.5	0x4cf8	Name error (3)	pf.toggle.com	none	none	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:22.958163023 CET	1.1.1.1	192.168.2.5	0xa676	Name error (3)	pf.toggle.com	none	none	65	IN (0x0001)	false
Mar 14, 2025 03:15:23.044043064 CET	1.1.1.1	192.168.2.5	0x1271	Name error (3)	pf.toggle.com	none	none	65	IN (0x0001)	false
Mar 14, 2025 03:15:23.498348951 CET	1.1.1.1	192.168.2.5	0x9747	Name error (3)	pf.toggle.com	none	none	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:23.536802053 CET	1.1.1.1	192.168.2.5	0xaff7	No error (0)	google.com		142.250.185.78	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:23.537969112 CET	8.8.8.8	192.168.2.5	0xb90a	No error (0)	google.com		142.251.36.78	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:25.306487083 CET	1.1.1.1	192.168.2.5	0x113e	Name error (3)	pf.toggle.com	none	none	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:25.322149038 CET	1.1.1.1	192.168.2.5	0x331d	Name error (3)	pf.toggle.com	none	none	65	IN (0x0001)	false
Mar 14, 2025 03:15:25.351205111 CET	1.1.1.1	192.168.2.5	0x904b	Name error (3)	pf.toggle.com	none	none	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:26.624716997 CET	1.1.1.1	192.168.2.5	0x59b	No error (0)	www.google.com			65	IN (0x0001)	false
Mar 14, 2025 03:15:26.625142097 CET	1.1.1.1	192.168.2.5	0xaf4c	No error (0)	www.google.com		216.58.212.164	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:30.657355070 CET	1.1.1.1	192.168.2.5	0x5755	Name error (3)	pf.toggle.com	none	none	65	IN (0x0001)	false
Mar 14, 2025 03:15:30.669070005 CET	1.1.1.1	192.168.2.5	0xed84	Name error (3)	pf.toggle.com	none	none	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:15:30.786345005 CET	1.1.1.1	192.168.2.5	0x7dd4	Name error (3)	pf.toggle.com	none	none	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:00.834919930 CET	1.1.1.1	192.168.2.5	0x86be	Name error (3)	pf.toggle.com	none	none	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:00.984278917 CET	1.1.1.1	192.168.2.5	0xc58	Name error (3)	pf.toggle.com	none	none	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:01.069494009 CET	1.1.1.1	192.168.2.5	0xb0e3	Name error (3)	pf.toggle.com	none	none	65	IN (0x0001)	false
Mar 14, 2025 03:16:25.607650042 CET	1.1.1.1	192.168.2.5	0xaad3	No error (0)	beacons.gcp.gvt2.com	beacons-handoff.gcp.gvt2.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 14, 2025 03:16:25.607650042 CET	1.1.1.1	192.168.2.5	0xaad3	No error (0)	beacons-handoff.gcp.gvt2.com		142.251.143.67	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:25.609020948 CET	1.1.1.1	192.168.2.5	0x3f4d	No error (0)	beacons.gcp.gvt2.com	beacons-handoff.gcp.gvt2.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 14, 2025 03:16:26.624516964 CET	1.1.1.1	192.168.2.5	0x39b8	No error (0)	beacons.gcp.gvt2.com	beacons-handoff.gcp.gvt2.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 14, 2025 03:16:26.624530077 CET	1.1.1.1	192.168.2.5	0xe56d	No error (0)	beacons.gcp.gvt2.com	beacons-handoff.gcp.gvt2.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 14, 2025 03:16:26.624530077 CET	1.1.1.1	192.168.2.5	0xe56d	No error (0)	beacons-handoff.gcp.gvt2.com		142.250.186.163	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:28.655793905 CET	1.1.1.1	192.168.2.5	0xe922	No error (0)	beacons.gcp.gvt2.com	beacons-handoff.gcp.gvt2.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 14, 2025 03:16:28.655793905 CET	1.1.1.1	192.168.2.5	0xe922	No error (0)	beacons-handoff.gcp.gvt2.com		142.251.143.67	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:29.654654026 CET	1.1.1.1	192.168.2.5	0xe922	No error (0)	beacons.gcp.gvt2.com	beacons-handoff.gcp.gvt2.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 14, 2025 03:16:29.654654026 CET	1.1.1.1	192.168.2.5	0xe922	No error (0)	beacons-handoff.gcp.gvt2.com		142.251.143.67	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:30.655666113 CET	1.1.1.1	192.168.2.5	0xe922	No error (0)	beacons.gcp.gvt2.com	beacons-handoff.gcp.gvt2.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 14, 2025 03:16:30.655666113 CET	1.1.1.1	192.168.2.5	0xe922	No error (0)	beacons-handoff.gcp.gvt2.com		142.251.143.67	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:32.655342102 CET	1.1.1.1	192.168.2.5	0xe922	No error (0)	beacons.gcp.gvt2.com	beacons-handoff.gcp.gvt2.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 14, 2025 03:16:32.655342102 CET	1.1.1.1	192.168.2.5	0xe922	No error (0)	beacons-handoff.gcp.gvt2.com		142.251.143.67	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:35.882735014 CET	1.1.1.1	192.168.2.5	0x1d1d	Name error (3)	pf.toggle.com	none	none	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:36.656953096 CET	1.1.1.1	192.168.2.5	0xe922	No error (0)	beacons.gcp.gvt2.com	beacons-handoff.gcp.gvt2.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 14, 2025 03:16:36.656953096 CET	1.1.1.1	192.168.2.5	0xe922	No error (0)	beacons-handoff.gcp.gvt2.com		142.251.143.67	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:41.002969980 CET	1.1.1.1	192.168.2.5	0x2e4a	No error (0)	beacons.gvt2.com	beacons6.gvt2.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 14, 2025 03:16:41.002969980 CET	1.1.1.1	192.168.2.5	0x2e4a	No error (0)	beacons6.gvt2.com		216.58.206.35	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:42.015206099 CET	1.1.1.1	192.168.2.5	0x8f93	No error (0)	beacons.gvt2.com		142.250.180.99	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:44.046930075 CET	1.1.1.1	192.168.2.5	0xf22e	No error (0)	beacons.gvt2.com		142.251.143.35	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:45.052892923 CET	1.1.1.1	192.168.2.5	0xf22e	No error (0)	beacons.gvt2.com		142.251.143.35	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:46.062477112 CET	1.1.1.1	192.168.2.5	0xf22e	No error (0)	beacons.gvt2.com		142.251.143.35	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:48.061573029 CET	1.1.1.1	192.168.2.5	0xf22e	No error (0)	beacons.gvt2.com		142.251.143.35	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:52.067624092 CET	1.1.1.1	192.168.2.5	0xf22e	No error (0)	beacons.gvt2.com		142.251.143.35	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:56.563759089 CET	1.1.1.1	192.168.2.5	0x27d4	Name error (3)	pf.toggle.com	none	none	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:57.003637075 CET	1.1.1.1	192.168.2.5	0xa0dc	No error (0)	beacons2.gvt2.com		216.239.32.3	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:16:58.041868925 CET	1.1.1.1	192.168.2.5	0x4395	No error (0)	beacons2.gvt2.com		142.251.186.94	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:00.077379942 CET	1.1.1.1	192.168.2.5	0xbbd4	No error (0)	beacons2.gvt2.com		142.251.186.94	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:01.079123974 CET	1.1.1.1	192.168.2.5	0xbbd4	No error (0)	beacons2.gvt2.com		142.251.186.94	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:01.117578030 CET	1.1.1.1	192.168.2.5	0xb636	Name error (3)	pf.toggle.com	none	none	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:01.174298048 CET	1.1.1.1	192.168.2.5	0xfd17	Name error (3)	pf.toggle.com	none	none	65	IN (0x0001)	false
Mar 14, 2025 03:17:01.403352022 CET	1.1.1.1	192.168.2.5	0x12a5	Name error (3)	pf.toggle.com	none	none	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:02.092756987 CET	1.1.1.1	192.168.2.5	0xbbd4	No error (0)	beacons2.gvt2.com		142.251.186.94	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:04.108159065 CET	1.1.1.1	192.168.2.5	0xbbd4	No error (0)	beacons2.gvt2.com		142.251.186.94	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:08.107637882 CET	1.1.1.1	192.168.2.5	0xbbd4	No error (0)	beacons2.gvt2.com		142.251.186.94	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:13.003863096 CET	1.1.1.1	192.168.2.5	0x4e81	No error (0)	beacons3.gvt2.com		142.250.186.35	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:14.018727064 CET	1.1.1.1	192.168.2.5	0x8d48	No error (0)	beacons3.gvt2.com		142.250.185.131	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:16.045909882 CET	1.1.1.1	192.168.2.5	0xfdc9	No error (0)	beacons3.gvt2.com		142.250.184.195	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:17.045258999 CET	1.1.1.1	192.168.2.5	0xfdc9	No error (0)	beacons3.gvt2.com		142.250.184.195	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:18.046650887 CET	1.1.1.1	192.168.2.5	0xfdc9	No error (0)	beacons3.gvt2.com		142.250.184.195	A (IP address)	IN (0x0001)	false
Mar 14, 2025 03:17:20.051840067 CET	1.1.1.1	192.168.2.5	0xfdc9	No error (0)	beacons3.gvt2.com		142.250.184.195	A (IP address)	IN (0x0001)	false

Statistics

CPU Usage

• yUgCaQhCIc.exe
• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

Memory Usage

• yUgCaQhCIc.exe
• chrome.exe
• chrome.exe
• chrome.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Click to jump to process

Target ID:	0
Start time:	22:15:13
Start date:	13/03/2025
Path:	C:\Users\user\Desktop\yUgCaQhCIc.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\yUgCaQhCIc.exe"
Imagebase:	0x400000
File size:	509'160 bytes
MD5 hash:	5DA47991F8DA648663063560B0182040
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	22:15:19
Start date:	13/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --start-maximized --single-argument http://pf.toggle.com/s/2/7/27628-248567-nero-burning-rom.exe?iv=2012102621&t=1741918519
Imagebase:	0x7ff68cc40000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	2
Start time:	22:15:20
Start date:	13/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1952,i,11198765942731370173,6395002494660126068,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=2092 /prefetch:3
Imagebase:	0x7ff68cc40000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	3
Start time:	22:15:24
Start date:	13/03/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=printing.mojom.UnsandboxedPrintBackendHost --lang=en-US --service-sandbox-type=none --no-pre-read-main-dll --field-trial-handle=1952,i,11198765942731370173,6395002494660126068,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction --variations-seed-version=20250306-183004.429000 --mojo-platform-channel-handle=5044 /prefetch:8
Imagebase:	0x7ff68cc40000
File size:	3'388'000 bytes
MD5 hash:	E81F54E6C1129887AEA47E7D092680BF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage

Dynamic/Packed Code Coverage

Signature Coverage

Execution Coverage:	25%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.6%
Total number of Nodes:	1216
Total number of Limit Nodes:	43

Executed Functions

Function 004030FA Relevance: 72.0, APIs: 24, Strings: 17, Instructions: 270
filestringcomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403119
SetErrorMode.KERNEL32(00008001), ref: 00403124
OleInitialize.OLE32(00000000), ref: 0040312B

Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
Part of subcall function 00405D2E: LoadLibraryA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D4B
Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C

SHGetFileInfoA.SHELL32(00428F98,00000000,?,00000160,00000000,00000008), ref: 00403153

Part of subcall function 00405A0C: lstrcpynA.KERNEL32(?,?,00000400,00403168,Bibado Installer - Nero Burning Rom Setup,NSIS Error), ref: 00405A19

GetCommandLineA.KERNEL32(Bibado Installer - Nero Burning Rom Setup,NSIS Error), ref: 00403168
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 0040317B
CharNextA.USER32(00000000,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000020), ref: 004031A6
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403239
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040324E
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040325A
DeleteFileA.KERNEL32(1033), ref: 0040326D
ExitProcess.KERNEL32(00000000), ref: 004032E6
CoUninitialize.COMBASE(00000000), ref: 004032EB
ExitProcess.KERNEL32 ref: 0040330B
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000,00000000), ref: 00403317
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 00403323
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040332F
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403336
DeleteFileA.KERNEL32(00428B98,00428B98,?,8174224,?), ref: 00403380
CopyFileA.KERNEL32(C:\Users\user\Desktop\yUgCaQhCIc.exe,00428B98,00000001), ref: 00403394
CloseHandle.KERNEL32(00000000,00428B98,00428B98,?,00428B98,00000000), ref: 004033C1
GetCurrentProcess.KERNEL32(00000028,?,00000005,00000004,00000003), ref: 00403416
ExitWindowsEx.USER32(00000002,00000000), ref: 00403452
ExitProcess.KERNEL32 ref: 00403475

Strings

C:\Program Files (x86)\Nero Burning Rom, xrefs: 00403224, 004032BD, 0040333C, 00403345
C:\Users\user\AppData\Local\Temp\, xrefs: 0040322E, 00403233, 0040324D, 00403259, 00403316, 00403322, 0040332E, 00403335, 004033D5
8174224, xrefs: 00403353
_?=, xrefs: 00403294
Error launching installer, xrefs: 004032A3
~nsu.tmp, xrefs: 00403311
NCRC, xrefs: 004031E6
C:\Users\user\Desktop\yUgCaQhCIc.exe, xrefs: 0040338F
"C:\Users\user\Desktop\yUgCaQhCIc.exe", xrefs: 0040316E, 00403174, 0040328A
1033, xrefs: 00403268
SeShutdownPrivilege, xrefs: 00403428
Bibado Installer - Nero Burning Rom Setup, xrefs: 0040315E
", xrefs: 004031C8
C:\Users\user\Desktop, xrefs: 0040331C, 00403321, 00403344
/D=, xrefs: 004031FC
NSIS Error, xrefs: 00403159
\Temp, xrefs: 00403254

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: ExitFileProcess$DirectoryHandle$CurrentDeleteModuleWindowslstrcat$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextPathProcTempUninitializelstrcmpilstrcpyn
String ID: /D=$ _?=$"$"C:\Users\user\Desktop\yUgCaQhCIc.exe"$1033$8174224$Bibado Installer - Nero Burning Rom Setup$C:\Program Files (x86)\Nero Burning Rom$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\yUgCaQhCIc.exe$Error launching installer$NCRC$NSIS Error$SeShutdownPrivilege$\Temp$~nsu.tmp
API String ID: 553446912-4104674120
Opcode ID: 45d42ed5c4d876ad97725e9f6e03eadd888ac50b64b28f7db70aa7e7231c680b
Instruction ID: 1e9e478c3a9e7f3573a82b9cae4fcf3dc9ecc54075f91e84b1854e8c20532e3f
Opcode Fuzzy Hash: 45d42ed5c4d876ad97725e9f6e03eadd888ac50b64b28f7db70aa7e7231c680b
Instruction Fuzzy Hash: 4191D130A08344AFE7216F61AD4AB6B7E9CEB0530AF04057FF541B61D2C77C99058B6E

Function 00404EE8 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 278
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00404F47
GetDlgItem.USER32(?,000003EE), ref: 00404F56
GetClientRect.USER32(?,?), ref: 00404F93
GetSystemMetrics.USER32(00000015), ref: 00404F9B
SendMessageA.USER32(?,0000101B,00000000,00000002), ref: 00404FBC
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00404FCD
SendMessageA.USER32(?,00001001,00000000,00000110), ref: 00404FE0
SendMessageA.USER32(?,00001026,00000000,00000110), ref: 00404FEE
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405001
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405023
ShowWindow.USER32(?,00000008), ref: 00405037
GetDlgItem.USER32(?,000003EC), ref: 00405058
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405068
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 00405081
SendMessageA.USER32(00000000,00002001,00000000,00000110), ref: 0040508D
GetDlgItem.USER32(?,000003F8), ref: 00404F65

Part of subcall function 00403DF3: SendMessageA.USER32(00000028,?,00000001,00403C24), ref: 00403E01

GetDlgItem.USER32(?,000003EC), ref: 004050AA
CreateThread.KERNEL32(00000000,00000000,Function_00004E7C,00000000), ref: 004050B8
CloseHandle.KERNEL32(00000000), ref: 004050BF
ShowWindow.USER32(00000000), ref: 004050E3
ShowWindow.USER32(00030488,00000008), ref: 004050E8
ShowWindow.USER32(00000008), ref: 0040512F
SendMessageA.USER32(00030488,00001004,00000000,00000000), ref: 00405161
CreatePopupMenu.USER32 ref: 00405172
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 00405187
GetWindowRect.USER32(00030488,?), ref: 0040519A
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004051BE
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004051F9
OpenClipboard.USER32(00000000), ref: 00405209
EmptyClipboard.USER32 ref: 0040520F
GlobalAlloc.KERNEL32(00000042,?,?,?,00000000,?,00000000), ref: 00405218
GlobalLock.KERNEL32(00000000), ref: 00405222
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405236
GlobalUnlock.KERNEL32(00000000), ref: 0040524E
SetClipboardData.USER32(00000001,00000000), ref: 00405259
CloseClipboard.USER32 ref: 0040525F

Strings

{, xrefs: 0040514E

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 8c42101e40be803c13c5f71ff1e8168cbe0923005c36041f7ba334d44b22fede
Instruction ID: ecf959edf644124ae9a18d4fa2a520563b4821934e06b5e1f2851b0e4fc8d151
Opcode Fuzzy Hash: 8c42101e40be803c13c5f71ff1e8168cbe0923005c36041f7ba334d44b22fede
Instruction Fuzzy Hash: FBA14870900208BFEB219FA1DD89AAE7F79FB08355F40407AFA05AA2A0C7755E41DF59

Function 00405A2E Relevance: 22.9, APIs: 8, Strings: 5, Instructions: 197
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00404DE2,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000), ref: 00405AD6
GetSystemDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00405B51
GetWindowsDirectoryA.KERNEL32(Remove folder: ,00000400), ref: 00405B64
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405BA0
SHGetPathFromIDListA.SHELL32(00000000,Remove folder: ), ref: 00405BAE
CoTaskMemFree.OLE32(00000000), ref: 00405BB9
lstrcatA.KERNEL32(Remove folder: ,\Microsoft\Internet Explorer\Quick Launch), ref: 00405BDB
lstrlenA.KERNEL32(Remove folder: ,00000000,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00404DE2,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000), ref: 00405C2D

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00405B20
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405BD5
Remove folder: , xrefs: 00405A57, 00405B1E, 00405B3B, 00405B50, 00405B63, 00405B7F, 00405BAA, 00405BDA, 00405BE0, 00405BF8, 00405C0B, 00405C26, 00405C2C, 00405C37, 00405C61
Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\, xrefs: 00405A5F
8174224, xrefs: 00405C05

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: 8174224$Remove folder: $Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1744765625
Opcode ID: 0d14f094528aed849df2af9f937b6990b4eadfafe30509a4d4a4b34282f77478
Instruction ID: e3937826694aa96a66c9679703be47664347117baa65301e61951ea2719d1281
Opcode Fuzzy Hash: 0d14f094528aed849df2af9f937b6990b4eadfafe30509a4d4a4b34282f77478
Instruction Fuzzy Hash: DB51F331A04B05AAEF219B689C84BBF3BB4DB15314F54423BE912B62D0D27C6D42DF4E

Function 00405331 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 156
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNEL32(?,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 0040534F
lstrcatA.KERNEL32(0042AFE8,\*.*,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 00405399
lstrcatA.KERNEL32(?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 004053BA
lstrlenA.KERNEL32(?,?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 004053C0
FindFirstFileA.KERNEL32(0042AFE8,?,?,?,00409010,?,0042AFE8,?,00000000,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 004053D1
FindNextFileA.KERNELBASE(?,00000010,000000F2,?), ref: 00405483
FindClose.KERNEL32(?), ref: 00405494

Strings

\*.*, xrefs: 00405393
"C:\Users\user\Desktop\yUgCaQhCIc.exe", xrefs: 0040533B
C:\Users\user\AppData\Local\Temp\, xrefs: 00405331

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\yUgCaQhCIc.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3369879357
Opcode ID: 6e16baadad6b95f5c0866290d486e1e1d7ac722db6f4b6144940dcbc5fdab850
Instruction ID: 46a167c19d0f92bb62e791f7a1b0a3e0954e7dde2177130d433e16ae92940f3d
Opcode Fuzzy Hash: 6e16baadad6b95f5c0866290d486e1e1d7ac722db6f4b6144940dcbc5fdab850
Instruction Fuzzy Hash: 84510130904A5476DB21AB218C85BFF3A68DF4231AF14813BF941752D2C77C49C2DE5E

Function 00405D07 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(?,0042C030,C:\,00405623,C:\,C:\,00000000,C:\,C:\,?,?,00000000,00405345,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 00405D12
FindClose.KERNEL32(00000000), ref: 00405D1E

Strings

C:\, xrefs: 00405D07

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: 0ba34ad688579e7913e3aeb04dcfdbb9c24dd4cd636fec125d72bd6057fbbed4
Instruction ID: 6bc8dc8487d68019062fb65c0caa7a5850599756ae9c65598668cc32d68c0862
Opcode Fuzzy Hash: 0ba34ad688579e7913e3aeb04dcfdbb9c24dd4cd636fec125d72bd6057fbbed4
Instruction Fuzzy Hash: C5D0123195D5309BD31017797C0C85B7A58DF293317108A33F025F22E0D3749C519AED

Function 00405D2E Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
LoadLibraryA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D4B
GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction ID: 58781945b1ebe0d6425232f008294b0fb1b641fb0524d4e5e5734917004db801
Opcode Fuzzy Hash: 7acfb344228b968400b962badda7c36266698eee5c55508006b44164a923ef80
Instruction Fuzzy Hash: 8CE08C36A04510BBD3215B30AE08A6B73ACEEC9B41304897EF615F6251D734AC11DBBA

Function 004038EB Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403927
ShowWindow.USER32(?), ref: 00403944
DestroyWindow.USER32 ref: 00403958
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403974
GetDlgItem.USER32(?,?), ref: 00403995
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 004039A9
IsWindowEnabled.USER32(00000000), ref: 004039B0
GetDlgItem.USER32(?,00000001), ref: 00403A5E
GetDlgItem.USER32(?,00000002), ref: 00403A68
SetClassLongA.USER32(?,000000F2,?), ref: 00403A82
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403AD3
GetDlgItem.USER32(?,00000003), ref: 00403B79
ShowWindow.USER32(00000000,?), ref: 00403B9A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403BAC
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403BC7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403BDD
EnableMenuItem.USER32(00000000), ref: 00403BE4
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403BFC
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403C0F
lstrlenA.KERNEL32(00429FE0,?,00429FE0,Bibado Installer - Nero Burning Rom Setup), ref: 00403C38
SetWindowTextA.USER32(?,00429FE0), ref: 00403C47
ShowWindow.USER32(?,0000000A), ref: 00403D7B

Strings

Bibado Installer - Nero Burning Rom Setup, xrefs: 00403C29

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$CallbackDispatcherLongMenuUser$ClassDestroyEnableEnabledSystemTextlstrlen
String ID: Bibado Installer - Nero Burning Rom Setup
API String ID: 1252290697-210263014
Opcode ID: 048f0401d2d78e99a36359b8774e307136c9c010a2c2033ba7648e13957d1e12
Instruction ID: 552f9e5d3371f53337095c5be2d86efa37a563823f2766eb5c4291c6ef6876bd
Opcode Fuzzy Hash: 048f0401d2d78e99a36359b8774e307136c9c010a2c2033ba7648e13957d1e12
Instruction Fuzzy Hash: B8C1B171604204AFD721AF62ED85E2B7F6CEB44706F40053EF941B51E1C779A942DB2E

Function 00403555 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
Part of subcall function 00405D2E: LoadLibraryA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D4B
Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C

lstrcatA.KERNEL32(1033,00429FE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FE0,00000000,00000006,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004035C6
lstrlenA.KERNEL32(Remove folder: ,?,?,?,Remove folder: ,00000000,C:\Program Files (x86)\Nero Burning Rom,1033,00429FE0,80000001,Control Panel\Desktop\ResourceLocale,00000000,00429FE0,00000000,00000006,"C:\Users\user\Desktop\yUgCaQhCIc.exe"), ref: 0040363B
lstrcmpiA.KERNEL32(?,.exe), ref: 0040364E
GetFileAttributesA.KERNEL32(Remove folder: ), ref: 00403659
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Program Files (x86)\Nero Burning Rom), ref: 004036A2

Part of subcall function 0040596A: wsprintfA.USER32 ref: 00405977

RegisterClassA.USER32 ref: 004036E9
SystemParametersInfoA.USER32(00000030,00000000,_Nb,00000000), ref: 00403701
CreateWindowExA.USER32(00000080,?,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 0040373A
ShowWindow.USER32(00000005,00000000), ref: 00403770
LoadLibraryA.KERNEL32(RichEd20), ref: 00403781
LoadLibraryA.KERNEL32(RichEd32), ref: 0040378C
GetClassInfoA.USER32(00000000,RichEdit20A,0042E300), ref: 0040379C
GetClassInfoA.USER32(00000000,RichEdit,0042E300), ref: 004037A9
RegisterClassA.USER32(0042E300), ref: 004037B2
DialogBoxParamA.USER32(?,00000000,004038EB,00000000), ref: 004037D1

Strings

C:\Program Files (x86)\Nero Burning Rom, xrefs: 004035D5, 004035DD, 00403675, 0040367B, 0040368B
Remove folder: , xrefs: 00403609, 00403611, 0040361E, 00403668, 0040366E
Control Panel\Desktop\ResourceLocale, xrefs: 00403589
C:\Users\user\AppData\Local\Temp\, xrefs: 00403559
.exe, xrefs: 00403648
RichEd32, xrefs: 00403787
_Nb, xrefs: 004036F8, 004036FD
RichEd20, xrefs: 0040377C
RichEdit20A, xrefs: 00403794, 0040379A
"C:\Users\user\Desktop\yUgCaQhCIc.exe", xrefs: 00403561
1033, xrefs: 00403575, 004035C1
RichEdit, xrefs: 004037A3
.DEFAULT\Control Panel\International, xrefs: 004035B1

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\yUgCaQhCIc.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Program Files (x86)\Nero Burning Rom$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$Remove folder: $RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 914957316-3563394334
Opcode ID: 1461fe52c76a6e820ee1ef65736cb2314b449e2a4b5a01a29c53df08a85d2756
Instruction ID: af9374935d7a54fd1dce6881c110e57d7cc589bc1fe1380e1b33b637fa7f222c
Opcode Fuzzy Hash: 1461fe52c76a6e820ee1ef65736cb2314b449e2a4b5a01a29c53df08a85d2756
Instruction Fuzzy Hash: E161C571604204BAD220AF669D85F273EACE744759F40447FF941B22E1D779AD028B3E

Function 00402C22 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C33
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\yUgCaQhCIc.exe,00000400), ref: 00402C4F

Part of subcall function 004056E3: GetFileAttributesA.KERNEL32(00000003,00402C62,C:\Users\user\Desktop\yUgCaQhCIc.exe,80000000,00000003), ref: 004056E7
Part of subcall function 004056E3: CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405709

GetFileSize.KERNEL32(00000000,00000000,00436000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\yUgCaQhCIc.exe,C:\Users\user\Desktop\yUgCaQhCIc.exe,80000000,00000003), ref: 00402C9B

Strings

C:\Users\user\Desktop\yUgCaQhCIc.exe, xrefs: 00402C39, 00402C48, 00402C5C, 00402C7C
"C:\Users\user\Desktop\yUgCaQhCIc.exe", xrefs: 00402C2C
soft, xrefs: 00402D10
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402DFA
C:\Users\user\AppData\Local\Temp\, xrefs: 00402C22
Null, xrefs: 00402D19
Inst, xrefs: 00402D07
Error launching installer, xrefs: 00402C72
C:\Users\user\Desktop, xrefs: 00402C7D, 00402C82, 00402C88

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\yUgCaQhCIc.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\yUgCaQhCIc.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-2542861797
Opcode ID: 1aa0d1efbed9786f842be751fafdabbb11e6860e74167932e572fcfd279c9ed7
Instruction ID: 5cdc40c0d59b83eec34e45f83230a383a342561faf5f4e8ee161a7b3089b1b43
Opcode Fuzzy Hash: 1aa0d1efbed9786f842be751fafdabbb11e6860e74167932e572fcfd279c9ed7
Instruction Fuzzy Hash: 40512371A00214ABDB20DF61DE89B9E7BA8EF04329F10413BF905B62D1D7BC9D418B9D

Function 00401734 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,C:\Users\user\AppData\Local\Temp\,00434800,00000000,00000000,00000031), ref: 00401773
CompareFileTime.KERNEL32(-00000014,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00000000,C:\Users\user\AppData\Local\Temp\,00434800,00000000,00000000,00000031), ref: 0040179D

Part of subcall function 00405A0C: lstrcpynA.KERNEL32(?,?,00000400,00403168,Bibado Installer - Nero Burning Rom Setup,NSIS Error), ref: 00405A19

Part of subcall function 00404DAA: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00000000,768223A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
Part of subcall function 00404DAA: lstrlenA.KERNEL32(00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00000000,768223A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
Part of subcall function 00404DAA: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00402FB6,00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00000000,768223A0), ref: 00404E06
Part of subcall function 00404DAA: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\), ref: 00404E18
Part of subcall function 00404DAA: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E3E
Part of subcall function 00404DAA: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E58
Part of subcall function 00404DAA: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E66

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00401750, 00401759, 00401766, 00401778, 00401789, 004017BF, 004017D5, 004017F3, 00401833, 004018B4, 004018BD, 004018C7, 004018D2
8174224, xrefs: 004017E8, 004017F4, 0040180C
C:\Users\user\AppData\Local\Temp\Toolbar, xrefs: 00401801, 0040181D

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: 8174224$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\Toolbar
API String ID: 1941528284-2294010849
Opcode ID: f677182cd7597cfd306baf5213bbf490efafa294cece3d8a58661fe224b296f1
Instruction ID: 2412d90e5cc6ef50ac46e2462e63b4f26081636668b1d4f665875a47291bc265
Opcode Fuzzy Hash: f677182cd7597cfd306baf5213bbf490efafa294cece3d8a58661fe224b296f1
Instruction Fuzzy Hash: 4341D831A10515BACF10BBB5DD86DAF3A69EF41328B24433BF511F11E2D67C4A418E6D

Function 00404DAA Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00000000,768223A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
lstrlenA.KERNEL32(00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00000000,768223A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00402FB6,00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00000000,768223A0), ref: 00404E06
SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\), ref: 00404E18
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E3E
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E58
SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E66

Strings

Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\, xrefs: 00404DCA, 00404DDC, 00404DE2, 00404E05, 00404E11

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\
API String ID: 2531174081-454612145
Opcode ID: 4c40d471567b76e324dd5d5172a32d65f1e9fb516d406fa49f56aca93204cf98
Instruction ID: 64f14355eea1465708e63b557f2fc924fecf56a011f776fb8de10cf69f9f2b8c
Opcode Fuzzy Hash: 4c40d471567b76e324dd5d5172a32d65f1e9fb516d406fa49f56aca93204cf98
Instruction Fuzzy Hash: F7216071A00118BBDB119FA9DD85ADEBFA9FF44354F14807AF904B6290C7398E418F98

Function 00402E5B Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 174
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402EC2
GetTickCount.KERNEL32 ref: 00402F69
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 00402F92
wsprintfA.USER32 ref: 00402FA2
WriteFile.KERNEL32(00000000,00000000,00000000,7FFFFFFF,00000000), ref: 00402FD0

Strings

... %d%%, xrefs: 00402F9C

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: CountTick$FileWritewsprintf
String ID: ... %d%%
API String ID: 4209647438-2449383134
Opcode ID: 787522d49fa5e6cbb185d9a46a8dfd7f8e2c103290e6532508a1672770904cea
Instruction ID: 0d39cdfb2b20f01ea0ef459ff81ac6f09524c508dd7874cbed1e127a204ff5ac
Opcode Fuzzy Hash: 787522d49fa5e6cbb185d9a46a8dfd7f8e2c103290e6532508a1672770904cea
Instruction Fuzzy Hash: 3D618D7190121AEBDF10CF65DA44A9E7BB8EF04366F10413BF800B72D4D7789A51DBAA

Function 00401F51 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 73
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 00401F7C

Part of subcall function 00404DAA: lstrlenA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00000000,768223A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000,?), ref: 00404DE3
Part of subcall function 00404DAA: lstrlenA.KERNEL32(00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00000000,768223A0,?,?,?,?,?,?,?,?,?,00402FB6,00000000), ref: 00404DF3
Part of subcall function 00404DAA: lstrcatA.KERNEL32(Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00402FB6,00402FB6,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,00000000,00000000,768223A0), ref: 00404E06
Part of subcall function 00404DAA: SetWindowTextA.USER32(Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\,Remove folder: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\), ref: 00404E18
Part of subcall function 00404DAA: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 00404E3E
Part of subcall function 00404DAA: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00404E58
Part of subcall function 00404DAA: SendMessageA.USER32(?,00001013,?,00000000), ref: 00404E66

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401F8C
GetProcAddress.KERNEL32(00000000,?), ref: 00401F9C
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 00402007

Strings

8174224, xrefs: 00401FD1
B, xrefs: 00401FC7

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: 8174224$B
API String ID: 2987980305-3798258468
Opcode ID: 551f093684186f84c7c1f62f32051f5768313c863a04f8ea7071731246c8ad6e
Instruction ID: bf94c0598684f4a2e8798aed6ecd64900ad0f6fcd097f114c8a1beddd358b100
Opcode Fuzzy Hash: 551f093684186f84c7c1f62f32051f5768313c863a04f8ea7071731246c8ad6e
Instruction Fuzzy Hash: 5121EE72D04216EBCF107FA5CE49A6E75B06F45358F20433BF511B62E1C77C4941A65E

Function 00405712 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 32
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405725
GetTempFileNameA.KERNEL32(?,0061736E,00000000,?), ref: 0040573F

Strings

"C:\Users\user\Desktop\yUgCaQhCIc.exe", xrefs: 00405719
C:\Users\user\AppData\Local\Temp\, xrefs: 00405712, 00405715
nsa, xrefs: 0040571E

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\yUgCaQhCIc.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2928232156
Opcode ID: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction ID: 857343acb9398127b83b67a88284cb3acf20d602f6beb627bdaaa73bf87bc8f8
Opcode Fuzzy Hash: fc5e126f8815d4696b9f295c06fae67d9d4e63728d0dbdda5093f58b42bfadad
Instruction Fuzzy Hash: 19F0A736348204BAE7105E55DC04B9B7F99DFD1750F14C027F9449B1C0D6F099589BA9

Function 00401BAD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C0D
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C25

Strings

!, xrefs: 00401BE1

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 5e77a80833e19dc55b8a20fadec5ab0659a97bc6c71de6bcb2193ca436d8299f
Instruction ID: e870f9960eb541ab862ab70d99fa676f0883abea00e9f1964bf1c40a5587cb5b
Opcode Fuzzy Hash: 5e77a80833e19dc55b8a20fadec5ab0659a97bc6c71de6bcb2193ca436d8299f
Instruction Fuzzy Hash: 3B21C4B1A44209BFEF01AFB4CE4AAAE7B75EF40344F14053EF602B60D1D6B84980E718

Function 004015B3 Relevance: 6.1, APIs: 4, Instructions: 55
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405593: CharNextA.USER32(ES@,?,C:\,00000000,004055F7,C:\,C:\,?,?,00000000,00405345,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 004055A1
Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055A6
Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055B5

CreateDirectoryA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNEL32(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNEL32(00000000,00434800,00000000,00000000,000000F0), ref: 00401622

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID:
API String ID: 3751793516-0
Opcode ID: e9d59eda693b922a5fdb80184fc3babb31ba0cd8e1a3062a527ae998bf2baf8a
Instruction ID: bf1eb0eabc3c1df6ff2fb323ed3efcd7168262dea338722757ad05095e7f5395
Opcode Fuzzy Hash: e9d59eda693b922a5fdb80184fc3babb31ba0cd8e1a3062a527ae998bf2baf8a
Instruction Fuzzy Hash: AB012631908180AFDB217F756D449BF6BB0EA56365728073FF492B22E2C23C4D42962E

Function 004055E0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405A0C: lstrcpynA.KERNEL32(?,?,00000400,00403168,Bibado Installer - Nero Burning Rom Setup,NSIS Error), ref: 00405A19

Part of subcall function 00405593: CharNextA.USER32(ES@,?,C:\,00000000,004055F7,C:\,C:\,?,?,00000000,00405345,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 004055A1
Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055A6
Part of subcall function 00405593: CharNextA.USER32(00000000), ref: 004055B5

lstrlenA.KERNEL32(C:\,00000000,C:\,C:\,?,?,00000000,00405345,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 00405633
GetFileAttributesA.KERNEL32(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,00000000,00405345,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 00405643

Strings

C:\, xrefs: 004055E6, 004055EB, 004055F1, 0040562C, 00405632, 0040563A, 00405642

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\
API String ID: 3248276644-3404278061
Opcode ID: da87c44caba5ef5b47b3dfc23c9f89bee904d632c2bc274008544d1b26360f61
Instruction ID: cbb7be82a93a6dd192d11d13e0df5a6c8cbb76871d8c278764bccb9a445afede
Opcode Fuzzy Hash: da87c44caba5ef5b47b3dfc23c9f89bee904d632c2bc274008544d1b26360f61
Instruction Fuzzy Hash: B5F02825205D6132D622363A1C49BAF1A56CD833247980D3BF854B12C6DB3D8943EE6E

Function 004030C6 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00405C6E: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\yUgCaQhCIc.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CC6
Part of subcall function 00405C6E: CharNextA.USER32(?,?,?,00000000), ref: 00405CD3
Part of subcall function 00405C6E: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\yUgCaQhCIc.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CD8
Part of subcall function 00405C6E: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CE8

CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 004030E7

Strings

1033, xrefs: 004030EE
C:\Users\user\AppData\Local\Temp\, xrefs: 004030C7, 004030CC, 004030D2, 004030DE, 004030E6, 004030ED

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-2030658151
Opcode ID: 9fc94c8ce289ceace51d82d7694160c71b26e7ee5232ad3accb455f1d4d4e313
Instruction ID: 7f1b43601f0a10077d0081c2ba5ec5825ac71a1bded9547d22d949ebda8a6a9f
Opcode Fuzzy Hash: 9fc94c8ce289ceace51d82d7694160c71b26e7ee5232ad3accb455f1d4d4e313
Instruction Fuzzy Hash: B6D0922150AD3031D651322A3E06BCF154D8F4636AF65807BF944B608A4A6C2A825AEE

Function 004034C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000,00000000,00403498,004032EB,00000000), ref: 004034DA
GlobalFree.KERNEL32(00000000), ref: 004034E1

Strings

"C:\Users\user\Desktop\yUgCaQhCIc.exe", xrefs: 004034D2

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: "C:\Users\user\Desktop\yUgCaQhCIc.exe"
API String ID: 1100898210-1484012235
Opcode ID: 46acf84ebda6383aa3704241e203cd439e3c816428f1e63aa7a51627b246d5e2
Instruction ID: a7ab284cabc648ba81e11ba063b903b3b671d5f7e61a69f5101281db245b6d62
Opcode Fuzzy Hash: 46acf84ebda6383aa3704241e203cd439e3c816428f1e63aa7a51627b246d5e2
Instruction Fuzzy Hash: E1E08C329110209BD6221F05AE0575A7B6D6B44B32F02802AE9407B2A087746C424BDD

Function 00401B06 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(007B7810), ref: 00401B75
GlobalAlloc.KERNEL32(00000040,00000404), ref: 00401B87

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00401B2D, 00401B33, 00401B4D

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: Global$AllocFree
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3394109436-823278215
Opcode ID: 0f8e336cfa202ebd74b4841c9e5fcfc62dd7a51da43063299facde2bddfebbd9
Instruction ID: 02e27a443d0c975bd2d35078e55c9ecbb47b75263e9a7029776e4410220f8425
Opcode Fuzzy Hash: 0f8e336cfa202ebd74b4841c9e5fcfc62dd7a51da43063299facde2bddfebbd9
Instruction Fuzzy Hash: C821C3B67002029BC710EB94DEC595F73A8EB84368724463BF502F32D0DB78AC019B5E

Function 004058F3 Relevance: 4.5, APIs: 3, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNEL32(80000002,00405B2F,00000000,00000002,?,00000002,0036A419,?,00405B2F,80000002,Software\Microsoft\Windows\CurrentVersion,0036A419,Remove folder: ,00798FB1), ref: 0040591C
RegQueryValueExA.KERNEL32(0036A419,?,00000000,00405B2F,0036A419,00405B2F), ref: 0040593D
RegCloseKey.KERNEL32(?), ref: 0040595E

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 20ca1dc64cf80f35bde4a5a459f169022cfe0f17446037da1f5ac97088a586f8
Instruction ID: 7f29002dde4dac3a19eb3905e2141cfc53fc6fe5580d4c3066aa5286193c6294
Opcode Fuzzy Hash: 20ca1dc64cf80f35bde4a5a459f169022cfe0f17446037da1f5ac97088a586f8
Instruction Fuzzy Hash: 16015AB104020AEFDF128F64EC44AEB3FACEF153A4F004436F954E6220D235D968DBA5

Function 00402267 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,!N~,?,000003FF,00000000), ref: 00402297

Strings

!N~, xrefs: 0040228E, 00402292

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: PrivateProfileString
String ID: !N~
API String ID: 1096422788-529124213
Opcode ID: 83959307df37686c86d75e4de7286cd2fa4b3ebc5ce89ae33a3a58613c6f73fc
Instruction ID: 21cd7503a9a85725414fd2f210def48a3ed87e9b9f52c0cacc02f36f79452d1c
Opcode Fuzzy Hash: 83959307df37686c86d75e4de7286cd2fa4b3ebc5ce89ae33a3a58613c6f73fc
Instruction Fuzzy Hash: E4E04F71900208BBDB50AFA1CD49DAE3AA8BF043C4F100129FA10AB1C1DBB89541AB55

Function 00403D97 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000408,?,00000000,004039F9), ref: 00403DB5

Strings

x, xrefs: 00403D97

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: MessageSend
String ID: x
API String ID: 3850602802-2363233923
Opcode ID: 2297d9a5740f239e563778608566daf4408a5e1d57364abcd084643e47e82489
Instruction ID: ab0c8c299765955ccbfa59721f842daf732f2f91f0a416ba9cb054cc648477c1
Opcode Fuzzy Hash: 2297d9a5740f239e563778608566daf4408a5e1d57364abcd084643e47e82489
Instruction Fuzzy Hash: 4FC01271A84201EADA209B02DE00B06BA71EBA4702F508039F385200B186706822DB0D

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
Instruction ID: 8223ec958efd2c964e321ebce6dca8e406ed2778dd364e0d2667d4e2a9ef0db3
Opcode Fuzzy Hash: cf7b3020d7635a73a7f034f7f9c2b240c5e2222d46fcf66a2415134205071e91
Instruction Fuzzy Hash: FE01F4317242109BE7299B799D04B6A36D8E710325F14453FF955F72F1D678DC028B4D

Function 00402866 Relevance: 3.0, APIs: 2, Instructions: 21windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000000B,?), ref: 00402875
InvalidateRect.USER32(?), ref: 00402885

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: InvalidateMessageRectSend
String ID:
API String ID: 909852535-0
Opcode ID: a5f93ca787052cb85bb993d16fb5bfc88cd44bd4415a14ef171f869fd08a24a6
Instruction ID: 5d37e61976acf5bdbec0b869d18ae9d7eae5027ec9d1abcfdb12a567b3c3e37f
Opcode Fuzzy Hash: a5f93ca787052cb85bb993d16fb5bfc88cd44bd4415a14ef171f869fd08a24a6
Instruction Fuzzy Hash: 7AE08CB2B40104AFEB10DB94EE85DAE7BBAEB40349B14007AF602F0060D2341D10CA28

Function 00401D95 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DAB
EnableWindow.USER32(00000000,00000000), ref: 00401DB6

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: bec9b1a9a5822b1f3694e8d3d7e5bfeccac05f90ba014232035f8450c8442d81
Instruction ID: 9da135c70202b86661629657fe57a258e31507742a425f579c1fc233a54c13c2
Opcode Fuzzy Hash: bec9b1a9a5822b1f3694e8d3d7e5bfeccac05f90ba014232035f8450c8442d81
Instruction Fuzzy Hash: 62E0CD72B08110DBD710F7B45D8995D3664DB40369B10453BF503F50C1D2789C4196EE

Function 004056E3 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(00000003,00402C62,C:\Users\user\Desktop\yUgCaQhCIc.exe,80000000,00000003), ref: 004056E7
CreateFileA.KERNEL32(?,?,00000001,00000000,?,00000001,00000000), ref: 00405709

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction ID: 518821d5ca0a74227a37217cadb520a33af9faec79942caa6648154b48e23ab6
Opcode Fuzzy Hash: f96d5d8e90d761c4e0dddf78ec48930a46771e4615b27f2c581d09f506512028
Instruction Fuzzy Hash: DDD09E71658301AFEF098F20DE1AF2E7AA2EB84B01F10962CB646940E0D6715C15DB16

Function 0040347B Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,004032EB,00000000), ref: 00403486

Strings

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\, xrefs: 0040349A

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\
API String ID: 2962429428-3446665066
Opcode ID: 31f78a86cd46fd7a0018bd77bfa4d4c204eb943dc09def5fdfba012cb08fa724
Instruction ID: dd629d7ffa80b2531d7668e5a1a305395e4adc4893f6b58610a8e469f8d50dee
Opcode Fuzzy Hash: 31f78a86cd46fd7a0018bd77bfa4d4c204eb943dc09def5fdfba012cb08fa724
Instruction Fuzzy Hash: F8C01230504600E6D2246F759E0A6093A18574173AB904336B179B50F1C77C5901453E

Function 004056C4 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNEL32(?,004054CF,?,?,?), ref: 004056C8
SetFileAttributesA.KERNEL32(?,00000000), ref: 004056DA

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction ID: 8174f72b6c2f00669cb3d5f93c0fb6c6646d93779de37800628d5af5c47e1667
Opcode Fuzzy Hash: 499c41a265c8c72c251eb99c81a2d8ea197c0ca55525d81af5d9f53b6a62e1c9
Instruction Fuzzy Hash: C7C002B1808501AAD6015B24DF0D81E7A66EB50361B508F25F569A00F0C7355866DA1A

Function 00401DC1 Relevance: 1.5, APIs: 1, Instructions: 41COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(?,00000000,00000000,00000000,00434800,?), ref: 00401E07

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: ExecuteShell
String ID:
API String ID: 587946157-0
Opcode ID: f69e8e64304c582337ff86cae38ef711e2aa22c260cbe21d960f4165b9c65205
Instruction ID: 1d9e37e4724715ff8eb4cd61c52570f4e17590a8471f76494d0d603f05069ab9
Opcode Fuzzy Hash: f69e8e64304c582337ff86cae38ef711e2aa22c260cbe21d960f4165b9c65205
Instruction Fuzzy Hash: C3F04C73B04301AACB50AFB19D4AE5E3BA8AB41398F200637F510F70C1D9FC8801B318

Function 00402223 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 0040225C

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: b6116c209c80720ea8c5b66b32d343bdc214f8bf2523826a10554ae8e2aaa3ef
Instruction ID: 7f0f3d0bfb11d3a69440f7e30d7772d63b8707f304f836d716d69bda9ce5b450
Opcode Fuzzy Hash: b6116c209c80720ea8c5b66b32d343bdc214f8bf2523826a10554ae8e2aaa3ef
Instruction Fuzzy Hash: 31E04871F002656BDBA07AF14F8D97F115C7B84344F14027EBA15762C6E9BC4D416169

Function 0040307D Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(00000000,00000000,00000000,00000000,000000FF,?,00402EAA,000000FF,00000004,00000000,00000000,00000000), ref: 00403094

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction ID: 43e3c0ed55451ca58d66c179b0d5cd373ba627774d09ad719adf1b780fd88a5d
Opcode Fuzzy Hash: 728267699a9b44ddad9e6e694247195ab13049bac6004c2e56fc09e99b3f0f19
Instruction Fuzzy Hash: F0E08631101119BBCF105E61AC00A9B3F9CEB05362F00C032FA04E5190D538DA14DBA5

Function 00403DBE Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetDlgItemTextA.USER32(?,?,00000000), ref: 00403DD8

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: 127803520696b4f43e8fc6f5d9bd0ca07d8143994230ac30ebc5eaf9d6967234
Instruction ID: 1da1af2c7098a7a5c47cb9e65cfb44b89bee0289569f32b065f15b06c39939a7
Opcode Fuzzy Hash: 127803520696b4f43e8fc6f5d9bd0ca07d8143994230ac30ebc5eaf9d6967234
Instruction Fuzzy Hash: 79C04C79248604BFD641A759DC42F1FB79DEF94315F00C52EB19CE11D1C63984209E26

Function 00403E0A Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(0002047E,00000000,00000000,00000000), ref: 00403E1C

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c5061dae57279ed18d5e0219b0993123e9bb10419d0af8d34ddcf4ee1c6729a0
Instruction ID: 4a69275ab6afdcc9dd23c2635c3fa87663c4bda3d9f509ac91b66b343a6ea2c2
Opcode Fuzzy Hash: c5061dae57279ed18d5e0219b0993123e9bb10419d0af8d34ddcf4ee1c6729a0
Instruction Fuzzy Hash: 0FC04C717443016AEA20DB51DE45F0777589754B01F548465B604A50D0C674E410D65D

Function 00403DF3 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403C24), ref: 00403E01

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: acb417c3046c5230bf261fb3a85c5b045a6b8022903fbd0a553d80ffe77ce434
Instruction ID: d5eec3387bf9f2af87c3deac1be3c081a68759b5cbc5052c90a1cd046c0f3978
Opcode Fuzzy Hash: acb417c3046c5230bf261fb3a85c5b045a6b8022903fbd0a553d80ffe77ce434
Instruction Fuzzy Hash: BCB01275BC4201FBEE219B01DE09F457E62E764701F008074B305240F0C6B210A1DF0D

Function 004030AF Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00000000,00000000,00000000,00402DE9,0000BBE4), ref: 004030BD

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction ID: eafd0aff1283cdec3023edec91852d87283cefa69c9b21bce59c6677f93a42a7
Opcode Fuzzy Hash: 2028dafccfaa88a297be93e7ba1f52e009ec02dcd94d5fd44c1761bf2bffe23e
Instruction Fuzzy Hash: 14B01271644200BFDB214F00DF06F057B21A790701F108030B344380F082712420EB1E

Function 00403DE0 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403BBD), ref: 00403DEA

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: e3f2ba33d58efc8432ae633466a552196efcc3252a2fe2007ece747084bac9c6
Instruction ID: 5393fb3fd4ec66336373a3cea7bd514d8462fd9d014250aae94180e38f4c2131
Opcode Fuzzy Hash: e3f2ba33d58efc8432ae633466a552196efcc3252a2fe2007ece747084bac9c6
Instruction Fuzzy Hash: AFA002755051009BCA515B50DF048457A61A754701B458475F1459017487315861EB6A

Non-executed Functions

Function 004046F9 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 478windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404710
GetDlgItem.USER32(?,00000408), ref: 0040471D
GlobalAlloc.KERNEL32(00000040,00000002), ref: 00404769
LoadBitmapA.USER32(0000006E), ref: 0040477C
SetWindowLongA.USER32(?,000000FC,00404CFA), ref: 00404796
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004047AA
ImageList_AddMasked.COMCTL32(00000000,?,00FF00FF), ref: 004047BE
SendMessageA.USER32(?,00001109,00000002), ref: 004047D3
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 004047DF
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 004047F1
DeleteObject.GDI32(?), ref: 004047F6
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404821
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 0040482D
SendMessageA.USER32(?,00001100,00000000,?), ref: 004048C2
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 004048ED
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404901
GetWindowLongA.USER32(?,000000F0), ref: 00404930
SetWindowLongA.USER32(?,000000F0,00000000), ref: 0040493E
ShowWindow.USER32(?,00000005), ref: 0040494F
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404A52
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404AB7
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404ACC
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404AF0
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404B16
ImageList_Destroy.COMCTL32(00000000), ref: 00404B2B
GlobalFree.KERNEL32(00000000), ref: 00404B3B
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404BAB
SendMessageA.USER32(?,00001102,00000410,?), ref: 00404C54
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404C63
InvalidateRect.USER32(?,00000000,00000001), ref: 00404C83
ShowWindow.USER32(?,00000000), ref: 00404CD1
GetDlgItem.USER32(?,000003FE), ref: 00404CDC
ShowWindow.USER32(00000000), ref: 00404CE3

Strings

N, xrefs: 0040498D
, xrefs: 00404CBB
M, xrefs: 004048A9

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 59eb1809f78b2e22b71ab630a4b4117a288a05a336703e358dd51402bec2e6c3
Instruction ID: 30a51c26aaa2b30bd696497e7e47c5adc9155ce2862f65cc436e234c57937e2f
Opcode Fuzzy Hash: 59eb1809f78b2e22b71ab630a4b4117a288a05a336703e358dd51402bec2e6c3
Instruction Fuzzy Hash: D402AFB0A00208AFDB20DF55DD45AAE7BB5FB84314F10817AF611BA2E1D7799E42CF58

Function 004041FC Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 266stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404248
SetWindowTextA.USER32(?,?), ref: 00404275
SHBrowseForFolderA.SHELL32(?,004293B0,?), ref: 0040432A
CoTaskMemFree.OLE32(00000000), ref: 00404335
lstrcmpiA.KERNEL32(Remove folder: ,00429FE0), ref: 00404367
lstrcatA.KERNEL32(?,Remove folder: ), ref: 00404373
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404383

Part of subcall function 004052B1: GetDlgItemTextA.USER32(?,?,00000400,004043B6), ref: 004052C4

Part of subcall function 00405C6E: CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\yUgCaQhCIc.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CC6
Part of subcall function 00405C6E: CharNextA.USER32(?,?,?,00000000), ref: 00405CD3
Part of subcall function 00405C6E: CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\yUgCaQhCIc.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CD8
Part of subcall function 00405C6E: CharPrevA.USER32(?,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CE8

GetDiskFreeSpaceA.KERNEL32(00428FA8,?,?,0000040F,?,00428FA8,00428FA8,?,00000000,00428FA8,?,?,000003FB,?), ref: 0040443C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404457
SetDlgItemTextA.USER32(00000000,00000400,00428F98), ref: 004044D0

Strings

C:\Program Files (x86)\Nero Burning Rom, xrefs: 00404350
Remove folder: , xrefs: 00404361, 00404366, 00404371
A, xrefs: 00404323
8174224, xrefs: 00404215

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: 8174224$A$C:\Program Files (x86)\Nero Burning Rom$Remove folder:
API String ID: 2246997448-946158102
Opcode ID: ff348560b6faec50659af313b3d2a2111afe001c507a4e4cf48385b70e4cb693
Instruction ID: 52dfe11e264a0fce323933678d720eed1997f61c196974170264a293bd140da1
Opcode Fuzzy Hash: ff348560b6faec50659af313b3d2a2111afe001c507a4e4cf48385b70e4cb693
Instruction Fuzzy Hash: 19915FB1A00219ABDF11AFA1CC85AAF7BB8EF84315F10407BFA00B6291D77C99418F59

Function 00402020 Relevance: 3.1, APIs: 2, Instructions: 134comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407490,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402073
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,00409378,00000400,?,00000001,00407480,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040212D

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID:
API String ID: 123533781-0
Opcode ID: 68441b76e02daf5c94a04c817994d866479800aff39ed8a12ba88c5297dbe799
Instruction ID: ee874f8c2dec57c4877f78095a0f9dac743c80c93ea62094aeb2a8065092a27c
Opcode Fuzzy Hash: 68441b76e02daf5c94a04c817994d866479800aff39ed8a12ba88c5297dbe799
Instruction Fuzzy Hash: 07417D75A00205BFCB40DFA4CD88E9E7BBABF48354B204269FA15FB2D1CA799D41CB54

Function 0040263E Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040264D

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 5ec8cfe3ecd6d47a33181b223f4745e968f2e88ce0dfbd25e8ae3887cda06d2f
Instruction ID: c4edc1118dc91e0c9440d01bfde8b8f2caf312925950fbc99ec99334c7621aa2
Opcode Fuzzy Hash: 5ec8cfe3ecd6d47a33181b223f4745e968f2e88ce0dfbd25e8ae3887cda06d2f
Instruction Fuzzy Hash: E3F0E572648101DFD700EBB49D49AEEB768DF51328FA007BBF502F20C1C2B84945DB2A

Function 00406128 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2605cf98d0f5e4d904242d25cd3a4b56aad5cd8bbaf3b06cd26a7c18d89d64d
Instruction ID: 671146196c1174ec618cbc22bbed2adbdbe1d7b4d249fb8fe9215707769dedfe
Opcode Fuzzy Hash: c2605cf98d0f5e4d904242d25cd3a4b56aad5cd8bbaf3b06cd26a7c18d89d64d
Instruction Fuzzy Hash: 3FE16971901B09DFDB24CF58C880BAABBF5EB44305F15852EE897A72D1D378AA51CF44

Function 004068FF Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b751e5aff08849ce342a749075ab7f0bf0a9efd73ac853bc595c300a3c4f69bb
Instruction ID: ce73a9d55fc041a401e528a6b0bed7c2fc314d3430b7e91baefc2d4226deaab1
Opcode Fuzzy Hash: b751e5aff08849ce342a749075ab7f0bf0a9efd73ac853bc595c300a3c4f69bb
Instruction Fuzzy Hash: 51C13A71A002698BDF14CF68C4905EEB7B2FF99314F26827AD856B7380D7346952CF94

Function 00403F06 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00403F91
GetDlgItem.USER32(00000000,000003E8), ref: 00403FA5
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00403FC3
GetSysColor.USER32(?), ref: 00403FD4
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00403FE3
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00403FF2
lstrlenA.KERNEL32(?), ref: 00403FFC
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 0040400A
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404019
GetDlgItem.USER32(?,0000040A), ref: 0040407C
SendMessageA.USER32(00000000), ref: 0040407F
GetDlgItem.USER32(?,000003E8), ref: 004040AA
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 004040EA
LoadCursorA.USER32(00000000,00007F02), ref: 004040F9
SetCursor.USER32(00000000), ref: 00404102
ShellExecuteA.SHELL32(0000070B,open,0042DB00,00000000,00000000,00000001), ref: 00404115
LoadCursorA.USER32(00000000,00007F00), ref: 00404122
SetCursor.USER32(00000000), ref: 00404125
SendMessageA.USER32(00000111,00000001,00000000), ref: 00404151
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404165

Strings

Remove folder: , xrefs: 004040D5
N, xrefs: 00404098
open, xrefs: 0040410D

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: N$Remove folder: $open
API String ID: 3615053054-3278287247
Opcode ID: ca9ac3b64147b6f3934cc3f9d65700a8f1bf1296ace46b7c3bfa8303cb2a33ee
Instruction ID: 0605a8af88f24b8a239437e517aaa265f180be2417519ff34b25117700073a86
Opcode Fuzzy Hash: ca9ac3b64147b6f3934cc3f9d65700a8f1bf1296ace46b7c3bfa8303cb2a33ee
Instruction Fuzzy Hash: D161C1B1A40209BBEB109F60DD45F6A3B69FF54715F108036FB01BA2D1C7B8A991CF98

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,?), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Bibado Installer - Nero Burning Rom Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Bibado Installer - Nero Burning Rom Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: Bibado Installer - Nero Burning Rom Setup$F
API String ID: 941294808-3675506530
Opcode ID: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
Instruction ID: 226a36137513f208ef2a020474f107b038e547e09bed9ebbc09fe29577f91b00
Opcode Fuzzy Hash: 3029600e7a8438bcc5a7b1f7b0fc9c629607e2b31f65c15310fafe19c7710355
Instruction Fuzzy Hash: C0419B71804249AFCF058FA5CD459BFBFB9FF44314F00812AF952AA1A0C738AA51DFA5

Function 0040575A Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 144filememoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00405D2E: GetModuleHandleA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D40
Part of subcall function 00405D2E: LoadLibraryA.KERNEL32(?,?,00000000,0040313D,00000008), ref: 00405D4B
Part of subcall function 00405D2E: GetProcAddress.KERNEL32(00000000,?), ref: 00405D5C

CloseHandle.KERNEL32(00000000,?,00000000,00000001,00000001,?,00000000,?,?,004054EF,?,00000000,000000F1,?), ref: 004057A7
GetShortPathNameA.KERNEL32(?,0042C170,00000400), ref: 004057B0
GetShortPathNameA.KERNEL32(00000000,0042BBE8,00000400), ref: 004057CD
wsprintfA.USER32 ref: 004057EB
GetFileSize.KERNEL32(00000000,00000000,0042BBE8,C0000000,00000004,0042BBE8,?,?,?,00000000,000000F1,?), ref: 00405826
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,00000000,000000F1,?), ref: 00405835
ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,?,?,00000000,000000F1,?), ref: 0040584B
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,?,0042B7E8,00000000,-0000000A,00409330,00000000,[Rename],?,?,00000000,000000F1,?), ref: 00405891
WriteFile.KERNEL32(00000000,00000000,?,?,00000000,?,?,00000000,000000F1,?), ref: 004058A3
GlobalFree.KERNEL32(00000000), ref: 004058AA
CloseHandle.KERNEL32(00000000,?,?,00000000,000000F1,?), ref: 004058B1

Part of subcall function 00405658: lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565F
Part of subcall function 00405658: lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040568F

Strings

%s=%s, xrefs: 004057E1
[Rename], xrefs: 0040585B, 0040586D

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: File$Handle$CloseGlobalNamePathShortlstrlen$AddressAllocFreeLibraryLoadModulePointerProcReadSizeWritewsprintf
String ID: %s=%s$[Rename]
API String ID: 3772915668-1727408572
Opcode ID: dff5e8461f90d0a7b08308301f80b1547d188907f97dbbe474557014f1802e0f
Instruction ID: 426fb2abaf3c2c6495405564ff4e517f65c757b77f6bed08917e1be6c8ffeb7f
Opcode Fuzzy Hash: dff5e8461f90d0a7b08308301f80b1547d188907f97dbbe474557014f1802e0f
Instruction Fuzzy Hash: 6341FF32606B15ABE3206B619C49F6B3A5CDF80705F004436FD05F62C2E678E8118EBD

Function 00405C6E Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\yUgCaQhCIc.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CC6
CharNextA.USER32(?,?,?,00000000), ref: 00405CD3
CharNextA.USER32(?,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\yUgCaQhCIc.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CD8
CharPrevA.USER32(?,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",C:\Users\user\AppData\Local\Temp\,00000000,004030D2,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405CE8

Strings

"C:\Users\user\Desktop\yUgCaQhCIc.exe", xrefs: 00405C74
*?|<>/":, xrefs: 00405CB6
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C6F, 00405CAA

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\yUgCaQhCIc.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1722615944
Opcode ID: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction ID: 3b67653c5ee308ebbdbeafcda2e7905df7fa5ba98b11233f7c0ae47683edab57
Opcode Fuzzy Hash: 5aa71b13a4eda0142438c40892e2bf660e792717ed83394db4a483eb7dc85cb7
Instruction Fuzzy Hash: 0811905180CB912EFB3206245D44BB7BF89CB567A0F58447BE9C5B22C2CA7C5C429A6D

Function 00403E25 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00403E42
GetSysColor.USER32(00000000), ref: 00403E5E
SetTextColor.GDI32(?,00000000), ref: 00403E6A
SetBkMode.GDI32(?,?), ref: 00403E76
GetSysColor.USER32(?), ref: 00403E89
SetBkColor.GDI32(?,?), ref: 00403E99
DeleteObject.GDI32(?), ref: 00403EB3
CreateBrushIndirect.GDI32(?), ref: 00403EBD

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction ID: df06335cf3b4afc37a3544ae2d30c5d34a8579c70edf0d6bae8496df32602c64
Opcode Fuzzy Hash: 54c4c26d0880f537c7164b4e2121e342b47f232b14c6c2566c024284623f766e
Instruction Fuzzy Hash: DC219671904709ABCB219F78DD08B4B7FF8AF00715F048A29F855E22E0D338E904CB95

Function 0040267C Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,0000BC00,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D0
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026EC
GlobalFree.KERNEL32(?), ref: 00402725
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 00402737
GlobalFree.KERNEL32(00000000), ref: 0040273E
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 00402756
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 0040276A

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 127149d4f0cce16dfe4a3af1efdcab4b76b2a353eb8979ce4d539156ac24bc73
Instruction ID: 62f2159171fbc9033078dd1539b67ba065abfcd1800d5973976be9d0b9eda31e
Opcode Fuzzy Hash: 127149d4f0cce16dfe4a3af1efdcab4b76b2a353eb8979ce4d539156ac24bc73
Instruction Fuzzy Hash: DE319F71C00128BBDF216FA5CD89EAE7E78EF04364F10422AF524772E0C7795D419BA9

Function 00404679 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404694
GetMessagePos.USER32 ref: 0040469C
ScreenToClient.USER32(?,?), ref: 004046B6
SendMessageA.USER32(?,00001111,00000000,?), ref: 004046C8
SendMessageA.USER32(?,0000110C,00000000,?), ref: 004046EE

Strings

f, xrefs: 004046CA

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction ID: b5388fb2048f9adb4f66bcd81e9da03b2d8faafec29f08353259a6dacb87349b
Opcode Fuzzy Hash: 2a5698d5089c35727aab5c3c5da7bcfb0b51a0b1d2cb1bbeaafe9db8233e3477
Instruction Fuzzy Hash: 0E014071D00219BADB00DB94DC45BEEBBB8AB59711F10016ABA11B61C0D7B865418BA5

Function 00402B3B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B56
MulDiv.KERNEL32(0007B546,00000064,0007C4E8), ref: 00402B81
wsprintfA.USER32 ref: 00402B91
SetWindowTextA.USER32(?,?), ref: 00402BA1
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3

Strings

verifying installer: %d%%, xrefs: 00402B8B

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: fb9d5c419c19e2bdb6c378f6819b1ebc1dc21d5e7d0f0b4f2b85ce684f360012
Instruction ID: 3d98ddf4d84b742d5460afe4edfb6d9be597fa80bf04213b3bc288f28cb5f5da
Opcode Fuzzy Hash: fb9d5c419c19e2bdb6c378f6819b1ebc1dc21d5e7d0f0b4f2b85ce684f360012
Instruction Fuzzy Hash: 82014470A40209ABDB209F60DD09FAE3779BB04345F008039FA06A92D1D7B8AA558F99

Function 00402A36 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00402A57
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A93
RegCloseKey.ADVAPI32(?), ref: 00402A9C
RegCloseKey.ADVAPI32(?), ref: 00402AC1
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402ADF

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: b26b43b9b7666f40e9fdb218fe96b22a79156d573bb7d5cc257a1d138f5a7564
Instruction ID: 324dab2b24170647655e9dcbeda369d8ff673eed47d89bab0de13a8960c84090
Opcode Fuzzy Hash: b26b43b9b7666f40e9fdb218fe96b22a79156d573bb7d5cc257a1d138f5a7564
Instruction Fuzzy Hash: 4F115675A00008FFEF31AF91DE49DAB7B6DEB40384B104436FA05B10A0DBB59E51AE69

Function 00401CC1 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CC5
GetClientRect.USER32(00000000,?), ref: 00401CD2
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CF3
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D01
DeleteObject.GDI32(00000000), ref: 00401D10

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: bcf2014c00065f5201b430a5429a32b7385cfa622623bd2341514d29d8348619
Instruction ID: f89edaf4e673e5a696cf4c500be88082f9c29b5fdabb6c66a10e118bddb835aa
Opcode Fuzzy Hash: bcf2014c00065f5201b430a5429a32b7385cfa622623bd2341514d29d8348619
Instruction Fuzzy Hash: 71F01DB2E04105BFD700EBA4EE89DAFB7BDEB44345B104576F602F6190C678AD018B69

Function 00405593 Relevance: 7.5, APIs: 3, Strings: 2, Instructions: 36COMMON

Download Yara Rule

APIs

CharNextA.USER32(ES@,?,C:\,00000000,004055F7,C:\,C:\,?,?,00000000,00405345,?,"C:\Users\user\Desktop\yUgCaQhCIc.exe",00000000), ref: 004055A1
CharNextA.USER32(00000000), ref: 004055A6
CharNextA.USER32(00000000), ref: 004055B5

Strings

C:\, xrefs: 00405594
ES@, xrefs: 0040559C, 004055A0

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: CharNext
String ID: C:\$ES@
API String ID: 3213498283-247893726
Opcode ID: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
Instruction ID: f60ec20427defc95a9886ae099bd540e39d30c8fbbaad3333d1940da6ed1a81e
Opcode Fuzzy Hash: 68c7f773aafbecf3834176a21eebbfbca0b4bda0270daf5a8c718fc322178301
Instruction Fuzzy Hash: F8F0A7A2D44B25B6E73222A84C44B6B6BADDB55711F244437E200B61D597B84C828FBA

Function 00404597 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00429FE0,00429FE0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004044B7,000000DF,0000040F,00000400,00000000), ref: 00404625
wsprintfA.USER32 ref: 0040462D
SetDlgItemTextA.USER32(?,00429FE0), ref: 00404640

Strings

%u.%u%s%s, xrefs: 0040460F

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 74831606c9b093612702591a57e7d7575a57c61aed7505950e70be9150aef9cb
Instruction ID: a73c68329ee831a229c644748369bffc84c82a565a353c3d841dc2820e0c3950
Opcode Fuzzy Hash: 74831606c9b093612702591a57e7d7575a57c61aed7505950e70be9150aef9cb
Instruction Fuzzy Hash: 9911D0737001243BDB10A66D9C46EEF329ADBC6334F14023BFA25F61D1E9388C5286E8

Function 0040381E Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,Bibado Installer - Nero Burning Rom Setup), ref: 004038B6

Strings

1033, xrefs: 00403822, 0040382C, 0040389D
Bibado Installer - Nero Burning Rom Setup, xrefs: 004038A5
C:\Users\user\AppData\Local\Temp\, xrefs: 0040381F

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: TextWindow
String ID: 1033$Bibado Installer - Nero Burning Rom Setup$C:\Users\user\AppData\Local\Temp\
API String ID: 530164218-3834516452
Opcode ID: 1025670415ed7299d3a4535275ffdf3c061a3cffc7b258d7069b92854ad026b7
Instruction ID: f58d08b88b77c55e92e539ad5181c9965f6bbcffbd0d008a8b371c472e4a47a6
Opcode Fuzzy Hash: 1025670415ed7299d3a4535275ffdf3c061a3cffc7b258d7069b92854ad026b7
Instruction Fuzzy Hash: 9311D176B001009BC734EF56DC809737BADEB8471636881BFEC02A7390D639A8038A98

Function 00404CFA Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 58windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404D30
CallWindowProcA.USER32(?,00000200,?,?), ref: 00404D9E

Part of subcall function 00403E0A: SendMessageA.USER32(0002047E,00000000,00000000,00000000), ref: 00403E1C

Strings

, xrefs: 00404D08
8174224, xrefs: 00404D5C, 00404D66, 00404D74, 00404D82

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID: $8174224
API String ID: 3748168415-3389874118
Opcode ID: 498d22ec92de87507460055f31d3341dd140a7d0c04a54d74523ea2b6bf50dd0
Instruction ID: b16bf2df46199d4e0f4b20eb531931f7d117dfa55111be6f57691eac5a9fa7e0
Opcode Fuzzy Hash: 498d22ec92de87507460055f31d3341dd140a7d0c04a54d74523ea2b6bf50dd0
Instruction Fuzzy Hash: 25114F71600218BBDB219F52DC41AAB3B69AF84365F00813FFA04B91E1C37D8D51CFA9

Function 0040526C Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,0042BFE8,Error launching installer), ref: 00405291
CloseHandle.KERNEL32(?), ref: 0040529E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040526C
Error launching installer, xrefs: 0040527F

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: C:\Users\user\AppData\Local\Temp\$Error launching installer
API String ID: 3712363035-7751565
Opcode ID: dc33ac1254d82063a7b9e43172f0f507123e59eb9c5a5fd92b1179a08dc1bdb0
Instruction ID: 9c205d3d1494e9e4afb0e3639077779a104ecf70f113e6d393e41fe649cd8d97
Opcode Fuzzy Hash: dc33ac1254d82063a7b9e43172f0f507123e59eb9c5a5fd92b1179a08dc1bdb0
Instruction Fuzzy Hash: FBE0ECB4A04209ABEB00EF64ED09D7B7BBCEB00304B408522A911E2290D778E410CEB9

Function 004054FF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004030E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 00405505
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004030E4,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403244), ref: 0040550E
lstrcatA.KERNEL32(?,00409010), ref: 0040551F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004054FF

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction ID: dfec000a3f5bf2671270dd29e8f8c50a5f72ee918dd093ba8f25731816a648b4
Opcode Fuzzy Hash: f17b2ccdaa8efd10834e0f4341d4d5b977b2bb6e8559feba5c8cad9ccc1df0ef
Instruction Fuzzy Hash: FCD0A972705A307ED2022A19AC06F8F2A88CF17301B044822F100B62D2C23C9E418FFE

Function 00402303 Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.ADVAPI32(00000000,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402341
lstrlenA.KERNEL32(0040A380,00000023,?,?,?,00000000,?,?,?,00000011,00000002), ref: 00402361
RegSetValueExA.ADVAPI32(?,?,?,?,0040A380,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040239A
RegCloseKey.ADVAPI32(?,?,?,0040A380,00000000,?,?,?,00000000,?,?,?,00000011,00000002), ref: 0040247D

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: feee39b2995d5713698e39181d4267c001e0350d88117aa5d933f9716d921611
Instruction ID: 74c2b7e5efa1a9b7d251dd878628ee018497e02546d33d1ea7114f4406d6c15c
Opcode Fuzzy Hash: feee39b2995d5713698e39181d4267c001e0350d88117aa5d933f9716d921611
Instruction Fuzzy Hash: 721160B1E00209BFEB10AFA5DE89EAF767CFB40398F10453AF901B71D0D6B85D019669

Function 00401EC5 Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401ED4
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401EF2
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F0B
VerQueryValueA.VERSION(?,00409010,?,?,?,?,?,00000000), ref: 00401F24

Part of subcall function 0040596A: wsprintfA.USER32 ref: 00405977

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: 099a0aa409c47306a0e5e8436e4e2e7c61bc24b53b401cebe12c2d8cce08dfb0
Instruction ID: ac83c8b0d38e5b491d5bd27050ffdb4091974a4b49ad9b19d675067d3fb65d11
Opcode Fuzzy Hash: 099a0aa409c47306a0e5e8436e4e2e7c61bc24b53b401cebe12c2d8cce08dfb0
Instruction Fuzzy Hash: 201148B2900108BFDB01EFA5D981DAEBBB9EF04344B24807AF505F61E1D7389A54DB28

Function 00401D1B Relevance: 6.0, APIs: 4, Instructions: 34COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D22
GetDeviceCaps.GDI32(00000000), ref: 00401D29
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D38
CreateFontIndirectA.GDI32(0040AF84), ref: 00401D8A

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirect
String ID:
API String ID: 3272661963-0
Opcode ID: cde7f90e9653f28e0253788fad6bfaf6f4cce6a54e225caafa13451a0e0ea16a
Instruction ID: 580b179190550232f88f4ba5e52f5296c98f8c4b0afe68c870f47754878f2485
Opcode Fuzzy Hash: cde7f90e9653f28e0253788fad6bfaf6f4cce6a54e225caafa13451a0e0ea16a
Instruction Fuzzy Hash: 68F044F1A45342AEE702A7B0AE4B7993B649725309F100436F545BA1E2C5BC00149B7F

Function 00402BBE Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402D9E,00000001), ref: 00402BD1
GetTickCount.KERNEL32 ref: 00402BEF
CreateDialogParamA.USER32(0000006F,00000000,00402B3B,00000000), ref: 00402C0C
ShowWindow.USER32(00000000,00000005), ref: 00402C1A

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: c87a5157f8204693ca179b822d2a85440fc20d6be017f85e77c31dbe1d2c93c5
Instruction ID: df45f881ccb5ca36463c1a09230da8cf23750fca8468dec1cd15007da7f5e5e8
Opcode Fuzzy Hash: c87a5157f8204693ca179b822d2a85440fc20d6be017f85e77c31dbe1d2c93c5
Instruction Fuzzy Hash: 22F0F430A09120EBC6716F95FD4C99B7F64E704B157504437F001B55F5D67878829B9D

Function 004024BE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024DC
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\Toolbar,00000000,?,?,00000000,00000011), ref: 004024FB

Strings

C:\Users\user\AppData\Local\Temp\Toolbar, xrefs: 004024CA, 004024EF

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\Toolbar
API String ID: 427699356-3936352603
Opcode ID: f8afe27f35a0341f5f43dc116950efcf8e5d728f532d9ae0525ec423e2171d68
Instruction ID: 266b505f4b4a70e0031bd9b61304a7f29979de1156be46298b6644775383f0d6
Opcode Fuzzy Hash: f8afe27f35a0341f5f43dc116950efcf8e5d728f532d9ae0525ec423e2171d68
Instruction Fuzzy Hash: 70F0B4B2B04201AFDB00EBA19E49AAF36589B40348F14443BB142F50C2D6BC4941AB6D

Function 00405546 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\yUgCaQhCIc.exe,C:\Users\user\Desktop\yUgCaQhCIc.exe,80000000,00000003), ref: 0040554C
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402C8E,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\yUgCaQhCIc.exe,C:\Users\user\Desktop\yUgCaQhCIc.exe,80000000,00000003), ref: 0040555A

Strings

C:\Users\user\Desktop, xrefs: 00405546

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1246513382
Opcode ID: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction ID: fca702df0190f5d4796b13fce4c8f5ccfdab60c3fa8ed772e71c257c4247ae30
Opcode Fuzzy Hash: 49376fbf8c9c30057c1bc985cc011eea510fd351d3a644e674ee9e82abf7fe19
Instruction Fuzzy Hash: 39D0A772508EB07EE70366149C00B9F7A88CF13340F094462E040A61D4C27C4D418FFD

Function 00405658 Relevance: 5.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040565F
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405678
CharNextA.USER32(00000000,?,?,00000000,000000F1,?), ref: 00405686
lstrlenA.KERNEL32(00000000,00000000,?,00000000,00000000,00405866,00000000,[Rename],?,?,00000000,000000F1,?), ref: 0040568F

Memory Dump Source

Source File: 00000000.00000002.1411255945.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1411238954.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411273592.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000414000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000420000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.000000000042B000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411295796.0000000000444000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1411434089.000000000044B000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_yUgCaQhCIc.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction ID: fee4d645b7b415a6dc1afaac75e8b1817c7eae67fc86a6e8a33b60f3285d70db
Opcode Fuzzy Hash: 0108cf067d6f6d80c8ed850288af8a4b3b9133f156f8bdff26d83f0dd252fb59
Instruction Fuzzy Hash: 05F0A736309D519AC2125B295C04A6F6A98EF91314B58097AF444F2140E33A9C119BBF

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer ) may leave traces to indicate to what was done within a network and how. Removal of these files can occur during an intrusion, or as part of a post-intrusion process to minimize the adversary's footprint.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Deletion
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report yUgCaQhCIc.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\BrandingURL.dll

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\InstallOptions.dll

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\LangDLL.dll

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\NSISdl.dll

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\UAC.dll

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\inetc.dll

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\ioSpecial.ini

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\modern-wizard.bmp

C:\Users\user\AppData\Local\Temp\nsr39C2.tmp\show_page_toolbar

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
yUgCaQhCIc.exe