Edit tour

Windows Analysis Report
runonce.exe

Overview

General Information

Sample name:	runonce.exe
Analysis ID:	1543805
MD5:	346e10b2e65680b29fdd16131dbf12ba
SHA1:	51c7d3e93eb83f9474d4c3cbb5c3ac40cea40355
SHA256:	0e8dfe0ae97133bf844939886a773489d1b21e520689d38ca7be105d4f832ad6
Infos:

Detection

Score:	24
Range:	0 - 100
Whitelisted:	false
Confidence:	60%

Signatures

Sigma detected: System File Execution Location Anomaly

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

runonce.exe (PID: 3008 cmdline: "C:\Users\user\Desktop\runonce.exe" MD5: 346E10B2E65680B29FDD16131DBF12BA)

WMIC.exe (PID: 3536 cmdline: wmic /NAMESPACE:\\root\CIMV2 path Win32_BIOS get Manufacturer MD5: E2DE6500DE1148C7F6027AD50AC8B891)

conhost.exe (PID: 4284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

System Summary

Sigma detected: System File Execution Location Anomaly

Source: Process started

Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali: Data: Command: "C:\Users\user\Desktop\runonce.exe", CommandLine: "C:\Users\user\Desktop\runonce.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\runonce.exe, NewProcessName: C:\Users\user\Desktop\runonce.exe, OriginalFileName: C:\Users\user\Desktop\runonce.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 1028, ProcessCommandLine: "C:\Users\user\Desktop\runonce.exe", ProcessId: 3008, ProcessName: runonce.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: runonce.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: runonce.exe

Static PE information: certificate valid

Source: runonce.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\runonce.exe	Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C63
Source: C:\Users\user\Desktop\runonce.exe	Code function: 0_2_004068B4 FindFirstFileW,FindClose,	0_2_004068B4
Source: C:\Users\user\Desktop\runonce.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910

Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, AccessControl.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA.crt0
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: AccessControl.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, AccessControl.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, AccessControl.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, AccessControl.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AccessControl.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, AccessControl.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: AccessControl.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigning-g1.crl03
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: AccessControl.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0=
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigning-g1.crl0K
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: runonce.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: AccessControl.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, AccessControl.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0A
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, AccessControl.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0H
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0I
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, AccessControl.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://ocsp.digicert.com0X
Source: runonce.exe, 00000000.00000002.2118704065.00000000027D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://opensource.dell.com
Source: runonce.exe, 00000000.00000002.2118704065.00000000027D9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://opensource.dell.com/
Source: AccessControl.dll.0.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: runonce.exe, 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmp, System.dll.0.dr, nsExec.dll.0.dr, LogEx.dll.0.dr	String found in binary or memory: https://www.digicert.com/CPS0

Source: C:\Users\user\Desktop\runonce.exe

Code function: 0_2_0040571B GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040571B

Source: C:\Users\user\Desktop\runonce.exe

Code function: 0_2_00403532 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,ExitProcess,CoUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_00403532

Source: C:\Users\user\Desktop\runonce.exe	Code function: 0_2_00406DC6		0_2_00406DC6
Source: C:\Users\user\Desktop\runonce.exe	Code function: 0_2_0040759D		0_2_0040759D

Source: runonce.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: sus24.winEXE@4/5@0/0

Source: C:\Users\user\Desktop\runonce.exe

0_2_00403532

Source: C:\Users\user\Desktop\runonce.exe

Code function: 0_2_004049C7 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004049C7

Source: C:\Users\user\Desktop\runonce.exe

Code function: 0_2_004021AF CoCreateInstance,

0_2_004021AF

Source: C:\Users\user\Desktop\runonce.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{2AA9978F-CCEB-4156-859E-D84D5CE6A993}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4284:120:WilError_03

Source: C:\Users\user\Desktop\runonce.exe

File created: C:\Users\user\AppData\Local\Temp\nsjF71D.tmp

Jump to behavior

Source: runonce.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\runonce.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\runonce.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\runonce.exe

File read: C:\Users\user\Desktop\runonce.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\runonce.exe "C:\Users\user\Desktop\runonce.exe"
Source: C:\Users\user\Desktop\runonce.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /NAMESPACE:\\root\CIMV2 path Win32_BIOS get Manufacturer
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\runonce.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /NAMESPACE:\\root\CIMV2 path Win32_BIOS get Manufacturer	Jump to behavior

Source: C:\Users\user\Desktop\runonce.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\runonce.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll	Jump to behavior

Source: C:\Users\user\Desktop\runonce.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: runonce.exe

Static PE information: certificate valid

Source: runonce.exe

Static file information: File size 40855120 > 1048576

Source: runonce.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\runonce.exe	File created: C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\runonce.exe	File created: C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\AccessControl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\runonce.exe	File created: C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\LogEx.dll	Jump to dropped file
Source: C:\Users\user\Desktop\runonce.exe	File created: C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\nsExec.dll	Jump to dropped file

Source: C:\Users\user\Desktop\runonce.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\runonce.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\runonce.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\AccessControl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\runonce.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\LogEx.dll	Jump to dropped file
Source: C:\Users\user\Desktop\runonce.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\nsExec.dll	Jump to dropped file

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Manufacturer FROM Win32_BIOS

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\runonce.exe	Code function: 0_2_00405C63 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C63
Source: C:\Users\user\Desktop\runonce.exe	Code function: 0_2_004068B4 FindFirstFileW,FindClose,	0_2_004068B4
Source: C:\Users\user\Desktop\runonce.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910

Source: C:\Users\user\Desktop\runonce.exe

API call chain: ExitProcess graph end node

graph_0-3253

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\runonce.exe

Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /NAMESPACE:\\root\CIMV2 path Win32_BIOS get Manufacturer

Jump to behavior

Source: C:\Users\user\Desktop\runonce.exe

0_2_00403532

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Access Token Manipulation	OS Credential Dumping	1 Process Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	11 Process Injection	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
runonce.exe	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\AccessControl.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\LogEx.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\nsExec.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://opensource.dell.com	runonce.exe, 00000000.00000002.2118704065.00000000027D9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://opensource.dell.com/	runonce.exe, 00000000.00000002.2118704065.00000000027D9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_ErrorError	runonce.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543805
Start date and time:	2024-10-28 13:44:12 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	runonce.exe
Detection:	SUS
Classification:	sus24.winEXE@4/5@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 27 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: runonce.exe

Simulations

Behavior and APIs

Time	Type	Description
08:45:06	API Interceptor	1x Sleep call for process: WMIC.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\nsExec.dll	https://dl.dell.com/FOLDER11489837M/1/DPeM_4M3XN_1.7.4_WN64_A00.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\LogEx.dll	https://dl.dell.com/FOLDER11489837M/1/DPeM_4M3XN_1.7.4_WN64_A00.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\System.dll	https://dl.dell.com/FOLDER11489837M/1/DPeM_4M3XN_1.7.4_WN64_A00.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\DellPair-1.2.4-in.log

Download File

Process:	C:\Users\user\Desktop\runonce.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	274
Entropy (8bit):	3.0980026038071804
Encrypted:	false
SSDEEP:	3:Q/yMLlYrC4ELlilSVnlmA6lmtg5l5lsFWPjDLclulAlAnolvv8RQl4Qfrsvn:Q/xRYrfGGSV48G5ZsFWQB6no22mQfAv
MD5:	69CBB7C54EB8B52AB4EF6F5A121ACDF2
SHA1:	576FEDAA87A617D3CB6F9539EC2AE1B26888B161
SHA-256:	4806F50C4AFF6299F165539A5E59FE9EFDF4E29088CFD7D61AEB7DAF6AFA2650
SHA-512:	5FBF97B29FDB1FA92E59F79EE78F42E2709594E28AAC3778B484B193B8281E6764EE4B723B2BA6889036E45C36DCE38E2EF32AB4EA1CCD8B415D8F848F62FE3E
Malicious:	false
Reputation:	low
Preview:	..-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.I.n.s.t.a.l.l.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.-.......o.n.I.n.i.t.:.C.o.m.m.a.n.d.L.i.n.e.=.".C.:.\.U.s.e.r.s.\.a.l.f.o.n.s.\.D.e.s.k.t.o.p.\.r.u.n.o.n.c.e...e.x.e.".....M.a.n.u.f.a.c.t.u.r.e.r. .=. .N.N.L.S.G.....

C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\AccessControl.dll

Download File

Process:	C:\Users\user\Desktop\runonce.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	25976
Entropy (8bit):	6.7745195807176675
Encrypted:	false
SSDEEP:	384:ShdGZ2E0YWV2908oj21ILud8YIYitV9Ywd+foAM+o/8E9VF0NyDHw27:ShMFZ01j2yLe8BYiVYwd6oAMxkEX
MD5:	CAFE177FC6D9492042CFEA6F370B7648
SHA1:	6901FFAF7B8E3DE0661AC1E427BDF8E469F94802
SHA-256:	BC2C42EBF191CBD6374818B796BBB2D8C213C1FBFCEB1E8B4253B04894EEFBE8
SHA-512:	53525083E6D6E22E21B53FB5359C8B222CAAAF2E957946715C4142B8082DC4FBF525737A1DBE28BFAF202997EE21F6E020057E941C1AE67FEC099753ED7D2EB2
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........k..................~...........w...........}....Rich............................PE..L....t6`...........!.....0...........7.......@...............................`.......................................<.......8..P....................<..x)...P..p....................................................................................text...w/.......0.................. ..`.data...\....@.......4..............@....reloc.......P.......6..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\LogEx.dll

Download File

Process:	C:\Users\user\Desktop\runonce.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	64432
Entropy (8bit):	5.612892222457597
Encrypted:	false
SSDEEP:	768:soaF+ATCQye/I3KWmxj00Jyb8EnovmCErPxFA2PxWEnWD:UF+ATCNmVjj8poIPxtPxoD
MD5:	EC59E06851E742F8415BB1C3C66AE993
SHA1:	EE7C03D70621CE17B6C020932A38ADCC5B08D84A
SHA-256:	19ACE66BDC06055E281DAD38D862612D2DFE2B6F05D273639E65D4CCDA7530DB
SHA-512:	3A1C7ABFCAC696C42E203378E9E576B7B24F79C0B2A545C51BCB513092E80D260A649DD359EA07CA342BBC6CF209306A630A040648CE4B3F46E2C472A0ABA10A
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........HeGK)..K)..K)..}...J)...5.._)..BQ..J)..)6..N)..K)...)..}...u)......J)..RichK)..........................PE..L.....M...........!.....P...`...............`......................................Lx...............................k..s...<f..<........................K...........................................................`...............................text....G.......P.................. ..`.rdata..#....`.......`..............@..@.data...`1...p...0...p..............@....reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\runonce.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	31664
Entropy (8bit):	7.115717791943005
Encrypted:	false
SSDEEP:	384:e8PJlt70esj0Mt9vn6ay6MNy6F8E9VF3ZJ5Px+nh5ZsHLwaqaPxh8E9VF0NyV2UZ:e+qesjRL67CErPxFcaPxWETpp
MD5:	BC86B4F2A493162CC45D32188ED6C8C7
SHA1:	D828F960EF068338CB988DBA99C81E824D79D3A2
SHA-256:	474266DEBBF0C41E6B66E5F90581A4640F51688135D2B42C0A7F5080D3153EB1
SHA-512:	CD8783E60A44DEFCC8D30738F13629ED3F76C8837A6A717BB1F9CF6E95808BEB721A392EAB446BB7A3E6BAD67384E4D47D6CFCF90634CA94FEAB0B10B11D5EFC
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L....~.\...........!....."...........).......@...............................p.......g....@..........................B.......@..P....................0...K...`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\nsExec.dll

Download File

Process:	C:\Users\user\Desktop\runonce.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	26032
Entropy (8bit):	7.1739276231495674
Encrypted:	false
SSDEEP:	384:OwbogBz5N66IuGgmkNdNy6F8E9VF3ZJ5PxKe5h5ZsHLodPxh8E9VF0NyyTk:n9cuGLklCErPxpeoPxWEAI
MD5:	1CFC262CCBC117FEEBB7B84FB9488D0C
SHA1:	49B8E5061FD5F940761CB4BC814553EF2729223E
SHA-256:	C52A43D96AF1F31C74696DE1E1971E437B97DFB69C702E6F48F163EA157DB079
SHA-512:	34F210722DB6C99D958FC91D1637D5B456D2BEB0835284B1F1441FF2DC0FCD342E54C9D1A032E9A9258D432450FD2A8A75E79AAB0D5D30B652363655D4CE2D36
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: , Detection: malicious, Browse
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................,..................Rich...........PE..L....~.\...........!......................... ...............................P............@..........................$..l.... ..P........................K...@....................................................... ...............................text............................... ..`.rdata..L.... ......................@..@.data........0......................@....reloc.......@......................@..B................................................................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.9963964985243905
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	runonce.exe
File size:	40'855'120 bytes
MD5:	346e10b2e65680b29fdd16131dbf12ba
SHA1:	51c7d3e93eb83f9474d4c3cbb5c3ac40cea40355
SHA256:	0e8dfe0ae97133bf844939886a773489d1b21e520689d38ca7be105d4f832ad6
SHA512:	df72f3169230476a45fe4035c7ceb5e36f66f4a4903de88c9c1119d39cb6a9a3162172cb6137469c21bbd002f92d567f0a08713fa869cf0cec997a7aee27905f
SSDEEP:	786432:FYuteBzK4B+5JbbhUQ8xigFJnTRQmZE6b2oFwWqa71SHll9FeuRLNtot2Dqq1+qA:FYuoJWF9Enem3b5SFl9FeuK
TLSH:	7297332E9544A56EEB4EBB3401A0FDB8C35A7C1EF958BC793D24F44468F63E2430D692
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...l..d.................j.........

File Icon


Icon Hash:	8021c2d8da823100

Static PE Info

General

Entrypoint:	0x403532
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A0DC6C [Sun Jul 2 02:09:48 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Authenticode Signature

Signature Valid:	true
Signature Issuer:	CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	30/03/2023 02:00:00 16/04/2026 01:59:59
Subject Chain	CN=IndiLogic LLC, O=IndiLogic LLC, L=Pflugerville, S=Texas, C=US, SERIALNUMBER=801559456, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=Texas, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	836850D4406BE5F77C86821943C953B2
Thumbprint SHA-1:	02FF05422A368811E5DEDF3BB3510D1592125B61
Thumbprint SHA-256:	DCF1A6EE23829CF8310F539EE038911DE5A5206F42E1DA067B99BA14CE327F7B
Serial:	03F2B43C723D66131CB16C806393A7F0

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007F138529A3AAh
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007F138529A378h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [004347B8h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8608	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x6b000	0x6b238	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x26f3cd8	0x2978
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x68d8	0x6a00	742185983fa6320c910f81782213e56f	False	0.6695165094339622	data	6.478461709868021	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1464	0x1600	a995b118b38426885fc6ccaa984c8b7a	False	0.4314630681818182	data	4.969091535632612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2a818	0x600	9a9bf385a30f1656fc362172b16d9268	False	0.5247395833333334	data	4.172601271908501	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x36000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x6b000	0x6b238	0x6b400	42f71deb3a31dcda02e7ea94c58d3e0f	False	0.1150181199009324	data	4.670569872110054	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x6b508	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	English	United States	0.12108693079267391
RT_ICON	0xad530	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.08897728617059032
RT_ICON	0xbdd58	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 38016	English	United States	0.08681942400672693
RT_ICON	0xc7200	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.0966728280961183
RT_ICON	0xcc688	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.09754369390647143
RT_ICON	0xd08b0	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.1212655601659751
RT_ICON	0xd2e58	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.15337711069418386
RT_ICON	0xd3f00	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.21475409836065573
RT_ICON	0xd4888	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.26684397163120566
RT_DIALOG	0xd4cf0	0x200	data	English	United States	0.3984375
RT_DIALOG	0xd4ef0	0xf8	data	English	United States	0.6290322580645161
RT_DIALOG	0xd4fe8	0xd4	data	English	United States	0.5990566037735849
RT_DIALOG	0xd50c0	0xee	data	English	United States	0.6302521008403361
RT_DIALOG	0xd51b0	0x1ec	data	English	United States	0.3861788617886179
RT_DIALOG	0xd53a0	0xe4	data	English	United States	0.6359649122807017
RT_DIALOG	0xd5488	0xc0	data	English	United States	0.5885416666666666
RT_DIALOG	0xd5548	0xda	data	English	United States	0.6467889908256881
RT_DIALOG	0xd5628	0x1f0	data	English	United States	0.3911290322580645
RT_DIALOG	0xd5818	0xe8	data	English	United States	0.6508620689655172
RT_DIALOG	0xd5900	0xc4	data	English	United States	0.6020408163265306
RT_DIALOG	0xd59c8	0xde	data	English	United States	0.6621621621621622
RT_GROUP_ICON	0xd5aa8	0x84	data	English	United States	0.7196969696969697
RT_VERSION	0xd5b30	0x2d4	data	English	United States	0.44751381215469616
RT_MANIFEST	0xd5e08	0x42e	XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators	English	United States	0.5130841121495328

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	08:45:06
Start date:	28/10/2024
Path:	C:\Users\user\Desktop\runonce.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\runonce.exe"
Imagebase:	0x400000
File size:	40'855'120 bytes
MD5 hash:	346E10B2E65680B29FDD16131DBF12BA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	08:45:06
Start date:	28/10/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic /NAMESPACE:\\root\CIMV2 path Win32_BIOS get Manufacturer
Imagebase:	0x1c0000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	08:45:06
Start date:	28/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	16.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.4%
Total number of Nodes:	1334
Total number of Limit Nodes:	19

Executed Functions

Function 00403532 Relevance: 79.2, APIs: 33, Strings: 12, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403555
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 00403580
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 00403593
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 0040362C
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403669
OleInitialize.OLE32(00000000), ref: 00403670
SHGetFileInfoW.SHELL32(0042AA28,00000000,?,000002B4,00000000), ref: 0040368F
GetCommandLineW.KERNEL32(00433700,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004036A4
CharNextW.USER32(00000000,0043F000,00000020,0043F000,00000000,?,00000008,0000000A,0000000C), ref: 004036DD
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403815
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403826
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403832
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403846
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040384E
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040385F
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403867
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040387B
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0043F000,00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403954

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

wsprintfW.USER32 ref: 004039B1
GetFileAttributesW.KERNEL32(00437800,C:\Users\user\AppData\Local\Temp\), ref: 004039E4
DeleteFileW.KERNEL32(00437800), ref: 004039F0
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 00403A1E

Part of subcall function 00406317: MoveFileExW.KERNEL32(?,?,00000005,00405E15,?,00000000,000000F1,?,?,?,?,?), ref: 00406321

CopyFileW.KERNEL32(C:\Users\user\Desktop\runonce.exe,00437800,00000001,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403A34

Part of subcall function 00405B3A: CreateProcessW.KERNEL32(00000000,00437800,00000000,00000000,00000000,04000000,00000000,00000000,0042FA70,?,?,?,00437800,?), ref: 00405B63
Part of subcall function 00405B3A: CloseHandle.KERNEL32(?,?,?,00437800,?), ref: 00405B70

Part of subcall function 004068B4: FindFirstFileW.KERNELBASE(75923420,0042FAB8,C:\,00405F77,C:\,C:\,00000000,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
Part of subcall function 004068B4: FindClose.KERNELBASE(00000000), ref: 004068CB

ExitProcess.KERNEL32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A7D
CoUninitialize.COMBASE(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A82
ExitProcess.KERNEL32 ref: 00403A9F
CloseHandle.KERNEL32(00000000,00438000,00438000,?,00437800,00000000), ref: 00403AA6
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403AC2
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403AC9
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403ADE
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403B01
ExitWindowsEx.USER32(00000002,80040002), ref: 00403B26
ExitProcess.KERNEL32 ref: 00403B49

Part of subcall function 00405B05: CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B

Strings

Error launching installer, xrefs: 004038FD
1033, xrefs: 00403876
C:\Users\user\Desktop\runonce.exe, xrefs: 00403A2F
UXTHEME, xrefs: 00403620, 00403625, 0040362B
C:\Users\user\AppData\Local\Temp\, xrefs: 0040380A, 0040380F, 00403825, 00403831, 00403840, 0040384D, 00403859, 00403861, 0040394F, 004039D0, 004039FC, 00403A1D, 00403A26
NSIS Error, xrefs: 00403695
TEMP, xrefs: 0040385A
\Temp, xrefs: 0040382C
SeShutdownPrivilege, xrefs: 00403AD8
TMP, xrefs: 00403862
~nsu%X.tmp, xrefs: 004039A8
Low, xrefs: 00403848

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: File$Process$Exit$CloseDirectory$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: 1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\runonce.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 2017177436-826633580
Opcode ID: ecd133bdca3a5f08cefff4cdf30355b9140becdcd9c01b372e8bc1a196a9c516
Instruction ID: 6c1349364f4d22fadfcc29bbd5f82b0434b4f5ba6e08f6571c64e8404a3f48da
Opcode Fuzzy Hash: ecd133bdca3a5f08cefff4cdf30355b9140becdcd9c01b372e8bc1a196a9c516
Instruction Fuzzy Hash: 64F10270604301ABD320AF659D45B2B7AE8EF8570AF10483EF581B22D1DB7DDA45CB6E

Function 00405C63 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,75923420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405C8C
lstrcatW.KERNEL32(0042EA70,\*.*,0042EA70,?,?,75923420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405CD4
lstrcatW.KERNEL32(?,0040A014,?,0042EA70,?,?,75923420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405CF7
lstrlenW.KERNEL32(?,?,0040A014,?,0042EA70,?,?,75923420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405CFD
FindFirstFileW.KERNELBASE(0042EA70,?,?,?,0040A014,?,0042EA70,?,?,75923420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405D0D
FindNextFileW.KERNELBASE(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405DAD
FindClose.KERNEL32(00000000), ref: 00405DBC

Strings

\*.*, xrefs: 00405CCE
pB, xrefs: 00405CBC
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C70

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: C:\Users\user\AppData\Local\Temp\$\*.*$pB
API String ID: 2035342205-1746305512
Opcode ID: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
Instruction ID: 3df5019795aaf58f6817f8e3609a5bcb0d9fa216103f8ca083ea3247371bac5c
Opcode Fuzzy Hash: bc80552e2adf98b6cbbc0c73f9d9449be503fe2b945a8ee0ce3316eb6b08af02
Instruction Fuzzy Hash: 2441B231400A14BADB21BB65DC8DAAF7678EF81714F24813BF801B11D1DB7C4A81DEAE

Function 004068B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindFirstFileW.KERNELBASE(75923420,0042FAB8,C:\,00405F77,C:\,C:\,00000000,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 004068BF
FindClose.KERNELBASE(00000000), ref: 004068CB

Strings

C:\, xrefs: 004068B4

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
Instruction ID: 0f602bcf77736d61886636fd33b874369bd8b56ce32760b4adaf045605f9a717
Opcode Fuzzy Hash: d8a05a579feb8caf00dd3d3e1258ef949bc643ef28fd0ab534c34ddbe61a4aed
Instruction Fuzzy Hash: 24D012725161309BC2406738AD0C84B7B58AF15331751CA37F56BF21E0D7348C6387A9

Function 00403C29 Relevance: 40.5, APIs: 13, Strings: 10, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040694B: GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
Part of subcall function 0040694B: GetProcAddress.KERNEL32(00000000,?), ref: 00406978

lstrcatW.KERNEL32(1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,75923420,C:\Users\user\AppData\Local\Temp\,00000000,0043F000,00008001), ref: 00403CAA
lstrlenW.KERNEL32(004326A0,?,?,?,004326A0,00000000,0043F800,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000,00000002,75923420), ref: 00403D2A
lstrcmpiW.KERNEL32(00432698,.exe,004326A0,?,?,?,004326A0,00000000,0043F800,1033,0042CA68,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042CA68,00000000), ref: 00403D3D
GetFileAttributesW.KERNEL32(004326A0), ref: 00403D48
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,0043F800), ref: 00403D91

Part of subcall function 0040649E: wsprintfW.USER32 ref: 004064AB

RegisterClassW.USER32(004336A0), ref: 00403DCE
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DE6
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403E1B
ShowWindow.USER32(00000005,00000000), ref: 00403E51
GetClassInfoW.USER32(00000000,RichEdit20W,004336A0), ref: 00403E7D
GetClassInfoW.USER32(00000000,RichEdit,004336A0), ref: 00403E8A
RegisterClassW.USER32(004336A0), ref: 00403E93
DialogBoxParamW.USER32(?,00000000,00403FD7,00000000), ref: 00403EB2

Strings

RichEdit20W, xrefs: 00403E75, 00403E7B
1033, xrefs: 00403C49, 00403CA5
Control Panel\Desktop\ResourceLocale, xrefs: 00403C5D
C:\Users\user\AppData\Local\Temp\, xrefs: 00403C2E
RichEdit, xrefs: 00403E84
.DEFAULT\Control Panel\International, xrefs: 00403C95
RichEd20, xrefs: 00403E57
RichEd32, xrefs: 00403E65
.exe, xrefs: 00403D37
_Nb, xrefs: 00403DAD, 00403E15

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-1629884446
Opcode ID: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
Instruction ID: b78af383561608ccb802af496d710159af2d94eef556b4765221653e5b422f1b
Opcode Fuzzy Hash: bbb1e3748a54a273649d0fbd54a0890110e87f86c4ca5900aa60a5a95311a30e
Instruction Fuzzy Hash: 9F61C270100640BED220AF66ED46F2B3A6CEB85B5AF50013FF945B62E2DB7C59418B6D

Function 00403082 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403093
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\runonce.exe,00000400), ref: 004030AF

Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\runonce.exe,80000000,00000003), ref: 0040604B
Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,00440800,00440800,C:\Users\user\Desktop\runonce.exe,C:\Users\user\Desktop\runonce.exe,80000000,00000003), ref: 004030FB
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403231

Strings

Error launching installer, xrefs: 004030D2
C:\Users\user\Desktop\runonce.exe, xrefs: 00403099, 004030A8, 004030BC, 004030DC
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403258
Null, xrefs: 00403179
C:\Users\user\AppData\Local\Temp\, xrefs: 00403089
soft, xrefs: 00403170
Inst, xrefs: 00403167

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop\runonce.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-2466281613
Opcode ID: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
Instruction ID: 68b8bf8592918c5e7f10339d86c9767fe938295b8d0ed8def850c2c8f1d184f5
Opcode Fuzzy Hash: 4024c06592b314d40f0961ad518ac7c722ea73bb9c6d843fd25d11ff0f4bc292
Instruction Fuzzy Hash: 8251A071A00204ABDB20AF65DD85B9E7EACEB49356F10417BF900B62D1C77C9F408BAD

Function 004032B9 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403323
GetTickCount.KERNEL32 ref: 004033CA
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033F3
wsprintfW.USER32 ref: 00403406

Strings

... %d%%, xrefs: 00403400
*B, xrefs: 004032E4
A, xrefs: 00403379
A, xrefs: 00403483

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: *B$ A$ A$... %d%%
API String ID: 551687249-3485722521
Opcode ID: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
Instruction ID: 982be0e2f69b4341102b9ffd21d6361bbd2cc6e706b5ad6adcc0aeecd99e7a45
Opcode Fuzzy Hash: b04dab49cf37ea20022f46a8b7c81c1884779548b4bab61156e959bad0df676f
Instruction Fuzzy Hash: 1A516F71910219EBCB11CF65DA44B9E7FB8AF04756F10827BE814BB2D1C7789A40CB99

Function 00401774 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Write,00440000,?,?,00000031), ref: 004017B5
CompareFileTime.KERNEL32(-00000014,?,Write,Write,00000000,00000000,Write,00440000,?,?,00000031), ref: 004017DA

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

Part of subcall function 004055DC: lstrlenW.KERNEL32(0042BA48,00000000,?,759223A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,0042BA48,00000000,?,759223A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(0042BA48,0040341D,0040341D,0042BA48,00000000,?,759223A0), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Strings

C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\LogEx.dll, xrefs: 0040183A, 00401856
Write, xrefs: 00401792, 0040179B, 004017A8, 004017BA, 004017C6, 004017FC, 00401812, 00401830, 0040186C, 004018ED, 004018F6, 00401900, 0040190B
NNLSG, xrefs: 00401826, 00401844

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\LogEx.dll$NNLSG$Write
API String ID: 1941528284-1060662145
Opcode ID: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
Instruction ID: f3bec3fd9c2ad120a03a9c06557e7274b723a0da437845685234e4033458a62e
Opcode Fuzzy Hash: 5d94e8e5950a8b2ff13ebbfcdf8ec3f64fd71dec5ee91277c9a67e4679359a3d
Instruction Fuzzy Hash: 0B419471800108BACB11BFA5DD85DBE76B9EF45328B21423FF412B10E2DB3C8A519A2D

Function 004068DB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
wsprintfW.USER32 ref: 0040692D
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941

Strings

UXTHEME, xrefs: 004068E4
%s%S.dll, xrefs: 00406927

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: a217f45d9ff01499786c61cea798a126a457230594f844882b590dd92c6ddc53
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 69F0F671501219A6CF14BB68DD0DF9B376CAB40304F21447AA646F20E0EB789B69CBA8

Function 00405F2E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406557: lstrcpynW.KERNEL32(?,?,00000400,004036A4,00433700,NSIS Error,?,00000008,0000000A,0000000C), ref: 00406564

Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\,?,00405F45,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75923420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405EDF
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC

lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75923420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405F87
GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75923420,C:\Users\user\AppData\Local\Temp\), ref: 00405F97

Strings

C:\, xrefs: 00405F34, 00405F39, 00405F3F, 00405F80, 00405F86, 00405F8E, 00405F96
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F2E

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-1964270705
Opcode ID: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
Instruction ID: 0bce86d1d95a7c790b53086ee47358a3377499fb664fcb231eb74dc800c81f90
Opcode Fuzzy Hash: 7c21406a6ebf8fc224ae0ccc6b020e70a1639b7280e68367676f2d78d50147cb
Instruction Fuzzy Hash: 7AF0F43A105E1269D622733A5C09AAF1555CE86360B5A457BFC91B22C6CF3C8A42CCBE

Function 00406076 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406094
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403530,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C), ref: 004060AF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040607B
nsa, xrefs: 00406083

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-44229769
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 86e06e500a6970b3bc5bd370241205c1b86a0a172d82c816bfbfc8c597d973d5
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: 65F09076B50204FBEB10CF69ED05F9EB7ACEB95750F11803AED05F7240E6B099548768

Function 00403B94 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FreeLibrary.KERNELBASE(?,75923420,00000000,C:\Users\user\AppData\Local\Temp\,00403B6C,00403A82,?,?,00000008,0000000A,0000000C), ref: 00403BAE
GlobalFree.KERNEL32(?), ref: 00403BB5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403B94

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-823278215
Opcode ID: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
Instruction ID: cb28855b84c3abb27e6c937247341fa4f051846acd49e0d4b6103447305c23c4
Opcode Fuzzy Hash: 522759d04011631da2fa13ba2704cf46823a2ab452b41ebb0ecea140ccdeae61
Instruction Fuzzy Hash: 5DE0C23362083097C6311F55EE04B1A7778AF89B2AF01402AEC407B2618B74AC538FCC

Function 004020DD Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402108

Part of subcall function 004055DC: lstrlenW.KERNEL32(0042BA48,00000000,?,759223A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
Part of subcall function 004055DC: lstrlenW.KERNEL32(0040341D,0042BA48,00000000,?,759223A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
Part of subcall function 004055DC: lstrcatW.KERNEL32(0042BA48,0040341D,0040341D,0042BA48,00000000,?,759223A0), ref: 00405637
Part of subcall function 004055DC: SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
Part of subcall function 004055DC: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
Part of subcall function 004055DC: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
Part of subcall function 004055DC: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402119
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402196

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
Instruction ID: 3664ba2fa099400b069473e4dbd5787d756d46fb785c5e03f539e90392346bbf
Opcode Fuzzy Hash: 675ba370df0aff6a88f198f51fec383e6e490030c952a3077ac8e14d7d31a15f
Instruction Fuzzy Hash: C9219231904108BADF11AFA5CF49A9D7A71FF84358F20413FF201B91E1CBBD8982AA5D

Function 00405C1B Relevance: 4.5, APIs: 3, Instructions: 28
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406022: GetFileAttributesW.KERNELBASE(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
Part of subcall function 00406022: SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040603B

RemoveDirectoryW.KERNELBASE(?,?,?,00000000,00405DFD), ref: 00405C36
DeleteFileW.KERNELBASE(?,?,?,00000000,00405DFD), ref: 00405C3E
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405C56

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: File$Attributes$DeleteDirectoryRemove
String ID:
API String ID: 1655745494-0
Opcode ID: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
Instruction ID: 2cd832b5149a82f614695d38d41b3aba95dfe4f26efc6ce9164d7e3db346642e
Opcode Fuzzy Hash: db7f6541ced3958ca03b9484ad33d053af3f68eb31512009fba6ce163230055c
Instruction Fuzzy Hash: 9AE02B3110D7915AE32077705E0CB5F2AD8DF86324F05093AF492F10C0DB78488A8A7E

Function 004015C6 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00405ED1: CharNextW.USER32(?,?,C:\,?,00405F45,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75923420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405EDF
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EE4
Part of subcall function 00405ED1: CharNextW.USER32(00000000), ref: 00405EFC

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F

Part of subcall function 00405AAB: CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405AED

SetCurrentDirectoryW.KERNEL32(?,00440000,?,00000000,000000F0), ref: 00401652

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID:
API String ID: 1892508949-0
Opcode ID: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
Instruction ID: 6fd3d265dcb44280b24f8e6f21651466162e19908bb00ba525d5af3adea1cd3c
Opcode Fuzzy Hash: 6eb1be088149721894534dc5ef05b39002eda9ec2efe8824e8f1ae211de42d0c
Instruction Fuzzy Hash: F211E231404104ABCF206FA5CD0159F36B0EF04368B25493FE945B22F1DA3D4A81DA5E

Function 0040252F Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402560
RegCloseKey.ADVAPI32(?,?,?,NNLSG,00000000,00000011,00000002), ref: 00402602

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: de231594f5fd9ed2f3d170b787f0c7ae88dddfe38e809d01203d2a2c86ad2b9e
Instruction ID: fa4e9c421320e09d3f2bb14c05bc69cdd2f01bdd483ca55c6e8c3e2e171c6fbc
Opcode Fuzzy Hash: de231594f5fd9ed2f3d170b787f0c7ae88dddfe38e809d01203d2a2c86ad2b9e
Instruction Fuzzy Hash: 11116A71900219EBDB14DFA0DA989AEB7B4FF04349B20447FE406B62C0D7B85A45EB5E

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
Instruction ID: 0adee223d2b7ba7d815a442a2885e1f2b60e3b86eb1a18037e9b6c54a102055c
Opcode Fuzzy Hash: a48e27458ca857e7bf1c95edfaa4f4fc3f64b4f364872359a8149092e2b898a4
Instruction Fuzzy Hash: 0E01FF31620220AFE7195B389E05B6B3698E710329F10863FF851F62F1EA78DC429B4C

Function 00405AAB Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00437800,?), ref: 00405AED
GetLastError.KERNEL32 ref: 00405AFB

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction ID: ed7a645988c2e2a06802fdc928ba12763e2e88a5fcf473fdfb2f1107ef0c66eb
Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction Fuzzy Hash: 56F0F970D0060DDBDB00CFA4C5497DFBBB4AB04305F00812AD545B6281D7B95248CBA9

Function 0040694B Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403642,0000000C,?,?,?,?,?,?,?,?), ref: 0040695D
GetProcAddress.KERNEL32(00000000,?), ref: 00406978

Part of subcall function 004068DB: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068F2
Part of subcall function 004068DB: wsprintfW.USER32 ref: 0040692D
Part of subcall function 004068DB: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 00406941

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction ID: ff64ee7455e026c1647d72c339307a336527f79dacb59e64982fca04d7429b22
Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction Fuzzy Hash: 38E08673504210AFD61057705D04D27B3A89F85740302443EF946F2140DB34DC32ABA9

Function 00406047 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\runonce.exe,80000000,00000003), ref: 0040604B
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Function 00406022 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405C27,?,?,00000000,00405DFD,?,?,?,?), ref: 00406027
SetFileAttributesW.KERNELBASE(?,00000000), ref: 0040603B

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction ID: 97cbb32404f08d1f6fed837f871d2b37f55cf766f9720be9b575451f5cdabe77
Opcode Fuzzy Hash: bc30e5c928ed30f9cb3e730bb3a024ff28878b527ec9bdb2640fa07c227b463d
Instruction Fuzzy Hash: A3D0C972504220AFC2102728AE0889BBB55EB542717028A35FCA9A22B0CB304CA68694

Function 00403B4F Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 11COMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(FFFFFFFF,00403A82,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403B5A

Strings

C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\, xrefs: 00403B6E

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: CloseHandle
String ID: C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\
API String ID: 2962429428-2104086021
Opcode ID: ae973bb0dca4e4815b90d97470301ae31a1ae4600fd43aa67c366af3984d4a62
Instruction ID: 69482a2579ef2b85c2ad9764c5c762c9eb4f19b2fcf4b87e51b14fafea8afdc0
Opcode Fuzzy Hash: ae973bb0dca4e4815b90d97470301ae31a1ae4600fd43aa67c366af3984d4a62
Instruction Fuzzy Hash: EDC0123090470496F1206F79AE8FA153A64574073DBA48726B0B8B10F3CB7C5659555D

Function 00405B05 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403525,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405B0B
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405B19

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: 8c4969e502f5bc4c8dfdefb7e9c2ba363b64d1215f12130c86bef4ebeef6f559
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 19C08C30310902DACA802B209F087173960AB80340F158439A683E00B4CA30A065C92D

Function 004060CA Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034E7,00000000,00000000,0040330B,000000FF,00000004,00000000,00000000,00000000), ref: 004060DE

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: a77d82ba430c16999eb1f2306cb11816df14181100402a9e04059793f1b3015d
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 21E08632150219ABCF10DF948C00EEB3B9CFF04390F018436FD11E3040D630E92197A4

Function 004060F9 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040349D,00000000,0041EA20,000000FF,0041EA20,000000FF,000000FF,00000004,00000000), ref: 0040610D

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: 78408803ccc59d93ae5352641a5e7b8f709900c8df5e8e9e13d69f82a1dcf02f
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: 8FE08C3220021ABBCF109E908C00EEB3FACEB003A0F014432FA26E6050D670E83097A4

Function 00405BB7 Relevance: 1.5, APIs: 1, Instructions: 21windowCOMMON

Download Yara Rule

APIs

MessageBoxIndirectW.USER32(0040A3B0), ref: 00405C12

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: IndirectMessage
String ID:
API String ID: 1874166685-0
Opcode ID: 49056a94db685a7e6e8e371eb5eb9c62a0f77d6887f77aab2986bc6a9fcb55c2
Instruction ID: 0544aaf5cdacc2413b7ec3f635adb62dd37cf0f8c8cd843599ec734240c2006d
Opcode Fuzzy Hash: 49056a94db685a7e6e8e371eb5eb9c62a0f77d6887f77aab2986bc6a9fcb55c2
Instruction Fuzzy Hash: CAF0F2755243048FC354CF58EA597563BE1F38A320F10613EEA41A23A0C778A4A8CF4E

Function 004063C4 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,0042BA48,00000000,00000000,00000032,?,00000000,?,00406452,?,0042BA48,004326A0,004326A0,004326A0,?,00000000), ref: 004063E8

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: e31b8ecfa4924c4a0859a1c58e61cb12282203f41ec30ad4fda9f6d7c72ae418
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: 68D0123200020DBBDF115E91ED01FAB3B1DAB08310F014426FE16E5091D776D570A764

Function 004034EA Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034F8

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Non-executed Functions

Function 0040571B Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405779
GetDlgItem.USER32(?,000003EE), ref: 00405788
GetClientRect.USER32(?,?), ref: 004057C5
GetSystemMetrics.USER32(00000002), ref: 004057CC
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057ED
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057FE
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 00405811
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 0040581F
SendMessageW.USER32(?,00001024,00000000,?), ref: 00405832
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 00405854
ShowWindow.USER32(?,00000008), ref: 00405868
GetDlgItem.USER32(?,000003EC), ref: 00405889
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405899
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 004058B2
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 004058BE
GetDlgItem.USER32(?,000003F8), ref: 00405797

Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

GetDlgItem.USER32(?,000003EC), ref: 004058DB
CreateThread.KERNEL32(00000000,00000000,Function_000056AF,00000000), ref: 004058E9
CloseHandle.KERNEL32(00000000), ref: 004058F0
ShowWindow.USER32(00000000), ref: 00405914
ShowWindow.USER32(?,00000008), ref: 00405919
ShowWindow.USER32(00000008), ref: 00405963
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405997
CreatePopupMenu.USER32 ref: 004059A8
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 004059BC
GetWindowRect.USER32(?,?), ref: 004059DC
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059F5
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A2D
OpenClipboard.USER32(00000000), ref: 00405A3D
EmptyClipboard.USER32 ref: 00405A43
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A4F
GlobalLock.KERNEL32(00000000), ref: 00405A59
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A6D
GlobalUnlock.KERNEL32(00000000), ref: 00405A8D
SetClipboardData.USER32(0000000D,00000000), ref: 00405A98
CloseClipboard.USER32 ref: 00405A9E

Strings

{, xrefs: 00405981

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
Instruction ID: 234ab3d0ec1f6487b719ed7b99e1d6b4405f443d9e8d78e252fa94ab3ac4d3a1
Opcode Fuzzy Hash: 6951b3530aa72caf7521df0bf8db88f5d1408e2bb92485539c1303395de87c8c
Instruction Fuzzy Hash: 34B139B1900608FFDB11AF60DD89AAE7B79FB48355F00813AFA41BA1A0C7785A51DF58

Function 004049C7 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404A16
SetWindowTextW.USER32(00000000,?), ref: 00404A40
SHBrowseForFolderW.SHELL32(?), ref: 00404AF1
CoTaskMemFree.OLE32(00000000), ref: 00404AFC
lstrcmpiW.KERNEL32(004326A0,0042CA68,00000000,?,?), ref: 00404B2E
lstrcatW.KERNEL32(?,004326A0), ref: 00404B3A
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B4C

Part of subcall function 00405B9B: GetDlgItemTextW.USER32(?,?,00000400,00404B83), ref: 00405BAE

Part of subcall function 00406805: CharNextW.USER32(?,*?|<>/":,00000000,0043F000,75923420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
Part of subcall function 00406805: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
Part of subcall function 00406805: CharNextW.USER32(?,0043F000,75923420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
Part of subcall function 00406805: CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F

GetDiskFreeSpaceW.KERNEL32(0042AA38,?,?,0000040F,?,0042AA38,0042AA38,?,00000001,0042AA38,?,?,000003FB,?), ref: 00404C0F
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404C2A

Part of subcall function 00404D83: lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
Part of subcall function 00404D83: wsprintfW.USER32 ref: 00404E2D
Part of subcall function 00404D83: SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40

Strings

A, xrefs: 00404AEA

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A
API String ID: 2624150263-3554254475
Opcode ID: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
Instruction ID: 8a45afd3ee22384d80319c7ed67abe130e578f1d2b392c1e8909742cb30e522b
Opcode Fuzzy Hash: aab1ff152b07609d5ccd452d97b16b322b3ddb3b1e57e49f69f3ed37cd316d4d
Instruction Fuzzy Hash: FCA192B1900208ABDB11EFA5DD45BAFB7B8EF84314F11803BF611B62D1D77C9A418B69

Function 004021AF Relevance: 1.6, APIs: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085E8,?,00000001,004085D8,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: CreateInstance
String ID:
API String ID: 542301482-0
Opcode ID: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
Instruction ID: f0c409d0c9855dc16f3492d495f607d4fcaf843261c47ee8c1995525671fe781
Opcode Fuzzy Hash: 54fcaebf65a6d80a769d2ffe25eeb1568fba929b3fba522b5b89cb6b807999ae
Instruction Fuzzy Hash: 76411471A00208AFCB40DFE4C989EAD7BB5FF48308B20457AF515EB2D1DB799982CB54

Function 00402910 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
Instruction ID: 4f8030157269cd498ea314d5a86e386b0cfb994e1dea9c94a4400a3869289cfc
Opcode Fuzzy Hash: f7eec81d6910abfa52e209e80917fba1586809f9bcb970d7ef1d97902b1d379f
Instruction Fuzzy Hash: 17F08C71A04104AAD701EBE4EE499AEB378EF14324F60457BE102F31E0DBB85E159B2A

Function 00406DC6 Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
Instruction ID: a5eb8001d75a17d38d83411349fde439c8a9064fda1b18d7f978e280ae41e255
Opcode Fuzzy Hash: ca9fc840679c4677ea5dd763a2b97f011fd48deb17cd4c9d43ec117c62889360
Instruction Fuzzy Hash: ACE19C71A04709DFCB24CF58C880BAABBF1FF45305F15852EE496A72D1E378AA51CB05

Function 0040759D Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
Instruction ID: e409ec8ffb443055957628c835c79614664982182129ebc37b3e11cb9bcd83e5
Opcode Fuzzy Hash: 5db23d3e625216a1972a1fea7a98b9ee98c1df0b240da8e2d6c4f39054d3f9c6
Instruction Fuzzy Hash: ECC14772E04219CBCF18CF68C4905EEBBB2BF98354F25866AD85677380D7346942CF95

Function 00404F43 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F5B
GetDlgItem.USER32(?,00000408), ref: 00404F66
GlobalAlloc.KERNEL32(00000040,?), ref: 00404FB0
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404FC7
SetWindowLongW.USER32(?,000000FC,00405550), ref: 00404FE0
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FF4
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00405006
SendMessageW.USER32(?,00001109,00000002), ref: 0040501C
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00405028
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 0040503A
DeleteObject.GDI32(00000000), ref: 0040503D
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405068
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00405074
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040510F
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 0040513F

Part of subcall function 0040450B: SendMessageW.USER32(00000028,?,00000001,00404336), ref: 00404519

SendMessageW.USER32(?,00001132,00000000,?), ref: 00405153
GetWindowLongW.USER32(?,000000F0), ref: 00405181
SetWindowLongW.USER32(?,000000F0,00000000), ref: 0040518F
ShowWindow.USER32(?,00000005), ref: 0040519F
SendMessageW.USER32(?,00000419,00000000,?), ref: 0040529A
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052FF
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00405314
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405338
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405358
ImageList_Destroy.COMCTL32(?), ref: 0040536D
GlobalFree.KERNEL32(?), ref: 0040537D
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053F6
SendMessageW.USER32(?,00001102,?,?), ref: 0040549F
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 004054AE
InvalidateRect.USER32(?,00000000,00000001), ref: 004054D9
ShowWindow.USER32(?,00000000), ref: 00405527
GetDlgItem.USER32(?,000003FE), ref: 00405532
ShowWindow.USER32(00000000), ref: 00405539

Strings

N, xrefs: 004051D8
M, xrefs: 004050F7
, xrefs: 00405511

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
Instruction ID: 91097811874ce85ba3cc7540bcf7dd58db25a3d6f071223140e4d1ec27d7ea12
Opcode Fuzzy Hash: 14683326fe5d0e21a3b01d942e888f99a0d9647cceadcd168bf81575faddcc86
Instruction Fuzzy Hash: 6C029C70900608AFDF20DF94DD85AAF7BB5FB85314F10817AE611BA2E1D7798A41CF58

Function 00403FD7 Relevance: 51.4, APIs: 34, Instructions: 357windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00404013
ShowWindow.USER32(?), ref: 00404033
GetWindowLongW.USER32(?,000000F0), ref: 00404045
ShowWindow.USER32(?,00000004), ref: 0040405E
DestroyWindow.USER32 ref: 00404072
SetWindowLongW.USER32(?,00000000,00000000), ref: 0040408B
GetDlgItem.USER32(?,?), ref: 004040AA
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 004040BE
IsWindowEnabled.USER32(00000000), ref: 004040C5
GetDlgItem.USER32(?,00000001), ref: 00404170
GetDlgItem.USER32(?,00000002), ref: 0040417A
SetClassLongW.USER32(?,000000F2,?), ref: 00404194
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041E5
GetDlgItem.USER32(?,00000003), ref: 0040428B
ShowWindow.USER32(00000000,?), ref: 004042AC
EnableWindow.USER32(?,?), ref: 004042BE
EnableWindow.USER32(?,?), ref: 004042D9
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042EF
EnableMenuItem.USER32(00000000), ref: 004042F6
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040430E
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00404321
lstrlenW.KERNEL32(0042CA68,?,0042CA68,00000000), ref: 0040434B
SetWindowTextW.USER32(?,0042CA68), ref: 0040435F
ShowWindow.USER32(?,0000000A), ref: 00404493

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: Window$Item$MessageSendShow$EnableLong$Menu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 1860320154-0
Opcode ID: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
Instruction ID: 911e0a6aef898d83942fe666095560f38e6effa11f08765efd6836b1f10f2e9c
Opcode Fuzzy Hash: df8d1fa02ff149c62ea57a685de79d9d3ef227f732b6982a07419eaff96d62a7
Instruction Fuzzy Hash: 29C1B0B1500204BBDB206F61EE89A2B3A68FB85756F01053EF781B51F0CB3958929B2D

Function 00404695 Relevance: 35.2, APIs: 19, Strings: 1, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404733
GetDlgItem.USER32(?,000003E8), ref: 00404747
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404764
GetSysColor.USER32(?), ref: 00404775
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00404783
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00404791
lstrlenW.KERNEL32(?), ref: 00404796
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004047A3
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004047B8
GetDlgItem.USER32(?,0000040A), ref: 00404811
SendMessageW.USER32(00000000), ref: 00404818
GetDlgItem.USER32(?,000003E8), ref: 00404843
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404886
LoadCursorW.USER32(00000000,00007F02), ref: 00404894
SetCursor.USER32(00000000), ref: 00404897
LoadCursorW.USER32(00000000,00007F00), ref: 004048B0
SetCursor.USER32(00000000), ref: 004048B3
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048E2
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048F4

Strings

N, xrefs: 00404831

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: N
API String ID: 3103080414-1130791706
Opcode ID: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
Instruction ID: 3ad42440e7936429012ccc374b67200ab01768f99e4ad58672f49272ac14a637
Opcode Fuzzy Hash: 04e13e5971a3aaf2d7c3f6bec99ed017c89c89abbf6057be99a5caf0d4384f9a
Instruction Fuzzy Hash: 2E6181B1900209BFDB10AF60DD85EAA7B69FB84315F00853AFA05B62D0C779A951DF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433700,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction ID: eca0ad76d85821e0a7fbe67f508e5060b260b918cc65b70bf06bca200ae74670
Opcode Fuzzy Hash: f8b3db801d2c504d9e2de6f85bac4b8fdc05036872983a9c428bf394377a2a15
Instruction Fuzzy Hash: 2F418B71800209AFCB058FA5DE459AFBFB9FF45314F00802EF591AA1A0C738EA54DFA4

Function 0040619D Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406338,?,?), ref: 004061D8
GetShortPathNameW.KERNEL32(?,00430108,00000400), ref: 004061E1

Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
Part of subcall function 00405FAC: lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE

GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 004061FE
wsprintfA.USER32 ref: 0040621C
GetFileSize.KERNEL32(00000000,00000000,00430908,C0000000,00000004,00430908,?,?,?,?,?), ref: 00406257
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406266
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 0040629E
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,0042FD08,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062F4
GlobalFree.KERNEL32(00000000), ref: 00406305
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 0040630C

Part of subcall function 00406047: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\runonce.exe,80000000,00000003), ref: 0040604B
Part of subcall function 00406047: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 0040606D

Strings

[Rename], xrefs: 00406286, 00406298
%ls=%ls, xrefs: 00406212

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
Instruction ID: 2f157a22eecee44515c187ff3daf75b9e7e255f904fde787f0dd9ddf92a1116e
Opcode Fuzzy Hash: 7d01897451b1442b79f1fbad31b5db9882c2a06ae1a72dd2fb598b53c99231a5
Instruction Fuzzy Hash: C9312271200315BBD2206B619D49F2B3A5CEF85718F16043EFD42FA2C2DB7D99258ABD

Function 00406594 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 204stringCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(004326A0,00000400), ref: 004066B6
GetWindowsDirectoryW.KERNEL32(004326A0,00000400,00000000,0042BA48,?,?,00000000,00000000,?,759223A0), ref: 004066CC
SHGetPathFromIDListW.SHELL32(00000000,004326A0), ref: 0040672A
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 00406733
lstrcatW.KERNEL32(004326A0,\Microsoft\Internet Explorer\Quick Launch,00000000,0042BA48,?,?,00000000,00000000,?,759223A0), ref: 0040675E
lstrlenW.KERNEL32(004326A0,00000000,0042BA48,?,?,00000000,00000000,?,759223A0), ref: 004067B8

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406687
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406758

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4024019347-730719616
Opcode ID: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction ID: fc62ecdfc612bfadb4c03fc2fb2820e4449372332e166df7cb208319b666a0da
Opcode Fuzzy Hash: 2066e1c471d7490a15c1c198898eb18b068b97d6eda6cad4e7272ae8e9db0920
Instruction Fuzzy Hash: 7D612571A046009BD720AF24DD84B6A76E8EF95328F16053FF643B32D0DB7C9961875E

Function 0040453D Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040455A
GetSysColor.USER32(00000000), ref: 00404598
SetTextColor.GDI32(?,00000000), ref: 004045A4
SetBkMode.GDI32(?,?), ref: 004045B0
GetSysColor.USER32(?), ref: 004045C3
SetBkColor.GDI32(?,?), ref: 004045D3
DeleteObject.GDI32(?), ref: 004045ED
CreateBrushIndirect.GDI32(?), ref: 004045F7

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: 069c4eaec478219780f05c004fc5973679282d3c2eb16bc8cec9dcb23997e36d
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: 592151B1500704ABCB20DF68DE08A5B7BF8AF41714B05892EEA96A22E0D739E944CF54

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 0040275D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
SetFilePointer.KERNEL32(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1

Part of subcall function 00406128: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 0040613E

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D

Strings

9, xrefs: 00402740

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
Instruction ID: e892b7cb172a86a35cdf2d5061c859a119b49b65f2ae0b0c69c9b35c58dd84de
Opcode Fuzzy Hash: 6186ba75392568282b6731289b87e01334a0414050beb0dbbc28c320faadcf08
Instruction Fuzzy Hash: F151FB75D0411AABDF24DFD4CA85AAEBBB9FF04344F10817BE901B62D0D7B49D828B58

Function 004055DC Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042BA48,00000000,?,759223A0,?,?,?,?,?,?,?,?,?,0040341D,00000000,?), ref: 00405614
lstrlenW.KERNEL32(0040341D,0042BA48,00000000,?,759223A0,?,?,?,?,?,?,?,?,?,0040341D,00000000), ref: 00405624
lstrcatW.KERNEL32(0042BA48,0040341D,0040341D,0042BA48,00000000,?,759223A0), ref: 00405637
SetWindowTextW.USER32(0042BA48,0042BA48), ref: 00405649
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040566F
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405689
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405697

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction ID: 906fe2e33ec339045028823105f1a28636d6cdc7c4a53a0106b9bb612f22f5f3
Opcode Fuzzy Hash: 7a9b63bfacfea3e7ee08c26d0c930c27eafc8712a75251909ef17a9a102c325c
Instruction Fuzzy Hash: 9121A171900158BACB119F65DD449CFBFB4EF45350F50843AF508B62A0C3794A50CFA8

Function 00406805 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,0043F000,75923420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00406868
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406877
CharNextW.USER32(?,0043F000,75923420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040687C
CharPrevW.USER32(?,?,75923420,C:\Users\user\AppData\Local\Temp\,00000000,0040350D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 0040688F

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00406806
*?|<>/":, xrefs: 00406857

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1201062745
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: fa9c0ef9ae643832d728fa0671e6943ea0b093c18f887e6db6f7fe1f852dcfd9
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: F111932780221299DB303B148C40E7766E8AF54794F52C43FED8A722C0F77C4C9286AD

Function 00404E91 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404EAC
GetMessagePos.USER32 ref: 00404EB4
ScreenToClient.USER32(?,?), ref: 00404ECE
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EE0
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404F06

Strings

f, xrefs: 00404EE2

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: eb967d7d92909976ed67768bbc6bf91133f1097352fa1b537f2083fc5134d3bd
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: AB019E71900219BADB00DB94DD81FFEBBBCAF95710F10412BFB11B61C0C7B4AA018BA4

Function 00402F98 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
MulDiv.KERNEL32(026F3CD2,00000064,?), ref: 00402FE1
wsprintfW.USER32 ref: 00402FF1
SetWindowTextW.USER32(?,?), ref: 00403001
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013

Strings

verifying installer: %d%%, xrefs: 00402FEB

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction ID: b4a4546c530c1255e03538258eeb387f0310dfe45b0532776fb26864182fd6cc
Opcode Fuzzy Hash: 492ce7ecf44becc2b6f328ccb1258d65c9f2870c51930cf6044baf7ee7e6d13e
Instruction Fuzzy Hash: 8D014F71640208BBEF209F60DE49FEE3B79AB04344F108039FA02B91D0DBB99A559B59

Function 00402955 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
GlobalFree.KERNEL32(?), ref: 00402A0B
GlobalFree.KERNEL32(00000000), ref: 00402A1E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
Instruction ID: 9240dae09012554c896714223f9a1d047de53ad28ef79bac3653223f28d0231c
Opcode Fuzzy Hash: 67fe96262b9617a6657bb77028f4b0069242132a66e071a854657c6cce135934
Instruction Fuzzy Hash: 3931AD71D00124BBCF21AFA5CE89D9E7E79AF49324F10423AF521762E1CB794D419BA8

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: d4675444f2d34e761c1d250a7f981306a9f7540a76c819169e3a9c2f75ea5dca
Instruction ID: 7c59605d0ca35e0e1f1170af87acd2d95b5481229a772e02f8b12e0d157fbf49
Opcode Fuzzy Hash: d4675444f2d34e761c1d250a7f981306a9f7540a76c819169e3a9c2f75ea5dca
Instruction Fuzzy Hash: 2A216B7150010ABFDF119F90CE89EEF7B7DEB54398F100076B949B21E0D7B49E54AA68

Function 00401D86 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9F
GetClientRect.USER32(?,?), ref: 00401DEA
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
DeleteObject.GDI32(00000000), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
Instruction ID: ff9804e90d7d2423da96771145ec8c84d1acc30631874d8c14b803c0354ed8c3
Opcode Fuzzy Hash: 5a50ccc3029d5fde6ea81844b1e337cdf63f6177f9f2d7308e11f2af529302b6
Instruction Fuzzy Hash: 73210772900119AFCB05DF98EE45AEEBBB5EF08314F14003AF945F62A0D7789D81DB98

Function 00401E53 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E56
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
ReleaseDC.USER32(?,00000000), ref: 00401E89
CreateFontIndirectW.GDI32(0040CDF0), ref: 00401ED8

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
Instruction ID: a825ad976d3f878f3d1ae6f085165680ecf176d60430839047bda31eedf7821d
Opcode Fuzzy Hash: ecb0f290f5c1122776e84f7afc2181d255ab8ed52f1adad26d3dddab1dbe2d45
Instruction Fuzzy Hash: 62017571905240EFE7005BB4EE49BDD3FA4AB15301F10867AF541B61E2C7B904458BED

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0

Strings

!, xrefs: 00401C84

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
Instruction ID: 3d1946e732457e70d46414fe723373bc78a31951f468440fe5e33f287296c6aa
Opcode Fuzzy Hash: 069d8cd0b50c9c3d23d30c496d0653b5436aef65d2998253063e1abfe41eec6a
Instruction Fuzzy Hash: BC21AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941DB98

Function 00404D83 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042CA68,0042CA68,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404E24
wsprintfW.USER32 ref: 00404E2D
SetDlgItemTextW.USER32(?,0042CA68), ref: 00404E40

Strings

%u.%u%s%s, xrefs: 00404E0E

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction ID: 0fe25742dfe6cfa92c38baccc724587d3b65f537d6828788df476db8ac6fa50e
Opcode Fuzzy Hash: 2c674a3dc48973326ebd454f1002488dce618ddc5f98b18a2ee0300ee1e706a4
Instruction Fuzzy Hash: B111EB336042283BDB109A6DAC45E9E329CDF85374F250237FA65F71D1E978DC2282E8

Function 0040248F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(NNLSG,00000023,00000011,00000002), ref: 004024DA
RegSetValueExW.ADVAPI32(?,?,?,?,NNLSG,00000000,00000011,00000002), ref: 0040251A
RegCloseKey.ADVAPI32(?,?,?,NNLSG,00000000,00000011,00000002), ref: 00402602

Strings

NNLSG, xrefs: 004024CB, 004024D9, 004024F0, 00402504, 0040250F

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: NNLSG
API String ID: 2655323295-1518637115
Opcode ID: a41cb6f13485af1a9ec10d2b5ae98035f7e48eaeb505393f7ac1ad9e88c8f9fe
Instruction ID: e3d4462d3b771ebaa4f16124ca1672ddbf53c4078f16fd27a1e0ad00bfdc49f7
Opcode Fuzzy Hash: a41cb6f13485af1a9ec10d2b5ae98035f7e48eaeb505393f7ac1ad9e88c8f9fe
Instruction Fuzzy Hash: 8B117F31900118BEEB10EFA5DE59EAEBAB4EF54358F11443FF504B71C1D7B88E419A58

Function 00405ED1 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\,?,00405F45,C:\,C:\,75923420,?,C:\Users\user\AppData\Local\Temp\,00405C83,?,75923420,C:\Users\user\AppData\Local\Temp\,0043F000), ref: 00405EDF
CharNextW.USER32(00000000), ref: 00405EE4
CharNextW.USER32(00000000), ref: 00405EFC

Strings

C:\, xrefs: 00405ED2

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
Instruction ID: 143c5bdbadb979d876a68ad22b5e9fde56015454fa81a7c55dbcd1e73dec783f
Opcode Fuzzy Hash: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
Instruction Fuzzy Hash: 03F09072D04A2395DB317B649C45B7756BCEB587A0B54843BE601F72C0DBBC48818ADA

Function 00405E26 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E2C
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040351F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040381C,?,00000008,0000000A,0000000C), ref: 00405E36
lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E48

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405E26

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-823278215
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: dcb1dcffde27bcde4b46a4bd7655c85b8e924b1ae314dab144fc932f30a80b76
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: 9DD0A731501534BAC212AB54AD04DDF62AC9F46344381443BF141B30A5C77C5D51D7FD

Function 00402643 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\LogEx.dll), ref: 0040269A

Strings

C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\LogEx.dll, xrefs: 0040265E, 00402683, 00402695, 004026E1
NNLSG, xrefs: 00402688

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\LogEx.dll$NNLSG
API String ID: 1659193697-2410854125
Opcode ID: 36d8dbc523c0472d64c73d4eff13f49a76aa2362c52378c6c93c1f1da3cddc08
Instruction ID: 71653ae2733df7adc71dfdbaa34589fb2472b89c06e6b839d1f3baa03dac964a
Opcode Fuzzy Hash: 36d8dbc523c0472d64c73d4eff13f49a76aa2362c52378c6c93c1f1da3cddc08
Instruction Fuzzy Hash: E011E772A40205BBCB00ABB19E56AAE7671AF50748F21443FF402B71C1EAFD4891565E

Function 0040301E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000,004031FC,00000001), ref: 00403031
GetTickCount.KERNEL32 ref: 0040304F
CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
ShowWindow.USER32(00000000,00000005), ref: 0040307A

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
Instruction ID: 9291db8f65f8f9a8906298ccab22143765a9ea5c3e1cf5a275661437a5304794
Opcode Fuzzy Hash: 3e0f77edca3fe8d4731edd858be8c75d6ac57a75eac47466490e255ad15c8a0f
Instruction Fuzzy Hash: 22F08970602A21AFC6306F50FE09A9B7F68FB45B52B51053AF445B11ACCB345C91CB9D

Function 00405550 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040557F
CallWindowProcW.USER32(?,?,?,?), ref: 004055D0

Part of subcall function 00404522: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404534

Strings

, xrefs: 00405560

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction ID: 994decb8795c597c60d879b60f38f30bda4d2919c1ffc13ce94f3a2918c86729
Opcode Fuzzy Hash: 831ed5cf29225e66f7bf56ab76169cd98d2ca93c2364028159cf8fc7ca140134
Instruction Fuzzy Hash: 1C01717120060CBFEF219F11DD84A9B3B67EB84794F144037FA41761D5C7398D529A6D

Function 00405FAC Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FBC
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405FD4
CharNextA.USER32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FE5
lstrlenA.KERNEL32(00000000,?,00000000,00406291,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FEE

Memory Dump Source

Source File: 00000000.00000002.2118094318.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2118077558.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118111962.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000040D000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.000000000042F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118129105.0000000000441000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.000000000046B000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2118228725.00000000004AD000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_runonce.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: e9567a821587a5f0376c4e2be66d4cfc8c6f540c5076303c4651ac02cb4e93c6
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: E1F09631105519FFC7029FA5DE00D9FBBA8EF05350B2540B9F840F7250D678DE01AB69

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report runonce.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\DellPair-1.2.4-in.log

C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\AccessControl.dll

C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\LogEx.dll

C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsjF7BA.tmp\nsExec.dll

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

Windows Analysis Report
runonce.exe

Function 00403532 Relevance: 79.2, APIs: 33, Strings: 12, Instructions: 464
stringfilecomCOMMON

Function 00405C63 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 004068B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14
fileCOMMON

Function 00403C29 Relevance: 40.5, APIs: 13, Strings: 10, Instructions: 215
stringregistryCOMMON

Function 00403082 Relevance: 21.2, APIs: 5, Strings: 7, Instructions: 181
memoryCOMMON

Function 004032B9 Relevance: 14.2, APIs: 4, Strings: 4, Instructions: 166
COMMON

Function 00401774 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 145
stringtimeCOMMON

Function 004068DB Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Function 00405F2E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Function 00406076 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Function 00403B94 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Function 004020DD Relevance: 4.6, APIs: 3, Instructions: 73
libraryCOMMON

Function 00405C1B Relevance: 4.5, APIs: 3, Instructions: 28
fileCOMMON

Function 004015C6 Relevance: 3.1, APIs: 2, Instructions: 65
COMMON

Function 0040252F Relevance: 3.1, APIs: 2, Instructions: 56
registryCOMMON