Edit tour

Windows Analysis Report
ulACwpUCSU.exe

Overview

General Information

Sample name:	ulACwpUCSU.exe renamed because original name is a hash value
Original sample name:	c4c7ed9360322bf463828c0e86a131a081ecc700fe32dc0215d392251771a6de.exe
Analysis ID:	1451688
MD5:	b6f8b1c89399490857facfcf5bb78d86
SHA1:	898e59e55c027c47833f435fff28ed20da9ecdc8
SHA256:	c4c7ed9360322bf463828c0e86a131a081ecc700fe32dc0215d392251771a6de
Tags:	exe
Infos:

Detection

GuLoader

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

ulACwpUCSU.exe (PID: 7740 cmdline: "C:\Users\user\Desktop\ulACwpUCSU.exe" MD5: B6F8B1C89399490857FACFCF5BB78D86)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3857034302.0000000005525000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: ulACwpUCSU.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: ulACwpUCSU.exe	ReversingLabs: Detection: 65%
Source: ulACwpUCSU.exe	Virustotal: Detection: 35%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.8% probability

Machine Learning detection for sample

Source: ulACwpUCSU.exe

Joe Sandbox ML: detected

Source: ulACwpUCSU.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: ulACwpUCSU.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Code function: 0_2_0040603A FindFirstFileA,FindClose,	0_2_0040603A
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Code function: 0_2_004055F6 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004055F6
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645

Source: ulACwpUCSU.exe	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: ulACwpUCSU.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\ulACwpUCSU.exe

Code function: 0_2_0040515D GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_0040515D

Source: C:\Users\user\Desktop\ulACwpUCSU.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\ulACwpUCSU.exe

Code function: 0_2_00403217 EntryPoint,#17,SetErrorMode,OleInitialize,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,ExitWindowsEx,ExitProcess,

0_2_00403217

Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Code function: 0_2_00406310		0_2_00406310
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Code function: 0_2_0040499C		0_2_0040499C

Source: ulACwpUCSU.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.troj.evad.winEXE@1/21@0/0

Source: C:\Users\user\Desktop\ulACwpUCSU.exe

Code function: 0_2_0040442A GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_0040442A

Source: C:\Users\user\Desktop\ulACwpUCSU.exe

Code function: 0_2_00402036 CoCreateInstance,MultiByteToWideChar,

0_2_00402036

Source: C:\Users\user\Desktop\ulACwpUCSU.exe

File created: C:\Users\user\AppData\Local\Lumbagoen.lnk

Jump to behavior

Source: C:\Users\user\Desktop\ulACwpUCSU.exe

File created: C:\Users\user\AppData\Local\Temp\nso89A4.tmp

Jump to behavior

Source: ulACwpUCSU.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\ulACwpUCSU.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\ulACwpUCSU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: ulACwpUCSU.exe	ReversingLabs: Detection: 65%
Source: ulACwpUCSU.exe	Virustotal: Detection: 35%

Source: C:\Users\user\Desktop\ulACwpUCSU.exe

File read: C:\Users\user\Desktop\ulACwpUCSU.exe

Jump to behavior

Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Section loaded: profapi.dll	Jump to behavior

Source: C:\Users\user\Desktop\ulACwpUCSU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Lumbagoen.lnk.0.dr

LNK file: ..\..\..\..\Windows\system32\scups\deployerende.emb

Source: C:\Users\user\Desktop\ulACwpUCSU.exe

File written: C:\Users\user\AppData\Local\Temp\Settings.ini

Jump to behavior

Source: ulACwpUCSU.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.3857034302.0000000005525000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\ulACwpUCSU.exe

Code function: 0_2_00406061 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406061

Source: C:\Users\user\Desktop\ulACwpUCSU.exe

Code function: 0_2_10002D30 push eax; ret

0_2_10002D5E

Source: C:\Users\user\Desktop\ulACwpUCSU.exe

File created: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\ulACwpUCSU.exe

RDTSC instruction interceptor: First address: 55DD498 second address: 55DD498 instructions: 0x00000000 rdtsc 0x00000002 cmp esi, 58058AA1h 0x00000008 cmp ebx, ecx 0x0000000a jc 00007FE6B4F1162Eh 0x0000000c test edx, edx 0x0000000e inc ebp 0x0000000f inc ebx 0x00000010 test ax, 0000E59Fh 0x00000014 rdtsc

Source: C:\Users\user\Desktop\ulACwpUCSU.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Code function: 0_2_0040603A FindFirstFileA,FindClose,	0_2_0040603A
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Code function: 0_2_004055F6 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_004055F6
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	Code function: 0_2_00402645 FindFirstFileA,	0_2_00402645

Source: C:\Users\user\Desktop\ulACwpUCSU.exe	API call chain: ExitProcess graph end node			graph_0-4273
Source: C:\Users\user\Desktop\ulACwpUCSU.exe	API call chain: ExitProcess graph end node			graph_0-4435

Source: C:\Users\user\Desktop\ulACwpUCSU.exe

Code function: 0_2_00406061 GetModuleHandleA,LoadLibraryA,GetProcAddress,

0_2_00406061

Source: C:\Users\user\Desktop\ulACwpUCSU.exe

Code function: 0_2_00405D58 GetVersion,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA,

0_2_00405D58

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 DLL Side-Loading	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	1 DLL Side-Loading	LSASS Memory	3 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 Obfuscated Files or Information	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
ulACwpUCSU.exe	66%	ReversingLabs	Win32.Trojan.Leonem
ulACwpUCSU.exe	35%	Virustotal		Browse
ulACwpUCSU.exe	100%	Avira	TR/AD.NsisInject.edpwl
ulACwpUCSU.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll	1%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_Error	ulACwpUCSU.exe	false	URL Reputation: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	ulACwpUCSU.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1451688
Start date and time:	2024-06-04 14:08:06 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 57s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	ulACwpUCSU.exe renamed because original name is a hash value
Original Sample Name:	c4c7ed9360322bf463828c0e86a131a081ecc700fe32dc0215d392251771a6de.exe
Detection:	MAL
Classification:	mal76.troj.evad.winEXE@1/21@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 51 Number of non-executed functions: 30
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll	fJuwM4Bwi7.exe	Get hash	malicious	GuLoader	Browse
	Factura 02297-23042024.exe	Get hash	malicious	FormBook, GuLoader	Browse
	anebilledes.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Factura 02297-23042024.exe	Get hash	malicious	GuLoader	Browse
	anebilledes.exe	Get hash	malicious	GuLoader	Browse
	Purchase Order1613400027654123.pdf.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Purchase Order1613400027654123.pdf.exe	Get hash	malicious	GuLoader	Browse
	windows.10.codec.pack.v2.2.0.setup.exe	Get hash	malicious	PrivateLoader, PureLog Stealer	Browse
	windows.10.codec.pack.v2.2.0.setup.exe	Get hash	malicious	Unknown	Browse
	DATASHEET rfq.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Lumbagoen.lnk

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	MS Windows shortcut, Item id list present, Has Relative path, Has Working directory, ctime=Sun Dec 31 23:06:32 1600, mtime=Sun Dec 31 23:06:32 1600, atime=Sun Dec 31 23:06:32 1600, length=0, window=hide
Category:	dropped
Size (bytes):	970
Entropy (8bit):	3.3010472006065092
Encrypted:	false
SSDEEP:	12:8wl0s0m/3BVSXzEXnOlLBAZlYK2jqW+fI5jjMBQ1J3HAGACagiNL4t2YZ/elFlS0:8AJ/Bbe2bYKY+fGr3HAGACaV5qy
MD5:	E58B0A005AAC484A3CCD10E29EFE98E9
SHA1:	137789ABA1892344AECF26F9F4A30CAAFD2D6251
SHA-256:	0D6A4814DB519C9889D69998957C08FAAB6008446F3ECD8FFB99F1685D0E0F57
SHA-512:	DA8231A4EB96946EF8BFC2C2CDCF937BDA5DFB1B89A77F16D60F2F68069208CF517DFF795758892E1529112D48E026CAED622D0081CCCDAF9624324DF7E7844B
Malicious:	false
Reputation:	low
Preview:	L..................F.............................................................P.O. .:i.....+00.../C:\...................V.1...........Windows.@............................................W.i.n.d.o.w.s.....Z.1...........system32..B............................................s.y.s.t.e.m.3.2.....P.1...........scups.<............................................s.c.u.p.s.....r.2...........deployerende.emb..R............................................d.e.p.l.o.y.e.r.e.n.d.e...e.m.b... ...3.....\.....\.....\.....\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.s.c.u.p.s.\.d.e.p.l.o.y.e.r.e.n.d.e...e.m.b.T.C.:.\.U.s.e.r.s.\.h.u.b.e.r.t.\.A.p.p.D.a.t.a.\.L.o.c.a.l.\.T.e.m.p.\.t.e.r.e.p.h.t.h.a.l.a.t.e.\.e.d.d.e.r.d.u.n.\.S.t.i.l.l.s.e.\.L.i.m.e.j.u.i.c.e.\.S.a.e.r.e.s.t.e.........%...............wN....]N.D...Q..................1SPS.XF.L8C....&.m.q............/...S.-.1.-.5.-.2.1.-.2.2.4.6.1.2.2.6.5.8.-.3.6.9.3.4.0.5.1.1.7.-.2.4.7.6.7.5.6.6.3.4.-.1.0.0.3.................

C:\Users\user\AppData\Local\Temp\Settings.ini

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	50
Entropy (8bit):	4.558562939644915
Encrypted:	false
SSDEEP:	3:RlvjDkAQLQIfLBJXmgxv:R1ZQkIP2I
MD5:	A6216EF9FBE57B11DEEB1B1FD840C392
SHA1:	E554348623EF9ADDDE2FB3F2742D5CC1EF240AB1
SHA-256:	EDF6C9DA71DAF3B3DA2E89A1BC6B9F4B812F18FC133CF4706A3AE983E4040946
SHA-512:	AF5FDD8419B8384361BBEA7600B4DA7860771DD974D3B2D747C6E1C4F7E4DF49FE4BE5FA2320E9041343C8D2AB5912BE1CF279B61ED2A96954C1C2ED05AA0122
Malicious:	false
Reputation:	low
Preview:	[Common]..Windows=user32::EnumWindows(i r1 ,i 0)..

C:\Users\user\AppData\Local\Temp\nsd89B4.tmp

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	data
Category:	dropped
Size (bytes):	557077
Entropy (8bit):	7.079350311821964
Encrypted:	false
SSDEEP:	12288:BArogB21UpSFMz8s02Npjdo6G9/Us9i1d1:BATwqpss0gzkUs9ed1
MD5:	2BE0DFCA1F58BBC291C5FEBCB520F01F
SHA1:	DA8822A610E7BB3156C6DC9B9C344652DC1BDFE3
SHA-256:	9576CA879A620F995613754EDCF928C9771AB08383BA29048312F763AF02A4F8
SHA-512:	1D45D65DEDCDFC835E9917C6CF103848DE662E3DF83FB9319371D5DD18D9EE166052A9F31C2260FF00E9962F165D92D2DC863539800B78C1BF5675913E2CEB0D
Malicious:	false
Reputation:	low
Preview:	.-......,.......................4........,.......-..........................................................................................................................................................................................................................................J...\...............j...............................................................................................................................9...........C...r.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11264
Entropy (8bit):	5.779474184733856
Encrypted:	false
SSDEEP:	96:zPDYcJ+nx4vVp76JX7zBlkCg21Fxz4THxtrqw1at0JgwLEjo+OB3yUVCdl/wNj+y:zPtkuWJX7zB3kGwfy0nyUVsxCjOM61u
MD5:	6F5257C0B8C0EF4D440F4F4FCE85FB1B
SHA1:	B6AC111DFB0D1FC75AD09C56BDE7830232395785
SHA-256:	B7CCB923387CC346731471B20FC3DF1EAD13EC8C2E3147353C71BB0BD59BC8B1
SHA-512:	A3CC27F1EFB52FB8ECDA54A7C36ADA39CEFEABB7B16F2112303EA463B0E1A4D745198D413EEBB3551E012C84A20DCDF4359E511E51BC3F1A60B13F1E3BAD1AA8
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: fJuwM4Bwi7.exe, Detection: malicious, Browse Filename: Factura 02297-23042024.exe, Detection: malicious, Browse Filename: anebilledes.exe, Detection: malicious, Browse Filename: Factura 02297-23042024.exe, Detection: malicious, Browse Filename: anebilledes.exe, Detection: malicious, Browse Filename: Purchase Order1613400027654123.pdf.exe, Detection: malicious, Browse Filename: Purchase Order1613400027654123.pdf.exe, Detection: malicious, Browse Filename: windows.10.codec.pack.v2.2.0.setup.exe, Detection: malicious, Browse Filename: windows.10.codec.pack.v2.2.0.setup.exe, Detection: malicious, Browse Filename: DATASHEET rfq.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......)...m.m.m...k.m.~....j.9..i....l....l.Richm.........................PE..L....\.U...........!.................'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text..._........................... ..`.rdata..S....0......."..............@..@.data...h....@.......&..............@....reloc..b....P.......(..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Humus\Blevins126.for

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	data
Category:	dropped
Size (bytes):	3146
Entropy (8bit):	4.791974532841942
Encrypted:	false
SSDEEP:	48:3XPylQdRwtj51cUxE84gEsggxL3oW/xFJPDV4EFUXBR27Qy18ZC0n2pZ6tc73:al6RO51TE81mgl3oWJFJ9UXekyOZ2Omz
MD5:	63FE645623536FBA3E2331E03CC60A1C
SHA1:	236AFE8B9CE94209890C73329BCFEC36E2772F7B
SHA-256:	D214B61BCC0A292DF774AED4655752AF5ACB44E880BD82082AB716AE34DCEDBF
SHA-512:	EF6432B6D5107883F6CFA5EED753CA96BE4E59D89A883DA67D8112A7BA7950A3462F2DEE07228B89923569C727145396254C0EB10B84DFAE1632CEC17074413D
Malicious:	false
Reputation:	low
Preview:	.@v..)........R......,W!.o.........................E..R....S.M..h..eW..R.HJ ............A_.........rU..........................u.....y......y.....................................b{....0........_..........u.H...................#.8........................`4.........!.=...K...U..y.....?..>.........aW[...............................%c"....}..\.q................x....'.........f.1.......Xz.....).uX...;\....)..J.L.#.....G.An................{...........,......T...s.^.....c.....s............. ...#.X..7..^...}.hW................................`......"....TT.....X....e........I..............@............N..7.7.....D.(QIkj\....[.....m...........1.&..t...........T...........6.......................a........&.........V....k....N.....e....1.K.....1.E.........n.......lL'...........j5....s..................a.g......uSx.......;.............>..........D....a....v%......Z.........B....qk.......S....?N...../...Gk..........B.......&...*..8w...e....`.........f.....e......Q..................;.

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Humus\Hakam.hrd

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	data
Category:	dropped
Size (bytes):	4180
Entropy (8bit):	4.9321374408025465
Encrypted:	false
SSDEEP:	96:48Ez2ekD6/CkklLdgw/Hk4hHe1egefyK2WP3d+lw/6olYP1eI7:/EK4/+uwHk5DeaK2BW6rcI7
MD5:	568E524C05FD8EE41882BBC14464C6D3
SHA1:	8130F25AD135621E2F451EFD20A3B180C01A3F66
SHA-256:	D923009286A94EA38855A2BADF858969428C2DA0E65AC3DAE8CB886BF3EE2BF7
SHA-512:	00F9B3763CA9223002E421294A7FD69A9E9FFC2AF399F48226FDBB0523A82AA5C4E6DCFDCA073FCFA5B21DF8AC397D0F6701CB47D8750915D370B627927CC308
Malicious:	false
Reputation:	low
Preview:	.@...H..............\.....>...H.........m..\|dQ_...*JX..}='..........ctr.b9...N.........E......G.]..p.A.......H..Cq..........q....."..p.....6.E..k............I......A..5... ...:g..........].e.}.F.................B.g..@.......B.......j.B.F...l.............Y..I eq....z..j..../.J....C.N....^.?..........c...M.............9VS.k...A..]..Q..........@J.............c..............-k.;...8...\|.....um....o...@........i.?..='...c..9.........V....v..t...........D.......T-...........D...\....y.....O.....R.........u.............=......:Y..5....T....~..Nz....y...)..........{.....S..X?.........g.O..................`....p....;.L....u.............................d.nzC..\|...........4................N........C..............,..j...........5V................D...........u. `...E..?.......,...........w..7o........3......."..w..9........;.... ..K...f...............M...../.........._..........................................^............").(...........................z....K.O>....T.....}....x...

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Humus\Reallnsnedgangen241.sta

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	data
Category:	dropped
Size (bytes):	8230
Entropy (8bit):	4.9095691270975985
Encrypted:	false
SSDEEP:	192:ADjauT3yXT1VRXVkCGOeTC3WgdgTNb7dYSxs446HTXZG:ADjaZDFV7Hx3Wgd8b757k
MD5:	6E58E362553B5789E1069A0179B61372
SHA1:	99780077DCED2149B6BF80439172FF98DF8F90E6
SHA-256:	EF7907372F05F11488321AB0694B0C59BB487F9B8C87E6C7AD93D33C226EB194
SHA-512:	6FB5A47A7B8937D898FF58D4FC5ED7959AB10C9E3EDDF66585BE7FB011CF46AC7EDA4FDCBF81297DEB841DE807A3CA2A23C4B205C71CDDEF8D8DC87B1B15EFB0
Malicious:	false
Reputation:	low
Preview:	.....l.................}..m.............[....L..J.D.......$............n...................=..................9j...................v...................x..C.....o.{P.....]S._............#...B.....9.......[.........RB%P...............I...K.r..N...+.........V.{.....1..........1..........`.........O..._.......f.........s.....m.@.$.m............u..l;.............{.4ON.......1M....G..?........mE3....U......#....n...>%.........I.....n.._N.ao.`........co?..&......96.......t.8z..pa(.[.......c......r......AS...\|..........s^......U...............\|....u...f.s..V..............A..J...............~.5t`..............\|..B.q...b......Q..5....&...2........).{.E...8..............D.....'.....#......;.......5..`.QWr.K..u...........A.C?.....~..........d7..........Kri..~........b...l.....k.J.................j........5.........2.w.................d.........Q.........0.`^N.....K............?U..........;.".S.L....,...=...._....................fc...n...Q.................8.........a.s.........7.....

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Humus\Sonoran5.Fin

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	data
Category:	dropped
Size (bytes):	404216
Entropy (8bit):	7.599120760001494
Encrypted:	false
SSDEEP:	6144:VAroeZ4lykF1c21VPARc0PSN88MbZmtaB7Y5G0Px4NpQqKPSdrEnxMGwkG8P3Usn:VArogB21UpSFMz8s02Npjdo6G9/Usn
MD5:	CDF881DA1B168CBEC3619DD44BCB939B
SHA1:	41CD6AFE34626969BAF069CF0334ABADD36EC3DC
SHA-256:	D11D28DAC2B96527A92CA760A8A80BABDFE4CE6A77E1A4785CB7F61D7A2080C6
SHA-512:	3927702DE1EEC0EAAC51BBDF373EA57D2BA50092BEB1680FCD0361889AAD2AC794C8A15452D14C61B7967C058DC11F391D4BD77038E204D6C92F8FF9068BA1B9
Malicious:	false
Preview:	..S..6....5.5.....................L.V..]....!!..$....0.vv..............\\\...jj..........PP...........\\..................I.WWWW......"""..d..**.M...................====..55............=......UUU...........00...MM..............\|\|\|\|\|\|..............................................................RRRR.................................N..???.....................].............................................................I...0....................dd........................3.{{{..........ss.//..................u.....G.aaa.ssss....................ss...........................M.............[[..............SSS.......c..Z...............................M............ZZZ......vv.....l....../.............^^^^......UUU......z......jjjj....................'.............PP.........(.....8..Q.nnn..u....v....................2.........X..........(...........................J....1....hh....\|......_.....~~......QQ.444.....%%.dd........................tt... ..J.........................2.......@..D. .@@..

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Humus\Trykkestederne.dre

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	data
Category:	dropped
Size (bytes):	1767
Entropy (8bit):	4.936734149511583
Encrypted:	false
SSDEEP:	24:n4sZF5zb4UBKl2YkTL9us5GTtqBXclmjZk/7V91eIS9naSCKvDwoqjLpKk1Na:nNJ+rkvspOclmdkzX1L8aS70ouUaa
MD5:	9A172303DA4D5A6FFFA3583CD88A6848
SHA1:	A59F712638898ED08E235ED321B8F3033F32B324
SHA-256:	E99BB7DF5EA4A3983D7308A41630A8B1128A1F7E0E59B7F02511DFC71E67BDC4
SHA-512:	4C6755EA315DCA8868EA650CFAEE595D60B910A6829DF232CDDB617318BD81B40A8E407E5B5135A485EEDD76265A04A2FF75DBE656C5D216F1EF0672EAAF5631
Malicious:	false
Preview:	......]$z....Ak.....o.M..n..#..@.5C.......h..a......Y.......U....a..C...=x.+....."Y......x.......t...........(..........k...0@.......#...Y....(................".....k..... .........A...\|...q............!....d...t....../S......Y.Q...s...).......p.T.....".0.._..MY.A..............P.B..v......\|...0...0j........3[)./.........u0..M....._#.........z........*.`....;.........3..D...0..... ..`..............S.......H..y......v1..G...................................i...L).P..$....^....#........h_..........8#...[Qy............ZK..D>.....r......s.x.O.y!..H...........5....8....'.\|..........G/.:....2U=\|......P........>.......r....K).P..l..........(..KY.g......n..9....\......Pm..............r.........0....'................J.q=...X.d......S.......l.....}.[..............m.IX.....3......&.......1......s.....(.L...........q...4{.....w..]..."..Q.........L..;.....i8.............I.e...{....r....E.......0>...e.L.Rlg.......]J.r......i..b...=...k<.5......................w.....T...../........S...#-.

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Humus\Udlse77.smk

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	data
Category:	dropped
Size (bytes):	9445
Entropy (8bit):	4.921016570871312
Encrypted:	false
SSDEEP:	192:VTVWctVeruwskAXv0v/LLDkNpYl7R/OuR6CHkm/EpRGtfMCzYaKN/:2ctsTCf0r0LcOuR6CHv8VsK
MD5:	852509E2C3FFFA729FDFFCCFE066CDB4
SHA1:	F1C2F850464412285FF92F72613CA9442DB734E8
SHA-256:	FE87AC62DBC45B792551492C09613DB3F2831185F6E7A33CE5617BB0E59E3FA1
SHA-512:	B4C1542FD567D265BD78DF03691051D874EF6CD8FE6D29AD418C7DD766B7067183AF5608E9F15941515B0E7846215399AF33DD1FACDF0BAB966764B6CA377CD1
Malicious:	false
Preview:	.DoW.....9......[.......#)..9e...U..........x...7..QlJ......`...x....5..j......5..V...h..........T.B......Q..r.....=....:..@..[...=.t....9.o...E.....{m..i[.4.L..c......w.............z........~..'...Y.........XM..[.(........A...................t.C..38`...l.&&.o.A...........>.....EP....(...z%......p....w8......aV..........................g.......qp....G..a........`.....`..W.....y....8......\..........O...F=..e.t.....8.....m............ax.-...........w........\........B......c....sN.......C^.....A....4..l......&a........m...#..s"......IV......E........4l.$.]......p....N.....2%..9...)....W..........................k.......4...y................o...........#........K..R...../A........-..=....d...g]......[...[2.........y...;..C....5.-....e.......<r........V.....T....4..^...c...;.]........_...^.'D........?..z.....lQ.,=......<...Y.}e...$..X...xk...o........#..LL.+.......\|.................^...........3.[5..{.V.ly.... ............p....y....O.....%....#......>.....8...........%..

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\Saereste\seksturenes.sem

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	data
Category:	dropped
Size (bytes):	10676
Entropy (8bit):	4.902534302182149
Encrypted:	false
SSDEEP:	192:RmN6YZxvgXhbbZhe6/PK5X1937sCfOh1ZGXerBUfk89HHWva2GkzypGBnaRKb:QNLxvgXhXZhh/PK5XH3QukzGOrBUfk8m
MD5:	2B83BF46A89D65CF762BDDC2C38E9E7B
SHA1:	E59B337AC20C43CE7F4B486C38486F8912C98789
SHA-256:	624B10DFF501106FD6297B70FAFB3505DD1AACDAA29D895E72A0AE77CA0FAB90
SHA-512:	6C217CAF5D9A5F679C6E4904904B0B19F11C8A42547056442783F32CE73723FDD4F159127D38ACC34CB3A91A3553FF73159ED895ED89E5A264426154F512AF97
Malicious:	false
Preview:	...........).}v..........c.Zr.......-..o.......}......._{........y.]m.i.................c....^>...........N.p.....y....O\|0...O....................\|i..,..........D9....Y^..N.^............o[....8.J......................T......A.<.>.s...H_4...+...........D....1................ ......r..........O.5...............5.b..9......&..].........M....t.....C...............;...........!...g...#..........!.DwV.........sm..~..e................r.:........9..y.5..(N>.....6..........o.........\|i..................R.4...I.?...w.M.....B.C.................... ....3..<..}........................0.1c...x..............w..................[+#n.....^.t...d..._ ..v...Al..........(.........U....<......................F.q.=.D........&....T....,ey...[~?....x........................D..........&...>..]......7m...jNJ....V........B..............E....:......\..,.\|.........;........=.=.....b.....n......\.a.T...............V....c...k.........:.>..r....C..];......0..J...............vxX../......}..M.....f=...J...o

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\Saereste\stonefolk.mor

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	data
Category:	dropped
Size (bytes):	11037
Entropy (8bit):	4.8737997168752125
Encrypted:	false
SSDEEP:	192:5D/P9kefPUbCijjBw/TI5F44EOvex8O5+2idKNr1k7PKTf0YsBcCfPdlEjQM/:tP/fPU+ijoQF44EOGuO5+2VNre+L0YkI
MD5:	BD2878F5871E874FA3A7C037048F7C3C
SHA1:	DDB784273BF208161E10C930EF94788F42C1E4BD
SHA-256:	A82D5E28FF5C786801A0D526DB840EE3452B74274C0D95A37C9A7180E0859D87
SHA-512:	35CD9C96334787A3D0168367FB27714339FDBC9F3107F81B2197730BF7B496D038B2D617F4F6C6F6D1A4B2C6375C9C36732AF715E88B7F5CB2FA69516868CD24
Malicious:	false
Preview:	...n.:...}...p.....V.S..........'...9+........(......W...<...I2.......A...`....>.x..;...B...O...X..%..............R..........~..T....3@7..$3..$.wc5.1....<.....%..6b...........%.?..7.....e.r.$.... .......6t..........~e..9G.K............[...9....Z.^.......8......l........\.............#.&..S..9.C.......j.c.......N.....S..\.......T....'...&.\|...a.....4......`..........y.s...z..=W..8....l......q......m.c..............tK....n.L..d............/.....L......#.......k.]........I>........3.........M.....C...8.d..c....c........(m....Ck..H....e.............X....G.....r...I.....8.....................,....._x.........p5......e...\........A.~.....8........V...&............5....".......#..x-.K.....>.......~.."....ZU...L...A.....Jn...:.............&....Z..........V......a.a................=....6....\...c...u.......X4..........kv.....].....e.............{...5..............[...y......m....7...j&...1$..!O.6..0#...#............W...............................G................~K]:$n.........

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\noninstitutionally.ski

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	data
Category:	dropped
Size (bytes):	1724
Entropy (8bit):	4.665955956980643
Encrypted:	false
SSDEEP:	24:ZsK6DXm4O/SIzh3T3DcW9kjioek2kiE7I8JLEXIcfpy3gILbHLEyoUQll:ZX4O66cykxGE7rEIuIv/oyoB7
MD5:	509F09BC859F53A5D728B23EA140EAB6
SHA1:	99E6E1EFE5EB129B608E81F90B0109EAE1763D31
SHA-256:	FCC5D4A2E0881D23F6C696DFB854B0B348FB552C4CF6B001C2B2594F14E7F499
SHA-512:	5C9CE0916D77DE0D51FCF90DCD25144B679B5827074ACBE2C74D862702582B6001A201540D5B00F07AFCBB1FD1908C1579D2B05B69A85C4DACFC1E7274711AB9
Malicious:	false
Preview:	>....74....$.........^...A..N.A..................{..b........q.;....U...........i..k..4.>....Y.-...7.....'......a............f...lB....(.............Cf.O...~......r,...R#.....5...........%...2...........G.............$.......v...M.e........`.E..O..}....g.............._..ai......e....}.J....\|.........l.........p..`...6......d...1....................\.......uC....o.J......#...........5.....wm.n.W...<....3\..8.....{....1.%......T..b.................,>....S........#M......3.........:......`....................d...........w..x.V.T...............].../...............L..............[.(.......{.. .....b..............E....\..z...\|.."..z.............m..........f....Y.........@.............T.....r.............+3........1.....w........b........!...LW.........$L.......8...U.h.6..........%......6.g....f.!.Z..............e...x........#..........&6.....................)........0......&.....X..........o........".M..h.1../........../.$....}......r....8.........8..M...Z...D.......y.............

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\pulpwood.int

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	data
Category:	dropped
Size (bytes):	13161
Entropy (8bit):	4.9126755870483
Encrypted:	false
SSDEEP:	384:X1AiZV4bKGFvytAAQTi5hMU708wbHhzCiFel:llXGFy9D4HJ3K
MD5:	6D9C825C8AE36D64EEF435461CE73532
SHA1:	4718C6BE7780A611D9A88E99EFFE5DFF487F9BEC
SHA-256:	00D99DD2F1D3196580D52247D1D45605DA3F5EE2893BDE0B6855DD10E63A7569
SHA-512:	B8E8BF5E1872D3981629D6747C21AE4634628792997C9322C0088251D47FCB83A516D6DFF3C694D0134EB9BA77EC7D7BF3B09994EC9ABED01554637AEA6F4DA7
Malicious:	false
Preview:	...n.....V..s..1..5........E./....:...`..}......c.<..........l......I..]...9.....S(.U-............q............+.....d.3......u....c.....]$..r.......}..PL4...........e.3....o\..X..........................s...fk...........@...........s..............\..2..............;.......Dh...........?.I....x..l......................x@M.......X.......u.k.......n.....l...Q...d...lG..?..(..................I..........T..........`:e.....]....!.......g......m...R.......{...S..q..?..................v........_..$......~....&.w.....$...\|...........f.....T......I....6.....u..............C........G.%....".5$... ........B...3..k.......~......=........!..o.........O.....!.....R.C.....4.............g_....G.........P...x....+.!.h....Gu......v......Q.X.......x..N/...q......@.L/...............".<*..y.v.c.......E.........}.>w...X...+.;......P...%......(..3.......f..............R..V..............w3...o.N....d.>........$....i..~.......M......%.........X.....{......./...6^..........v.u....$......Q........q.

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\aerosolens.red

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	data
Category:	dropped
Size (bytes):	7123
Entropy (8bit):	4.932139967662198
Encrypted:	false
SSDEEP:	96:cAbrH6fD8NbUwBsatM8DzRcRWXqUrDcML+Cf+5arV1lSRiHzLUlkLBj4I1Xk0:tLeD8BDmRlAHlnlS2LUkuI100
MD5:	D81EC25A5BEE5D384868B24A6A8C663F
SHA1:	F131AB88175DAF4039D860FEEEC4B1A6D21E121E
SHA-256:	2C11D49A6BFB47ED8197A18DED9282686795BAB7E2F09B7B127917C88269B206
SHA-512:	2BE940E42C70C592B2F9C3637F56851BFBBB8FAB5539D51E04C3ED2E15E76E88562D176B234739C8EEA3F438D328065E471077C278A2DACE8AF2FED02CE7C6A9
Malicious:	false
Preview:	.U{........;..........T.d........s.......U.......n...\.......RI........~.'.......x..........#-...+...1^...j'L?B.."[............(.3...pXii..1I^.d..f..f........\|....7.....1q....M_....F.............................u...<....5...(...~....d...................\..q..F...d.j\|r............q.+..........d.L4..h......C....p....X.............`0.0.................hd.........z...2.k.............d....k.....l......7..........l..r......................R4h.Tx.R`..U......L...b-(.x.........uNn.. ..l.K:.3.....i......./......i..}.;.L......p...o.......1....r.b....]...1.`...\.>........%.......E...K....5....n..=I.........c..%...........a..-.!...n...............`<}.E..w...........4R...................I...*..g..,E................"...........j.."..!..@......`..............w.2=.c......-<.....1.x..(..........y.U:.........M.....W...............>......T..S.Q1..)D.....h..................Z..y...y..<.....0...^.S..........g..6.u..........r.X.......].!..\..........+..... ...J".-........=..7N.0.......(.........i.

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\andantinoen.str

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	data
Category:	dropped
Size (bytes):	15098
Entropy (8bit):	4.909030925775806
Encrypted:	false
SSDEEP:	192:fNq+2AFf73C5TP3cahnwy2G6kZhcm/bA/wdY1Z6+gFIDsPkXL4AQLd0hge1g3:ff2+u3wqbculuL949y/y
MD5:	74779824ACAE1E1C870095C780405054
SHA1:	DC4C932288B739DD1345D7BF64A683750BEE2C4D
SHA-256:	809FDA512937EF4C6BC58C22C47993DFA100AE4DF56C8B0A14CB759A40E6EF62
SHA-512:	DCCC9248E22CB16BBFDF7985F116F599EB97A4B63CCF8203276C600765648062C59238BE409B18E9C9F09840E80451F3CF2F59CEAE5B8D098C38BC5E399F4474
Malicious:	false
Preview:	......u......z.'H...._..?.R+........;.!.J.}u.Y....E...].....?i.5...J.........L....m......y..-8.....c........~..............[J.........-.........../.h........A..........H.................V..........1.............S................Ic.:...\| ..hf.;...l..FP.........[....DZ.R....a....A.&...`.O...;......O..`....5...~...?].....<........>.....T.X....T.C......O...[\|............d........ ..wb~..._...........\|Z.$....................>...."K.........,...............K.G.S..............k.-....c.....5..........s....^.P%c1..(.......O..;.\|]..&................_..Gh.7...r.........".h@V...2.@.+.g....j4xT....}.......'............v..........#.i^:.....3....}y.................=...........q......M..2.....3.......................^.....X=.....?_....7.....0KW..%.F......3)d....+.......k..P5.}..d...x....9..X.g.........y..T...4?..i..I..II....6.......:.N.;....m.._...............i......."......QFg..w..................x.<..../I...7.............9....P..........F.....';.......A..3..2.............b.`.....0........

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\complainant.pri

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	data
Category:	dropped
Size (bytes):	3930
Entropy (8bit):	4.785707533776321
Encrypted:	false
SSDEEP:	48:eYGsZJaswkWb5y5SwsmAeeiVSRG8fcl6FH7tSVlPgc6pcAUkWz+CaN6wm0uln:wwaqEy5SwsLeeicgAcl6FbIVucAUEFq
MD5:	F4F390C25CFBB9F86EDAD76C437F6571
SHA1:	548390DEB8C7A5021676CB1E0C03FC6AABF89B98
SHA-256:	AF12D990703C8FC341CBF9FE7F5B51938408D5FE48CA388DB39BDCD35EDD90D3
SHA-512:	47F0520EAFA72308B188099F796E9713A4CFCDEA9BBBBF523136A371AEA3D4D167F3467708CE9EC6D82BC09862DA7D5BD122CB183796E948BCAB41665D07238A
Malicious:	false
Preview:	...;..............I..\.....z............B..........m............XA. ..w(X.........>............1.g.................."...8.....Q.."........g..K....2..@............L.......aT......X.....3.....4...............g.......Y.......}...........R:0v..r....t....#..P.....k.+........{.^............................{t2......k...3...g..\.-...s.......`.[Z..............P..$A.............b..............?...\.......aP....Bi.............b......^.?....6.Z.k...3.h..M..'.[..Qs......Is..i....Z....r.m........v...o...h@.......@"....t....]E..n....S....m..................)..................f.....B....)..W..........d......?....7...........o...k...&....\.....4.b..f....S.w.i.......~........04...Ch......j.T.!}.................p....{.-..................b...........m...J.....k../.0d..........B.Z{MwV...{.........T.-............6..........l..)Ag..4....:...8.R....+....e...;..............................Q..C...........}..x..?...x......)..N..........H......c.(..x..>.\.............uv[.H;m..."...:...f....5..$.!..

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\divisioner.par

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	OpenPGP Secret Key
Category:	dropped
Size (bytes):	11048
Entropy (8bit):	4.872168059153243
Encrypted:	false
SSDEEP:	192:dZ0sW/87yXEweaM8tpic2SGGfMIyUlj0wggbxIrfmsxiS:dZ0sw87zjBspic2SGGR1lj0wgoxI3J
MD5:	7721863171BA672F3F660981C836E35B
SHA1:	6F7A2C0D30D51CA6B31F0FCC803D58100D1D54BE
SHA-256:	290F31B8FB70C5E745918DF19CF3A2DD3E7D368A2BC5D9C79611D004AB2AC9D8
SHA-512:	0474541FFE562D37BB638EA5500189F4E093E59A6CE8F4039E1BDD4FFB4EF7CBFA18D6850F81DA416DCF91BA40836C73684BE405091708351F5ACD00DD27CC3C
Malicious:	false
Preview:	.^.....H..........Q..C...........5...>.....6`d.................h7..@...v.......O........'...:....y......".....D.<......p.....)...........1.....x............~..........m......'.4..Y..s..a.,.....8.......{....................,.....f.g.............j.+q..=....~.................A..6..kN.....w.P...E....................P..S....6...P,.\.....X........."....."....7......................7........-.....5F%C..~H.........[^........C^......h.B....6o..-.gj......u.F...r...!.Xb........h.....,'......$..b............>t...X.x...vh..........5...y......A.y...y...Q...@......O......v.......W......2...I..............1b..a...?......v\.......v........ ........M.4........ .-6+.......\./.........G..........k..h....Z.=..........X....N.............+........u...............=gE.r...........w.......F\...............{....5.......:.....b.......".......k.............d.(..i...Q.....<.....a.j...C........<....b..........Z........................~13...^B.......#....z6..R...a........Ny\|.......\|.....z..c..Y........)

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\hyperalgebra.txt

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	592
Entropy (8bit):	4.204861403479884
Encrypted:	false
SSDEEP:	12:PjO2xFPAeLUzV3ByBRCs+4LlMvJLHYEEHaBAH2s2N+k/+IQI:PiOF3UzlByBRCsVGtYEYWsY+E+IQI
MD5:	8097E08408C796656D6FBE5B4011609A
SHA1:	234444944CBE5C50C7DC38FD51C565CCA3276164
SHA-256:	24677BD64BDFB8D904A096D013232993C005856ED59AA5FFBE504EB4F761CD75
SHA-512:	127264BCA9489E3CEF728204AA128E705730513025E8B7E0F8464ABE5D0EDEE3FC8D5043E4DA7D8A67A3A115AEF7237BC04C6CD5CD956923AFC1921FD3D29638
Malicious:	false
Preview:	gasterozooid blottedes undershrievery reorientation konsistoriemedlems dokumentdisketten brevstemmende defilerede studiekammerater forstuvelsens..metastrophic kabiet serb aflbsrens ordmnstrets simulatoropgave tholes,frygtlse cloudlessly fylderiets kpheste isabelles unsalvageably appelerer optics infralyd theligonaceae suspensively..snerp separatkabinettet paralegal xenofobiernes chervante stivelseskorn achromobacterieae,brygmester brevaabners kontraheredes pullulated musketerens studentereksamener poliad,underarmsmusklen askorbinsyretabletten backtracks stvises termcap kinoorgels trog.

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\jaqueline.bow

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	data
Category:	dropped
Size (bytes):	15062
Entropy (8bit):	4.9357451772131204
Encrypted:	false
SSDEEP:	384:pl7QxurtO8pawzlNSBjw6YhtRK61R1f7W0:P7QxuhO8pawgwXR1TW0
MD5:	56013432CE9F5F20196ED4D8766EB72A
SHA1:	4DF3B7CDFFD65DD9D14BB212080C608703906554
SHA-256:	71341213976B73E52A10998CCB06599C8EDC6E7D12E3338927FE56E5DABAE760
SHA-512:	C8BB9713C4E9B7CB95C452FA8E112B0C11A92F7C3661D902E50B51552981AB60404E5D84FB3CFC7B4794963C06E3B0E73892794CDAAF95846B8B67B838AE384A
Malicious:	false
Preview:	....u..p...!.ht~.......L................/y...................G8.....R..}.......;..............%...-.......L.?.b......................'3S......P.#..F....&...v.B.I.....H#........q......7..........d.o....fA......B..T9.........7....y....>.....>............}...........Q....h......_......F.V.CWA.........~..f....K..........................n............C.)...l../......9.....,...........a...$.......p....S........x......-....... =...A.....4'.S.~../t..Mm...........[j..7........f..c....s........._.............. ...5M.H.pW...../........=....}........'d.....Z..7..........;....^....l...^............8............:....4.........R@^........U............@.........~...Jh..Qf.{..i...n..........a.. .....D.......a.............z......@m../.ft.........^.........d...H......#.......-._...$........._...a...................................E...........R.?........Nn....1.........R..>.E...J..........j...........]........#............3.\|...........Y.2.J._cH....7T...........1.~..H..."u.....\..........u.

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\macroconidium.fan

Download File

Process:	C:\Users\user\Desktop\ulACwpUCSU.exe
File Type:	OpenPGP Public Key
Category:	dropped
Size (bytes):	13588
Entropy (8bit):	4.923594985159061
Encrypted:	false
SSDEEP:	192:JwxK7lxC6+88oXtWeJvBdfUW8aZcrZFb0IDAeXBZ3QHju4LEFdTKUAZNW:Jd+6+88neJvB78aiZZDDXBZADu4LaSZQ
MD5:	A1BB2C0226A81753C3C2F6FA6562B6F3
SHA1:	EDC6ECAFA090B95F7B4A3E3B26A6A4E5539D932B
SHA-256:	F89E9A19B6D6A219D9AAC39623DC5C30CFEA6519CC7376E18656A5A7C999DC53
SHA-512:	26695DBF9FDE77625A12BE1F12797DF821B8B20204D4BE58D5E43E27159908D7AFBA4ADAA1B39438D931C076854877B3008A4F12CE984053C877D5C89E15F000
Malicious:	false
Preview:	..........W.......(..........Y.Ir...G.........z.#..>%...#........t..v+....3......ug\|{K.............f.7...............8.........N$...............................C....<....P..b............o....(R.d.._...x...2.............b..>...j........^..Q..p...)....&.....&....S......A..<....X."...%....f)......O...........f.{...)................m.....!..M.J..e..8.............._..<.~.X...Y6..../........x....Y.a..,....................5....k9................B.......A...............t.......m.....?.....aU..V..'........v..C.N....=+.D...{..?f<...........(.&..z...~.....8...^...Z..x.......;%H....r...j.&..........'........h~......t.f......3...............=...@.7.......\|...l.......0.......y.N...w..........l....Z...K.\|.....................-...TS.\|.O..4.x....;........Y..E...............Q............k.l.../..?82....................F.....^.N...X\|....@....8.(........U.(.......t......a.........<?..w....4.e..5....,............../..y..Z...i..P(.....`.^.......'......G.}.....\...............8..F.........

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.9509411156021095
TrID:	Win32 Executable (generic) a (10002005/4) 92.16% NSIS - Nullsoft Scriptable Install System (846627/2) 7.80% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	ulACwpUCSU.exe
File size:	627'775 bytes
MD5:	b6f8b1c89399490857facfcf5bb78d86
SHA1:	898e59e55c027c47833f435fff28ed20da9ecdc8
SHA256:	c4c7ed9360322bf463828c0e86a131a081ecc700fe32dc0215d392251771a6de
SHA512:	5b1539c96bfe2e04844dcceb36cfe5f9891b45e8fa0419c5ba80deca6624912717949a6650e364ce467fa777803fa87768eb923db7f2c82d3d671f5e7f398095
SSDEEP:	12288:2K9/JmMgq+TiZFJVsTej3s1XmPUMLyAetbdrjkcifO+aMs+s:tj+TirqejomPUzNVZkcirass
TLSH:	3AD422A263D1C06FE055677AD9A2D7FBE1159C66D836470B2F117FBA3C761038E0B222
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L....\.U.................^...........2.......p....@

File Icon


Icon Hash:	4740490d27a52145

Static PE Info

General

Entrypoint:	0x403217
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x55C15CE3 [Wed Aug 5 00:46:27 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	59a4a44a250c4cf4f2d9de2b3fe5d95f

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push ebp
push esi
xor ebx, ebx
push edi
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 00409130h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [00407034h]
push 00008001h
call dword ptr [004070B4h]
push ebx
call dword ptr [0040728Ch]
push 00000009h
mov dword ptr [004237B8h], eax
call 00007FE6B4522F7Ah
mov dword ptr [00423704h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 0041ECB8h
call dword ptr [00407164h]
push 004091E4h
push 00422F00h
call 00007FE6B4522C24h
call dword ptr [004070B0h]
mov ebp, 00429000h
push eax
push ebp
call 00007FE6B4522C12h
push ebx
call dword ptr [00407118h]
cmp byte ptr [00429000h], 00000022h
mov dword ptr [00423700h], eax
mov eax, ebp
jne 00007FE6B452017Ch
mov byte ptr [esp+14h], 00000022h
mov eax, 00429001h
push dword ptr [esp+14h]
push eax
call 00007FE6B45226A2h
push eax
call dword ptr [00407220h]
mov dword ptr [esp+1Ch], eax
jmp 00007FE6B4520235h
cmp cl, 00000020h
jne 00007FE6B4520178h
inc eax
cmp byte ptr [eax], 00000020h
je 00007FE6B452016Ch

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x73a4	0xb4	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38000	0x2b6d8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x7000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x5c3a	0x5e00	e5e7adda692e6e028f515fe3daa2b69f	False	0.658951130319149	data	6.410406825129756	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x7000	0x11ce	0x1200	5801d712ecba58aa87d1e7d1aa24f3aa	False	0.4522569444444444	OpenPGP Secret Key	5.236122428806677	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0x9000	0x1a7f8	0x400	cc58d0a55ac015d8f1470ea90f440596	False	0.615234375	data	5.02661163746607	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x24000	0x14000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x38000	0x2b6d8	0x2b800	b6d42514c2cc09fb8e6265d6a2c193e7	False	0.9366244612068966	data	7.857509251924338	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x38418	0x18ef9	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States	1.000401421619981
RT_ICON	0x51318	0x833d	PNG image data, 256 x 256, 8-bit colormap, non-interlaced	English	United States	0.9935410899782718
RT_ICON	0x59658	0x350c	PNG image data, 256 x 256, 4-bit colormap, non-interlaced	English	United States	1.0008100147275405
RT_ICON	0x5cb68	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.6025933609958506
RT_ICON	0x5f110	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.6329737335834896
RT_ICON	0x601b8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2304	English	United States	0.7006929637526652
RT_ICON	0x61060	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1024	English	United States	0.7924187725631769
RT_ICON	0x61908	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1152	English	United States	0.5280487804878049
RT_ICON	0x61f70	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 256	English	United States	0.7109826589595376
RT_ICON	0x624d8	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.7225177304964538
RT_ICON	0x62940	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 512	English	United States	0.6854838709677419
RT_ICON	0x62c28	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 128	English	United States	0.7263513513513513
RT_DIALOG	0x62d50	0x100	data	English	United States	0.5234375
RT_DIALOG	0x62e50	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x62f70	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x63038	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x63098	0xae	data	English	United States	0.6264367816091954
RT_VERSION	0x63148	0x24c	data	English	United States	0.5255102040816326
RT_MANIFEST	0x63398	0x33f	XML 1.0 document, ASCII text, with very long lines (831), with no line terminators	English	United States	0.5547533092659447

Imports

DLL	Import
KERNEL32.dll	GetTickCount, GetFullPathNameA, MoveFileA, SetCurrentDirectoryA, GetFileAttributesA, GetLastError, CreateDirectoryA, SetFileAttributesA, SearchPathA, GetShortPathNameA, CreateFileA, GetFileSize, GetModuleFileNameA, ReadFile, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, CloseHandle, GetCommandLineA, SetErrorMode, LoadLibraryA, lstrlenA, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GlobalLock, CreateThread, CreateProcessA, RemoveDirectoryA, GetTempFileNameA, lstrcpyA, lstrcatA, GetSystemDirectoryA, GetVersion, GetProcAddress, GlobalAlloc, CompareFileTime, SetFileTime, ExpandEnvironmentStringsA, lstrcmpiA, lstrcmpA, WaitForSingleObject, GlobalFree, GetExitCodeProcess, GetModuleHandleA, GetTempPathA, GetWindowsDirectoryA, LoadLibraryExA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, WriteFile, FindClose, WritePrivateProfileStringA, MultiByteToWideChar, MulDiv, GetPrivateProfileStringA, FreeLibrary
USER32.dll	CreateWindowExA, EndDialog, ScreenToClient, GetWindowRect, EnableMenuItem, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, GetDC, SystemParametersInfoA, RegisterClassA, TrackPopupMenu, AppendMenuA, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, DestroyWindow, CreateDialogParamA, SetTimer, GetDlgItem, wsprintfA, SetForegroundWindow, ShowWindow, IsWindow, LoadImageA, SetWindowLongA, SetClipboardData, EmptyClipboard, OpenClipboard, EndPaint, PostQuitMessage, FindWindowExA, SendMessageTimeoutA, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, ShellExecuteA, SHFileOperationA
ADVAPI32.dll	RegCloseKey, RegOpenKeyExA, RegDeleteKeyA, RegDeleteValueA, RegEnumValueA, RegCreateKeyExA, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	CoCreateInstance, CoTaskMemFree, OleInitialize, OleUninitialize
VERSION.dll	GetFileVersionInfoSizeA, GetFileVersionInfoA, VerQueryValueA

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	08:09:01
Start date:	04/06/2024
Path:	C:\Users\user\Desktop\ulACwpUCSU.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\ulACwpUCSU.exe"
Imagebase:	0x400000
File size:	627'775 bytes
MD5 hash:	B6F8B1C89399490857FACFCF5BB78D86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.3857034302.0000000005525000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	20.7%
Dynamic/Decrypted Code Coverage:	14.3%
Signature Coverage:	19.7%
Total number of Nodes:	1473
Total number of Limit Nodes:	42

Executed Functions

Function 00403217 Relevance: 79.1, APIs: 27, Strings: 18, Instructions: 337
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

#17.COMCTL32 ref: 00403238
SetErrorMode.KERNELBASE(00008001), ref: 00403243
OleInitialize.OLE32(00000000), ref: 0040324A

Part of subcall function 00406061: GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 00406073
Part of subcall function 00406061: LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 0040607E
Part of subcall function 00406061: GetProcAddress.KERNEL32(00000000,?), ref: 0040608F

SHGetFileInfoA.SHELL32(0041ECB8,00000000,?,00000160,00000000,00000009), ref: 00403272

Part of subcall function 00405D36: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405D43

GetCommandLineA.KERNEL32(00422F00,NSIS Error), ref: 00403287
GetModuleHandleA.KERNEL32(00000000,"C:\Users\user\Desktop\ulACwpUCSU.exe",00000000), ref: 0040329A
CharNextA.USER32(00000000,"C:\Users\user\Desktop\ulACwpUCSU.exe",00000020), ref: 004032C5
GetTempPathA.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020), ref: 004033C2
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004033D3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033DF
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004033F3
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004033FB
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040340C
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403414
DeleteFileA.KERNELBASE(1033), ref: 00403428
OleUninitialize.OLE32(?), ref: 004034D6
ExitProcess.KERNEL32 ref: 004034F6
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu.tmp,"C:\Users\user\Desktop\ulACwpUCSU.exe",00000000,?), ref: 00403502
lstrcmpiA.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop), ref: 0040350E
CreateDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,00000000), ref: 0040351A
SetCurrentDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\), ref: 00403521
DeleteFileA.KERNEL32(0041E8B8,0041E8B8,?,00424000,?), ref: 0040357A
CopyFileA.KERNEL32(C:\Users\user\Desktop\ulACwpUCSU.exe,0041E8B8,00000001), ref: 0040358E
CloseHandle.KERNEL32(00000000,0041E8B8,0041E8B8,?,0041E8B8,00000000), ref: 004035BB
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000005,00000004), ref: 00403614
ExitWindowsEx.USER32(00000002,80040002), ref: 0040366C
ExitProcess.KERNEL32 ref: 0040368F

Strings

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\Saereste, xrefs: 004034B3
C:\Users\user\AppData\Local\Temp\, xrefs: 004033B7, 004033BC, 004033D2, 004033DE, 004033ED, 004033FA, 00403406, 0040340E, 00403501, 0040350D, 00403519, 00403520, 004035CF
TEMP, xrefs: 00403407
\Temp, xrefs: 004033D9
", xrefs: 004032EA
Error launching installer, xrefs: 0040348E
NSIS Error, xrefs: 00403278
"C:\Users\user\Desktop\ulACwpUCSU.exe", xrefs: 0040328D, 00403293, 0040344C
Low, xrefs: 004033F5
~nsu.tmp, xrefs: 004034FC
`KXu, xrefs: 00403400
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403227
C:\Users\user\Desktop, xrefs: 00403507, 0040350C, 0040352F
C:\Users\user\AppData\Local\Temp\terephthalate\edderdun, xrefs: 004033A7, 004034A8, 00403527, 00403530
1033, xrefs: 00403423
C:\Users\user\Desktop\ulACwpUCSU.exe, xrefs: 00403589
SeShutdownPrivilege, xrefs: 00403626
TMP, xrefs: 0040340F

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: File$DirectoryExitHandleProcesslstrcat$CurrentDeleteEnvironmentModulePathTempVariableWindows$AddressCharCloseCommandCopyCreateErrorInfoInitializeLibraryLineLoadModeNextProcUninitializelstrcmpilstrcpyn
String ID: "$"C:\Users\user\Desktop\ulACwpUCSU.exe"$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\terephthalate\edderdun$C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\Saereste$C:\Users\user\Desktop$C:\Users\user\Desktop\ulACwpUCSU.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$\Temp$`KXu$~nsu.tmp
API String ID: 4107622049-3445031682
Opcode ID: 0e0f6a3637583670758f503623c3da15b8d87b56266dba0afd803753b1801d7b
Instruction ID: 3d26bb40307c87b2cd60c260c775e6d0301d96a10e68b952128d49a18977981a
Opcode Fuzzy Hash: 0e0f6a3637583670758f503623c3da15b8d87b56266dba0afd803753b1801d7b
Instruction Fuzzy Hash: 85B107706082517AE721AF659D8DA2B3EACEB41706F04447FF541BA1E2C77C9E01CB6E

Function 0040515D Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 004051BC
GetDlgItem.USER32(?,000003EE), ref: 004051CB
GetClientRect.USER32(?,?), ref: 00405208
GetSystemMetrics.USER32(00000002), ref: 0040520F
SendMessageA.USER32(?,0000101B,00000000,?), ref: 00405230
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 00405241
SendMessageA.USER32(?,00001001,00000000,?), ref: 00405254
SendMessageA.USER32(?,00001026,00000000,?), ref: 00405262
SendMessageA.USER32(?,00001024,00000000,?), ref: 00405275
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00405297
ShowWindow.USER32(?,00000008), ref: 004052AB
GetDlgItem.USER32(?,000003EC), ref: 004052CC
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 004052DC
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 004052F5
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 00405301
GetDlgItem.USER32(?,000003F8), ref: 004051DA

Part of subcall function 00404021: SendMessageA.USER32(00000028,?,00000001,00403E52), ref: 0040402F

GetDlgItem.USER32(?,000003EC), ref: 0040531D
CreateThread.KERNELBASE(00000000,00000000,Function_000050F1,00000000), ref: 0040532B
FindCloseChangeNotification.KERNELBASE(00000000), ref: 00405332
ShowWindow.USER32(00000000), ref: 00405355
ShowWindow.USER32(?,00000008), ref: 0040535C
ShowWindow.USER32(00000008), ref: 004053A2
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004053D6
CreatePopupMenu.USER32 ref: 004053E7
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004053FC
GetWindowRect.USER32(?,000000FF), ref: 0040541C
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 00405435
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405471
OpenClipboard.USER32(00000000), ref: 00405481
EmptyClipboard.USER32 ref: 00405487
GlobalAlloc.KERNEL32(00000042,?), ref: 00405490
GlobalLock.KERNEL32(00000000), ref: 0040549A
SendMessageA.USER32(?,0000102D,00000000,?), ref: 004054AE
GlobalUnlock.KERNEL32(00000000), ref: 004054C7
SetClipboardData.USER32(00000001,00000000), ref: 004054D2
CloseClipboard.USER32 ref: 004054D8

Strings

Supersuspicion Setup: Installing, xrefs: 0040544D

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendChangeClientDataEmptyFindLockMetricsNotificationOpenSystemThreadTrackUnlock
String ID: Supersuspicion Setup: Installing
API String ID: 4154960007-3553124451
Opcode ID: 3e6425cd8027a1822d7c02b399c2ff8f99ecd6318ec4cf5a11e34b93871bf819
Instruction ID: 24acf85f457993e5d1a00f4a74fbc0a00d7f38a893508f9c9f1f5035b4e63235
Opcode Fuzzy Hash: 3e6425cd8027a1822d7c02b399c2ff8f99ecd6318ec4cf5a11e34b93871bf819
Instruction Fuzzy Hash: 5FA15BB1900208BFDB219FA0DD89AAE7F79FB08355F10407AFA04B61A0C7B55E51DF69

Function 00405D58 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(?,Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00000000,00405057,Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00000000), ref: 00405E09
GetSystemDirectoryA.KERNEL32(Call,00000400), ref: 00405E84
GetWindowsDirectoryA.KERNEL32(Call,00000400), ref: 00405E97
SHGetSpecialFolderLocation.SHELL32(?,00000000), ref: 00405ED3
SHGetPathFromIDListA.SHELL32(00000000,Call), ref: 00405EE1
CoTaskMemFree.OLE32(00000000), ref: 00405EEC
lstrcatA.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00405F0E
lstrlenA.KERNEL32(Call,?,Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00000000,00405057,Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00000000), ref: 00405F60

Strings

Call, xrefs: 00405D7F, 00405E51, 00405E6E, 00405E83, 00405E96, 00405EB2, 00405EDD, 00405F0D, 00405F13, 00405F2B, 00405F3E, 00405F59, 00405F5F, 00405F6A, 00405F94
Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll, xrefs: 00405D87
Software\Microsoft\Windows\CurrentVersion, xrefs: 00405E53
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00405F08

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-1820538080
Opcode ID: 4acb4603a534f03f61e1b5029561f8864cf9bf083dd2ad4547ff7456c33bf565
Instruction ID: 9c0e267699f90c8e910d98bdf84d4b8f2614ab6024826f89c9d009b20b1e8bc4
Opcode Fuzzy Hash: 4acb4603a534f03f61e1b5029561f8864cf9bf083dd2ad4547ff7456c33bf565
Instruction Fuzzy Hash: 10610571A04905ABDF215F64DC84B7B3BA8DB55304F10813BE641B62D1D33C4A42DF9E

Function 004055F6 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileA.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 0040561F
lstrcatA.KERNEL32(00420D00,\*.*,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405667
lstrcatA.KERNEL32(?,00409014,?,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405688
lstrlenA.KERNEL32(?,?,00409014,?,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 0040568E
FindFirstFileA.KERNELBASE(00420D00,?,?,?,00409014,?,00420D00,?,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 0040569F
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 0040574C
FindClose.KERNEL32(00000000), ref: 0040575D

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405604
\*.*, xrefs: 00405661
"C:\Users\user\Desktop\ulACwpUCSU.exe", xrefs: 004055F6

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\ulACwpUCSU.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3267523285
Opcode ID: 25106c92b3c871bc14427ef9fb8c6b07d152e7746fae866eacc9b6d331f36872
Instruction ID: a1a18f6d4a87cf364f513f4d5348cf8987bf6841df45d5f239a42b9e89fe31fb
Opcode Fuzzy Hash: 25106c92b3c871bc14427ef9fb8c6b07d152e7746fae866eacc9b6d331f36872
Instruction Fuzzy Hash: 8051D230905A04FADB216B618C89BBF7AB8DF42714F54803BF445721D2D73C4942EE6E

Function 00406310 Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 743aa33a108d29f9cab5e819e308a9554fb8e98817c33194d1e30fb36f92eda3
Instruction ID: 49e2905b870d629617cd54a3ad4ea64d750052a334705c7e6b68d35cedeefd19
Opcode Fuzzy Hash: 743aa33a108d29f9cab5e819e308a9554fb8e98817c33194d1e30fb36f92eda3
Instruction Fuzzy Hash: 28F17970D00229CBCF28CFA8C8946ADBBB1FF45305F25856ED856BB281D3785A96CF45

Function 00402036 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 132comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00407384,?,00000001,00407374,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040208B
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00407374,?,?), ref: 00402143

Strings

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\Saereste, xrefs: 004020CB

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\Saereste
API String ID: 123533781-1026180038
Opcode ID: 844d7db231ce930ba87aa91d55221135eb66824421c535283c4cff4e72d9e9e5
Instruction ID: 1053df79af30500630abfeafbcf843dcec04d0d4e3091bc204b5fde3a4f6985c
Opcode Fuzzy Hash: 844d7db231ce930ba87aa91d55221135eb66824421c535283c4cff4e72d9e9e5
Instruction Fuzzy Hash: 3B416D71A00209BFCB40EFA4CE88E9E7BB5BF48354B2042A9F911FB2D1D6799D41DB54

Function 0040603A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(?,00421548,Invaliditetsprocent209\indoktrineringen.rec,004058F7,Invaliditetsprocent209\indoktrineringen.rec,Invaliditetsprocent209\indoktrineringen.rec,00000000,Invaliditetsprocent209\indoktrineringen.rec,Invaliditetsprocent209\indoktrineringen.rec,?,?,75572EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75572EE0), ref: 00406045
FindClose.KERNEL32(00000000), ref: 00406051

Strings

Invaliditetsprocent209\indoktrineringen.rec, xrefs: 0040603A

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: Invaliditetsprocent209\indoktrineringen.rec
API String ID: 2295610775-2173611331
Opcode ID: 1aa7e4dc1003f693668b82639e535814eeaefdc3a4332bebb0b1aa5890d42f5a
Instruction ID: ffb9975cce6792308ede9dbdbab0a2e32819aea082b360212a672f9e7c6ece7a
Opcode Fuzzy Hash: 1aa7e4dc1003f693668b82639e535814eeaefdc3a4332bebb0b1aa5890d42f5a
Instruction Fuzzy Hash: 7BD012319490306BC3106B787C0C85B7A599F573317118A33B56AF12F0C7389C7286ED

Function 00406061 Relevance: 4.5, APIs: 3, Instructions: 20libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 00406073
LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 0040607E
GetProcAddress.KERNEL32(00000000,?), ref: 0040608F

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID:
API String ID: 310444273-0
Opcode ID: 14778026069da28af87b9950d589da7dca929d2a00fc8d83b3a738ce3464f0c4
Instruction ID: 2c1b19e4de550b622e70843c6ca25527790cfa0381149662c4593fbace01eca7
Opcode Fuzzy Hash: 14778026069da28af87b9950d589da7dca929d2a00fc8d83b3a738ce3464f0c4
Instruction Fuzzy Hash: 00E0C232A04211ABC321AB749D48D3B73ACAFD8751309493EF50AF6150D734AC21EBBA

Function 00403B19 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403B55
ShowWindow.USER32(?), ref: 00403B72
DestroyWindow.USER32 ref: 00403B86
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BA2
GetDlgItem.USER32(?,?), ref: 00403BC3
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403BD7
IsWindowEnabled.USER32(00000000), ref: 00403BDE
GetDlgItem.USER32(?,00000001), ref: 00403C8C
GetDlgItem.USER32(?,00000002), ref: 00403C96
SetClassLongA.USER32(?,000000F2,?), ref: 00403CB0
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D01
GetDlgItem.USER32(?,00000003), ref: 00403DA7
ShowWindow.USER32(00000000,?), ref: 00403DC8
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403DDA
EnableWindow.USER32(?,?), ref: 00403DF5
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E0B
EnableMenuItem.USER32(00000000), ref: 00403E12
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E2A
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E3D
lstrlenA.KERNEL32(Supersuspicion Setup: Installing,?,Supersuspicion Setup: Installing,00422F00), ref: 00403E66
SetWindowTextA.USER32(?,Supersuspicion Setup: Installing), ref: 00403E75
ShowWindow.USER32(?,0000000A), ref: 00403FA9

Strings

Supersuspicion Setup: Installing, xrefs: 00403E52, 00403E5C, 00403E65, 00403E73

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Supersuspicion Setup: Installing
API String ID: 3282139019-3553124451
Opcode ID: ee793e9f516e2da13c3aa51fc91f44a41e00c2883a64dc2cf2643230f3a9d64a
Instruction ID: 1f8690e76de68066656ca8d54ad2d010e53819933bf2384d883f7e4ba9537b83
Opcode Fuzzy Hash: ee793e9f516e2da13c3aa51fc91f44a41e00c2883a64dc2cf2643230f3a9d64a
Instruction Fuzzy Hash: 17C1C071A04205BBDB21AF21ED48D2B7EBCFB44706F40443EF601B11E1C7799942AB6E

Function 00403787 Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406061: GetModuleHandleA.KERNEL32(?,?,?,0040325C,00000009), ref: 00406073
Part of subcall function 00406061: LoadLibraryA.KERNELBASE(?,?,?,0040325C,00000009), ref: 0040607E
Part of subcall function 00406061: GetProcAddress.KERNEL32(00000000,?), ref: 0040608F

lstrcatA.KERNEL32(1033,Supersuspicion Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Supersuspicion Setup: Installing,00000000,00000002,C:\Users\user\AppData\Local\Temp\,75573410,"C:\Users\user\Desktop\ulACwpUCSU.exe",00000000), ref: 00403802
lstrlenA.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Temp\terephthalate\edderdun,1033,Supersuspicion Setup: Installing,80000001,Control Panel\Desktop\ResourceLocale,00000000,Supersuspicion Setup: Installing,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403877
lstrcmpiA.KERNEL32(?,.exe), ref: 0040388A
GetFileAttributesA.KERNEL32(Call), ref: 00403895
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Temp\terephthalate\edderdun), ref: 004038DE

Part of subcall function 00405C94: wsprintfA.USER32 ref: 00405CA1

RegisterClassA.USER32(00422EA0), ref: 0040391B
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00403933
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403968
ShowWindow.USER32(00000005,00000000), ref: 0040399E
LoadLibraryA.KERNELBASE(RichEd20), ref: 004039AF
LoadLibraryA.KERNEL32(RichEd32), ref: 004039BA
GetClassInfoA.USER32(00000000,RichEdit20A,00422EA0), ref: 004039CA
GetClassInfoA.USER32(00000000,RichEdit,00422EA0), ref: 004039D7
RegisterClassA.USER32(00422EA0), ref: 004039E0
DialogBoxParamA.USER32(?,00000000,00403B19,00000000), ref: 004039FF

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403793
RichEdit, xrefs: 004039D1
Control Panel\Desktop\ResourceLocale, xrefs: 004037BB
"C:\Users\user\Desktop\ulACwpUCSU.exe", xrefs: 0040378B
.exe, xrefs: 00403884
RichEd20, xrefs: 004039AA
RichEdit20A, xrefs: 004039C2, 004039C8
RichEd32, xrefs: 004039B5
Call, xrefs: 00403845, 0040384D, 0040385A, 004038A4, 004038AA
.DEFAULT\Control Panel\International, xrefs: 004037ED
1033, xrefs: 004037A7, 004037FD
C:\Users\user\AppData\Local\Temp\terephthalate\edderdun, xrefs: 00403811, 00403819, 004038B1, 004038B7, 004038C7
_Nb, xrefs: 004038FA, 00403962
Supersuspicion Setup: Installing, xrefs: 004037B3, 004037B9, 004037DE, 004037E7, 004037FC

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: ClassLoad$InfoLibrary$RegisterWindow$AddressAttributesCreateDialogFileHandleImageModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\ulACwpUCSU.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Local\Temp\terephthalate\edderdun$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$Supersuspicion Setup: Installing$_Nb
API String ID: 914957316-2157332175
Opcode ID: d69af52eae453a52e03acfe7140820e929eba722ac2574cb4842baacd9f3a248
Instruction ID: 361ceaa5e45529a70bb989737ed67fdedcb7c759bf8cf29c3cde223c60b7be46
Opcode Fuzzy Hash: d69af52eae453a52e03acfe7140820e929eba722ac2574cb4842baacd9f3a248
Instruction Fuzzy Hash: E661E6B16442007EE720AF659D45F273E6CEB8475AF40407FF941B22E2D67C9D02DA6E

Function 00402C79 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402C8D
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\ulACwpUCSU.exe,00000400), ref: 00402CA9

Part of subcall function 004059C7: GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\ulACwpUCSU.exe,80000000,00000003), ref: 004059CB
Part of subcall function 004059C7: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059ED

GetFileSize.KERNEL32(00000000,00000000,0042B000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ulACwpUCSU.exe,C:\Users\user\Desktop\ulACwpUCSU.exe,80000000,00000003), ref: 00402CF2
GlobalAlloc.KERNELBASE(00000040,00409130), ref: 00402E39

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00402C86, 00402E51
Error launching installer, xrefs: 00402CC9
"C:\Users\user\Desktop\ulACwpUCSU.exe", xrefs: 00402C79
Null, xrefs: 00402D72
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00402E82
Inst, xrefs: 00402D60
C:\Users\user\Desktop, xrefs: 00402CD4, 00402CD9, 00402CDF
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402ED0
C:\Users\user\Desktop\ulACwpUCSU.exe, xrefs: 00402C93, 00402CA2, 00402CB6, 00402CD3
soft, xrefs: 00402D69

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\ulACwpUCSU.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\ulACwpUCSU.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 2803837635-233164334
Opcode ID: 91e4b9dee6fe50fd73dc962a53e9cdaf65c065133738040780962d54176249d0
Instruction ID: 2a27acbe37a486d3f9fadad6f2898e15cdcbef103c1943e89973ac3215dbffb0
Opcode Fuzzy Hash: 91e4b9dee6fe50fd73dc962a53e9cdaf65c065133738040780962d54176249d0
Instruction Fuzzy Hash: BC61C671A40205ABDF20AF64DE89B9A76B4EF00315F20413BF904B72D1D7BC9E418BAD

Function 0040173F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\Saereste,00000000,00000000,00000031), ref: 0040177E
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\Saereste,00000000,00000000,00000031), ref: 004017A8

Part of subcall function 00405D36: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405D43

Part of subcall function 0040501F: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405058
Part of subcall function 0040501F: lstrlenA.KERNEL32(00402C51,Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405068
Part of subcall function 0040501F: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00402C51,00402C51,Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00000000,00000000,00000000), ref: 0040507B
Part of subcall function 0040501F: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll), ref: 0040508D
Part of subcall function 0040501F: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050B3
Part of subcall function 0040501F: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050CD
Part of subcall function 0040501F: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050DB

Strings

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\Saereste, xrefs: 0040176C
Call, xrefs: 0040175B, 00401764, 00401771, 00401783, 00401794, 004017CA, 004017E0, 004017FE, 0040183E, 004018BF, 004018C8, 004018D2, 004018DD
C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll, xrefs: 0040180C, 00401828
C:\Users\user\AppData\Local\Temp\nsk8D31.tmp, xrefs: 00401789, 004017F8, 00401816

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp$C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll$C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\Saereste$Call
API String ID: 1941528284-2332474559
Opcode ID: 3aa427727347f9e8141c62517debd6c6d5f1ffb41e66c3134885ff25fefb9c69
Instruction ID: 7da2985f373e49f587e0f88560f455237d5d3a700d2e38046b33ad83bb6d7614
Opcode Fuzzy Hash: 3aa427727347f9e8141c62517debd6c6d5f1ffb41e66c3134885ff25fefb9c69
Instruction Fuzzy Hash: 0341B871910515BACF10BFA5DC46DAF3679DF41369F20823BF511F10E1D63C8A419A6E

Function 0040501F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405058
lstrlenA.KERNEL32(00402C51,Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405068
lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00402C51,00402C51,Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00000000,00000000,00000000), ref: 0040507B
SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll), ref: 0040508D
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050B3
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050CD
SendMessageA.USER32(?,00001013,?,00000000), ref: 004050DB

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll, xrefs: 0040503F, 00405051, 00405057, 0040507A, 00405086

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll
API String ID: 2531174081-264110117
Opcode ID: ee1b08cb592492bdf5f80b5dae1b552c690ecdeff46defc75ce9aeeb2979dc18
Instruction ID: 2b33129011dff48d1edd85efe61027b37dbb0349f6b457de8e93b882053e083c
Opcode Fuzzy Hash: ee1b08cb592492bdf5f80b5dae1b552c690ecdeff46defc75ce9aeeb2979dc18
Instruction Fuzzy Hash: C2219071900508BBDB119FA5CD84ADFBFB9EF14354F14807AF544B6290C2794E45DFA8

Function 0040231C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExA.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 0040235A
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nsk8D31.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 0040237A
RegSetValueExA.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nsk8D31.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B3
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsk8D31.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Strings

C:\Users\user\AppData\Local\Temp\nsk8D31.tmp, xrefs: 0040236B, 00402379, 0040238D, 0040239D, 004023A8

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp
API String ID: 1356686001-2617030530
Opcode ID: 86a468557908f0d4cc1937d8ef59051a5efb18d14e0f25ee016bd79e191944f1
Instruction ID: 937c1904c824b73ffe337d2eacc138a1f8ac1658d2030852d1a46e58dbdf142b
Opcode Fuzzy Hash: 86a468557908f0d4cc1937d8ef59051a5efb18d14e0f25ee016bd79e191944f1
Instruction Fuzzy Hash: D71172B1E00118BFEB10EFA4DE89EAF7678FB50358F10413AF905B61D1D7B85D41A668

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040585F: CharNextA.USER32(?,?,Invaliditetsprocent209\indoktrineringen.rec,?,004058CB,Invaliditetsprocent209\indoktrineringen.rec,Invaliditetsprocent209\indoktrineringen.rec,?,?,75572EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 0040586D
Part of subcall function 0040585F: CharNextA.USER32(00000000), ref: 00405872
Part of subcall function 0040585F: CharNextA.USER32(00000000), ref: 00405886

CreateDirectoryA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015DB
GetLastError.KERNEL32(?,00000000,0000005C,00000000,000000F0), ref: 004015E5
GetFileAttributesA.KERNELBASE(00000000,?,00000000,0000005C,00000000,000000F0), ref: 004015F3
SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\Saereste,00000000,00000000,000000F0), ref: 00401622

Strings

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\Saereste, xrefs: 00401617

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentErrorFileLast
String ID: C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\Saereste
API String ID: 3751793516-1026180038
Opcode ID: db51a681e4e1b110c4379ef5fee21ee97cfdebff7cd263ace0e336009ceda904
Instruction ID: decf54c0780f34986dcb1f6dc2400c6331eb5c21fa926316ee50895bb5337331
Opcode Fuzzy Hash: db51a681e4e1b110c4379ef5fee21ee97cfdebff7cd263ace0e336009ceda904
Instruction Fuzzy Hash: CE11E931908150ABDB217F755D4496F67B4EA62365728473FF891B22D2C23C4D42E62E

Function 004059F6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405A0A
GetTempFileNameA.KERNELBASE(?,?,00000000,?), ref: 00405A24

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004059F9, 004059FD
"C:\Users\user\Desktop\ulACwpUCSU.exe", xrefs: 004059F6
nsa, xrefs: 00405A01

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\ulACwpUCSU.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2954004818
Opcode ID: 41eb4eacc2b5e04bba23a072be30983b5b4707d802c2e92527758f248babbe87
Instruction ID: 2f7b9810ed7c5924072585cf2130ed1295747d9915b618abfa336aedeca5813d
Opcode Fuzzy Hash: 41eb4eacc2b5e04bba23a072be30983b5b4707d802c2e92527758f248babbe87
Instruction Fuzzy Hash: C1F0E2327482487BDB008F1ADC44B9B7B9CDF91710F00C03BF904AA280D2B0A8008B68

Function 00402A3D Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExA.KERNELBASE(?,?,00000000,?,?), ref: 00402A5E
RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402A9A
RegCloseKey.ADVAPI32(?), ref: 00402AA3
RegCloseKey.ADVAPI32(?), ref: 00402AC8
RegDeleteKeyA.ADVAPI32(?,?), ref: 00402AE6

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 921281f3cc01420fdc1beeb1eeb708213ab33a1a3c9c72e215a90ba7be82d26f
Instruction ID: 1cfc72d501241f28ff1c9237e437913a5e8660848d06dce24e2e83bd327c9a1b
Opcode Fuzzy Hash: 921281f3cc01420fdc1beeb1eeb708213ab33a1a3c9c72e215a90ba7be82d26f
Instruction Fuzzy Hash: EA114F71A00108FFDF219F90DE48EAA3B7DEB44349B104076FA05B11A0DBB49E559F69

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC4
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CC9
Part of subcall function 10001A5D: GlobalFree.KERNEL32(?), ref: 10001CCE

GlobalFree.KERNEL32(00000000), ref: 10001768
FreeLibrary.KERNEL32(?), ref: 100017DF
GlobalFree.KERNEL32(00000000), ref: 10001804

Part of subcall function 100021B0: GlobalAlloc.KERNEL32(00000040,7D8BEC45), ref: 100021E2

Part of subcall function 1000258D: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,10001739,00000000), ref: 100025FF

Part of subcall function 10001559: lstrcpyA.KERNEL32(00000000,10004010,00000000,10001695,00000000), ref: 10001572

Strings

, xrefs: 100017E5

Memory Dump Source

Source File: 00000000.00000002.3862991325.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3862977554.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3863004418.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3863017406.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_ulACwpUCSU.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 5c34708dbc5c14fa42f4b7439be41c1509afaedaf37bf6653e8bb29f9fa28a01
Instruction ID: 946e86dc2be410c0748ecba0c1d48508df540d87c222276c6f0f58241c559a10
Opcode Fuzzy Hash: 5c34708dbc5c14fa42f4b7439be41c1509afaedaf37bf6653e8bb29f9fa28a01
Instruction Fuzzy Hash: C5318B79408205DAFB41DF649CC5BCA37ECFB042D5F018465FA0A9A09ADF78A8458A60

Function 00401BB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C18
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C30

Strings

!, xrefs: 00401BEC

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 223d8f7865d2b1dd0e95bc8f55079009c40be9e2a37a1be7db68750e4265ac19
Instruction ID: c8505a4ed1fbcfe48898eca751f608fe424cacc25c72cee6cab93c7adb8e4515
Opcode Fuzzy Hash: 223d8f7865d2b1dd0e95bc8f55079009c40be9e2a37a1be7db68750e4265ac19
Instruction Fuzzy Hash: 742190B1A44208BFEF41AFB4CD4AAAE7BB5EF40344F14453EF541B61D1D6B89A40E728

Function 0040303A Relevance: 6.1, APIs: 4, Instructions: 108fileCOMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040304F

Part of subcall function 004031CC: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EA4,?), ref: 004031DA

SetFilePointer.KERNELBASE(00000000,00000000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?,?,00402ECB,000000FF,00000000,00000000), ref: 00403082
WriteFile.KERNELBASE(0040A8A0,0040DF4B,00000000,00000000,004128A0,00004000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?), ref: 0040313C
SetFilePointer.KERNELBASE(000059BC,00000000,00000000,004128A0,00004000,?,00000000,?,00402F52,00000004,00000000,00000000,?,?,?,00402ECB), ref: 0040318E

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: File$Pointer$CountTickWrite
String ID:
API String ID: 2146148272-0
Opcode ID: 24d90e6fe24fc4b927ba7929ca5aee42abf3264703176f7c86ada2f370568673
Instruction ID: 01a25493adf58fb9a894681412e440a2e883d4234beea4965eba9eb13e735820
Opcode Fuzzy Hash: 24d90e6fe24fc4b927ba7929ca5aee42abf3264703176f7c86ada2f370568673
Instruction Fuzzy Hash: CC414F725052019FDB10BF29EE849663BFCFB4431A715863BE810BA2E4D7389D52CB5E

Function 00401F68 Relevance: 6.1, APIs: 4, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNELBASE(00000000,00000001,000000F0), ref: 00401F93

Part of subcall function 0040501F: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405058
Part of subcall function 0040501F: lstrlenA.KERNEL32(00402C51,Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405068
Part of subcall function 0040501F: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00402C51,00402C51,Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00000000,00000000,00000000), ref: 0040507B
Part of subcall function 0040501F: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll), ref: 0040508D
Part of subcall function 0040501F: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050B3
Part of subcall function 0040501F: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050CD
Part of subcall function 0040501F: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050DB

LoadLibraryExA.KERNELBASE(00000000,?,00000008,00000001,000000F0), ref: 00401FA3
GetProcAddress.KERNEL32(00000000,?), ref: 00401FB3
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040201D

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID:
API String ID: 2987980305-0
Opcode ID: 8405f33e14f9c3f15d0e520106e072150188c144eaeb8d7ef96d34cccaac7bda
Instruction ID: 23a464ffe6ca8440643a385a127484fd4ee8ad6b227fb7efa4d26ad3fc5b3ac3
Opcode Fuzzy Hash: 8405f33e14f9c3f15d0e520106e072150188c144eaeb8d7ef96d34cccaac7bda
Instruction Fuzzy Hash: D7210872904211BACF107FA48E49A6E39B0AB44358F60823BF601B62D1D7BC4941AA6E

Function 004031E3 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 20COMMON

Download Yara Rule

APIs

Part of subcall function 00405FA1: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\ulACwpUCSU.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 00405FF9
Part of subcall function 00405FA1: CharNextA.USER32(?,?,?,00000000), ref: 00406006
Part of subcall function 00405FA1: CharNextA.USER32(?,"C:\Users\user\Desktop\ulACwpUCSU.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 0040600B
Part of subcall function 00405FA1: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 0040601B

CreateDirectoryA.KERNELBASE(C:\Users\user\AppData\Local\Temp\,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 00403204

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004031E4, 004031E9, 004031EF, 004031FB, 00403203, 0040320A
1033, xrefs: 0040320B

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: Char$Next$CreateDirectoryPrev
String ID: 1033$C:\Users\user\AppData\Local\Temp\
API String ID: 4115351271-3144792594
Opcode ID: ee23c129dd8a5d49f4f649e38bc420fd14e59507522fd77197c34cef7b8656a6
Instruction ID: 89773af62672bbf6302d30782f314b1c1bc42d6855f09756152acd8bf908297a
Opcode Fuzzy Hash: ee23c129dd8a5d49f4f649e38bc420fd14e59507522fd77197c34cef7b8656a6
Instruction Fuzzy Hash: 24D0C71290AD3066D5513B6A7C46FCF050C8F4675DF11807BF904751C58F6C555395EF

Function 00406745 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa6151eb6114a7c7dde5596e7ed141339a6810161cd6e35f889c2edb9118ca88
Instruction ID: d3f30c549e8eaa155af2d8805db43d359078549a114e1d1e4cfdde4495a9482f
Opcode Fuzzy Hash: fa6151eb6114a7c7dde5596e7ed141339a6810161cd6e35f889c2edb9118ca88
Instruction Fuzzy Hash: 13A14471E00228CBDF28DFA8C8447ADBBB1FB45305F15816ED816BB281D7785A96DF44

Function 00406946 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e9dede487193b96133ea94438acbc75bab27e7ac1b94d370ef06066709f64446
Instruction ID: 66af66db22d428e7cee4185570621c0262e28a8f97ef0091af547b150b1cef7f
Opcode Fuzzy Hash: e9dede487193b96133ea94438acbc75bab27e7ac1b94d370ef06066709f64446
Instruction Fuzzy Hash: 7F912170E00228CBDF28DF98C8947ADBBB1FB45305F15816ED816BB281C7786A96DF44

Function 0040665C Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2d995426ddd841542114576c7cd3986778113386b5e0d0d2bb3b42046c5d03f
Instruction ID: 36158da5dd70985ab85e2c4d41886ca33cae813362c0b87a96f868d92fb05337
Opcode Fuzzy Hash: d2d995426ddd841542114576c7cd3986778113386b5e0d0d2bb3b42046c5d03f
Instruction Fuzzy Hash: 65815771D00228CFDF24CFA8C8847ADBBB1FB45305F25816AD816BB281D778A996DF15

Function 00406161 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68ae08bc292ff831ddf939399879833efa26d2e617e1386947dce183f6739e75
Instruction ID: 1715bfb1c3d5716620224504c503b3d15fe2aa0a2bbcc08a305e6ffc6cb4203b
Opcode Fuzzy Hash: 68ae08bc292ff831ddf939399879833efa26d2e617e1386947dce183f6739e75
Instruction Fuzzy Hash: 53817771D00228DBDF24CFA8C8447ADBBB0FB44301F2581AED856BB281D7786A96DF45

Function 004065AF Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2929f55d3e8b81ac1e584e7399a4f2facda7d772583105b5c0ec75abe6cb9a93
Instruction ID: 032b7c8430df6362c90b97cb5f8c3133674bcd2d0f853081a3cdcc23126a0f5c
Opcode Fuzzy Hash: 2929f55d3e8b81ac1e584e7399a4f2facda7d772583105b5c0ec75abe6cb9a93
Instruction Fuzzy Hash: 87711371D00228CFDF24CF98C8847ADBBB1FB48305F15806AD816BB281D7785996DF45

Function 004066CD Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 948a468c2091db2feb9fa4c22586628b65dd678cc983fa395508304452d62250
Instruction ID: 3e9dbefe820a1d4baf734be7fb741bb2fb66d8e6f9ed59188b506b6c9edb630d
Opcode Fuzzy Hash: 948a468c2091db2feb9fa4c22586628b65dd678cc983fa395508304452d62250
Instruction Fuzzy Hash: AB711371E00228CBDF28CF98C884BADBBB1FB44305F15816ED816BB281D7786996DF45

Function 00406619 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d63a3d575cf43ccaec2b316c623d79440d1cb8ee82c5371297a3fda91248972
Instruction ID: 1812ff5f5430a706778d8acc512246fd3c212bc7acfdfbe5d0fa3af8c8d1a12f
Opcode Fuzzy Hash: 2d63a3d575cf43ccaec2b316c623d79440d1cb8ee82c5371297a3fda91248972
Instruction Fuzzy Hash: AD712471E00228CBDF28DF98C844BADBBB1FB44305F15806ED856BB291C7786A96DF45

Function 00402F1F Relevance: 4.6, APIs: 3, Instructions: 95fileCOMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00409130,00000000,00000000,00000000,00000000,?,?,?,00402ECB,000000FF,00000000,00000000,00409130,?), ref: 00402F45
WriteFile.KERNELBASE(00000000,004128A0,?,000000FF,00000000,004128A0,00004000,00409130,00409130,00000004,00000004,00000000,00000000,?,?), ref: 00402FD2

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: File$PointerWrite
String ID:
API String ID: 539440098-0
Opcode ID: 41928112f34441f9b3539e2a42aa88ab340ce8e3764aaba8d566e6229e32b04b
Instruction ID: 3b6e370e410e3f669d4a968ba26e16673121f6254c39c59cd6eb20204b18cf3c
Opcode Fuzzy Hash: 41928112f34441f9b3539e2a42aa88ab340ce8e3764aaba8d566e6229e32b04b
Instruction Fuzzy Hash: 14313931502259FFDF20DF55DD44A9E3BA8EF04395F20403AF908A61D0D2789A41EBA9

Function 0040218A Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040603A: FindFirstFileA.KERNELBASE(?,00421548,Invaliditetsprocent209\indoktrineringen.rec,004058F7,Invaliditetsprocent209\indoktrineringen.rec,Invaliditetsprocent209\indoktrineringen.rec,00000000,Invaliditetsprocent209\indoktrineringen.rec,Invaliditetsprocent209\indoktrineringen.rec,?,?,75572EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75572EE0), ref: 00406045
Part of subcall function 0040603A: FindClose.KERNEL32(00000000), ref: 00406051

lstrlenA.KERNEL32 ref: 004021CA
lstrlenA.KERNEL32(00000000), ref: 004021D4
SHFileOperationA.SHELL32(?,?,?,00000000), ref: 004021FC

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: bca2972add9fd882f8e407e235b9fbbb20ab122dffcfd5b9ae2cbf6afbd38a77
Instruction ID: 8bd3c95f8033a3e017dea1ba9a61a5da7054b4883ba983d73c0c7a27e6e6bfe8
Opcode Fuzzy Hash: bca2972add9fd882f8e407e235b9fbbb20ab122dffcfd5b9ae2cbf6afbd38a77
Instruction Fuzzy Hash: 70115671E04319AADB00FFB5894999EB7F8EF10344F10853BA505FB2D2D6BCC9019B69

Function 0040243A Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402468
RegEnumValueA.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 0040247B
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsk8D31.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: caf030312989360912e564f455c27575c802c45ca4fe6e6e3a31a613e64801eb
Instruction ID: 09a8887cd5e4729410dcfabe5c46d2a670465c21522258ca6cdcbf1033b2090e
Opcode Fuzzy Hash: caf030312989360912e564f455c27575c802c45ca4fe6e6e3a31a613e64801eb
Instruction Fuzzy Hash: E8F08671904204FFD7119F659D8CEBF7A6CEB40748F10453EF441B62C0D6B95E41966A

Function 00401DD8 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

ShellExecuteA.SHELL32(?,00000000,00000000,00000000,C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\Saereste,?), ref: 00401E1E

Strings

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\Saereste, xrefs: 00401E09

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: ExecuteShell
String ID: C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\Saereste
API String ID: 587946157-1026180038
Opcode ID: 40434b390c6071fab714dcb5d25e8e1443f7045445f963bbe9c0ee784e309111
Instruction ID: 92cbb6ba42742382510c3a8e41a68a30635fa0dc9ae6a59fa4a75f74f7b170a3
Opcode Fuzzy Hash: 40434b390c6071fab714dcb5d25e8e1443f7045445f963bbe9c0ee784e309111
Instruction Fuzzy Hash: 8DF0F6B3B041047ACB41ABB59E4AE5D2BA4EB41718F240A3BF400F71C2DAFC8841F728

Function 100027EC Relevance: 3.2, APIs: 2, Instructions: 156COMMON

Download Yara Rule

APIs

EnumWindows.USER32(00000000), ref: 100028AB
GetLastError.KERNEL32 ref: 100029B2

Memory Dump Source

Source File: 00000000.00000002.3862991325.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3862977554.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3863004418.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3863017406.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_ulACwpUCSU.jbxd

Similarity

API ID: EnumErrorLastWindows
String ID:
API String ID: 14984897-0
Opcode ID: 10da2a693ced731503c2d5b3de2f7fe8e431c949d2a6016fe146597bbe82a282
Instruction ID: 2b4501ff186f60f2b29b8b71d76009b37135a14f8b8ad132536a4a21bb517402
Opcode Fuzzy Hash: 10da2a693ced731503c2d5b3de2f7fe8e431c949d2a6016fe146597bbe82a282
Instruction Fuzzy Hash: 9E51A4BA908214DFFB14DF60DCC5B5937A8EB443D4F218429EA08E725DDF38A981CB94

Function 004023C8 Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F

RegQueryValueExA.KERNELBASE(00000000,00000000,?,?,?,?), ref: 004023F8
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nsk8D31.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402490

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 7eb33a159c5e2e36f52cd260ea1f941ce228b1fcd6854e0b7c510fd00de33ed5
Instruction ID: 6e7bf8a8071b86039a0630bdde8d6c62460c4efec4bb82e40fe4d514ce07d4c8
Opcode Fuzzy Hash: 7eb33a159c5e2e36f52cd260ea1f941ce228b1fcd6854e0b7c510fd00de33ed5
Instruction Fuzzy Hash: 6711C171905205EFDB11DF60CA889BEBBB4EF00344F20843FE441B62C0D2B84A41EB6A

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
Instruction ID: da56ad7cfcb2a9fecb994a09e4a0bd113f750103611445cd7b28aada07ee45e3
Opcode Fuzzy Hash: a519dadb84f5fbb5742ded63e05e15cde03a873041ee9604df24846d4002906c
Instruction Fuzzy Hash: 2E012831B24210ABE7294B389D04B6A369CE710328F11823BF811F72F1D6B8DC42DB4D

Function 004022C0 Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402B07: RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 004022DF
RegCloseKey.ADVAPI32(00000000), ref: 004022E8

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 9fe761724c1276d574af105ef08c00a5703bee9f5c9ace5d1d1e19f8a1f69dfd
Instruction ID: 2c42072c31bcbbe471fcd7c214f11599c8a5ac898b8b604777345a29c8a948e9
Opcode Fuzzy Hash: 9fe761724c1276d574af105ef08c00a5703bee9f5c9ace5d1d1e19f8a1f69dfd
Instruction Fuzzy Hash: 65F04F72A04111ABDB51ABB49A8EAAE6268AB40318F14453BF501B61C1DAFC5E01A66E

Function 0040155B Relevance: 3.0, APIs: 2, Instructions: 28COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00010494), ref: 00401579
ShowWindow.USER32(0001048E), ref: 0040158E

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: ShowWindow
String ID:
API String ID: 1268545403-0
Opcode ID: c64c6d1f079b89554086766a5c5b018e70a08e7419b7e9e5f4a1fba6667fe9af
Instruction ID: 8a385b190166ef4faee7ea7f7faf61a79327429c222f4cee9526e2a72d22cdd5
Opcode Fuzzy Hash: c64c6d1f079b89554086766a5c5b018e70a08e7419b7e9e5f4a1fba6667fe9af
Instruction Fuzzy Hash: 9FF0E577B08250BFC725CF64ED8086E77F5EB5531075444BFD102A3292C2B89D04DB18

Function 00401DAC Relevance: 3.0, APIs: 2, Instructions: 21COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000,00000001), ref: 00401DC2
EnableWindow.USER32(00000000,00000000), ref: 00401DCD

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 3f66373841930f62a7e084ead73e64351eb2d9defc74f476aa24081e3a98abe9
Instruction ID: 18ac702c75a7039fec00373c4f699ed09bc4c8ec852dd7b5b9a0ef8cb6e9c66a
Opcode Fuzzy Hash: 3f66373841930f62a7e084ead73e64351eb2d9defc74f476aa24081e3a98abe9
Instruction Fuzzy Hash: 39E0CD72B04110EBCB10BBB45D4A55E3374DF10359B10443BF501F11C1D2B85C40565D

Function 004059C7 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\ulACwpUCSU.exe,80000000,00000003), ref: 004059CB
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059ED

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: b262a0f40d66ad03986e5cb00ab33bb84fd1bf9937e58ea257525f7228853690
Instruction ID: 21e5f81f3e52fa2c8f9e5bc24a994218dd140026ef3a1e453d479de883aad6ce
Opcode Fuzzy Hash: b262a0f40d66ad03986e5cb00ab33bb84fd1bf9937e58ea257525f7228853690
Instruction Fuzzy Hash: 94D09E31668301AFEF098F20DD16F2E7BA2EB84B00F10562CB682D40E0D6755815DB16

Function 004059A2 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,004055BA,?,?,00000000,0040579D,?,?,?,?), ref: 004059A7
SetFileAttributesA.KERNEL32(?,00000000), ref: 004059BB

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9001e84463e5b3d4dd00ca1d2e00f3bb66c1d6c16300b22364f3152d7eb201de
Instruction ID: a98ca5448702c3e829ea1667e49b0be7f6aa4c87fef4348ac0342a167d80fd98
Opcode Fuzzy Hash: 9001e84463e5b3d4dd00ca1d2e00f3bb66c1d6c16300b22364f3152d7eb201de
Instruction Fuzzy Hash: 19D0C9B2918120EBC2102728AD0889BBF69EB542717018B31F865A22B0C7304C52DAA9

Function 0040223B Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 00402274

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 9ff6483e56f83e050050973c75d29e7e6846100e3a8c6593062fb544488b0e4d
Instruction ID: 05d4d75dbd01593bae97f630dbecede8c42f44da552b6d0f9ca4defc7305ba5b
Opcode Fuzzy Hash: 9ff6483e56f83e050050973c75d29e7e6846100e3a8c6593062fb544488b0e4d
Instruction Fuzzy Hash: 2FE04F72B001696ADB903AF18F8DD7F21597B84304F15067EF611B62C2D9BC0D81A2B9

Function 00402B07 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,00000022,00000000,?,?), ref: 00402B2F

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: ebfeba3ed9c8d95cb46d76ca19a6c1a04daa5e79448631d0a062a8db0bedbb5d
Instruction ID: 087740a894708ae54e311fe38564fcb001a0ed9e3d0f4d4a62d19f1d4de25a1d
Opcode Fuzzy Hash: ebfeba3ed9c8d95cb46d76ca19a6c1a04daa5e79448631d0a062a8db0bedbb5d
Instruction Fuzzy Hash: 38E046B6250108AADB40EFA4EE4AF9537ECFB04700F008021BA08E7091CA78E5509B69

Function 00405A3F Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00409130,00000000,00000000,00000000,00000000,004128A0,0040A8A0,004031C9,00409130,00409130,004030BB,004128A0,00004000,?,00000000,?), ref: 00405A53

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 36ce21e0183dc59356ed1b7b138b7ffe2bb5c4fd6ccae5392a8977301763c5ee
Instruction ID: 55609983f428609d3339a900fe5ea2c3161a13bcf9e808ef2cae39733250456b
Opcode Fuzzy Hash: 36ce21e0183dc59356ed1b7b138b7ffe2bb5c4fd6ccae5392a8977301763c5ee
Instruction Fuzzy Hash: F7E08C3231025AABDF109EA09C40AEB3B6CEB00760F084432FA14E2040D230E9218FA5

Function 1000270F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000404C,00000004,00000040,1000403C), ref: 1000272D

Memory Dump Source

Source File: 00000000.00000002.3862991325.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3862977554.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3863004418.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3863017406.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_ulACwpUCSU.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction ID: 4dab7c069dd6fc30f8915db09394f7f991a1b088a201bba37056324bf7fcc065
Opcode Fuzzy Hash: 18430b4f65034898945c85cbd496d0600587ffef3804861361c874148a7acf75
Instruction Fuzzy Hash: 98F09BF19092A0DEF360DF688CC47063FE4E3993D5B03852AE358F6269EB7441448B19

Function 0040227F Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringA.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 004022B2

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: f8d132d461a5c4ed5c76335474cd8e98aaa4b1821b9353edac55918b86fd9ae5
Instruction ID: 1024819f7f1d2ea578916dba6ac29c28ac22902c13986e1de9ff5d702d2d6265
Opcode Fuzzy Hash: f8d132d461a5c4ed5c76335474cd8e98aaa4b1821b9353edac55918b86fd9ae5
Instruction Fuzzy Hash: B9E08671A44209BADB406FA08E09EBD3668BF01710F10013AF9507B0D1EBB88442F72D

Function 00404038 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00010488,00000000,00000000,00000000), ref: 0040404A

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction ID: af7fd4c3fc1dda8ad1a195a9021ea177fcc43fc0d0bb539f8953ea950d20d41d
Opcode Fuzzy Hash: 875450fc840247aea6e73403ee44149e02d5474b467ece0a28835bfda1230da9
Instruction Fuzzy Hash: DFC09B717443007BEA31DB509D49F077758A750B00F5584357320F50D0C6B4F451D62D

Function 00404021 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403E52), ref: 0040402F

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction ID: 7b5ccc39adf6f72de5191684d4495c6b43ffe58f78915606d69c4a7e6f44d702
Opcode Fuzzy Hash: 3bdb3c033a7d800f3f5983e71921b41162ac414239058931643885a1338ef954
Instruction Fuzzy Hash: F3B092B5684200BAEE224B40DD09F457EA2E7A4702F008024B300240B0C6B200A1DB19

Function 004031CC Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402EA4,?), ref: 004031DA

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction ID: 49fdcfdf8b1973cd13611e97ba0bfafd8618b6cb304eeeee9131019f9f046fb0
Opcode Fuzzy Hash: 0070af3e33726fe8c9f5218e9eb5d27e4edbe1e9193197dd8736a9b9f47decae
Instruction Fuzzy Hash: 03B01271644200BFDA214F00DF05F057B21A790700F10C030B748380F082712420EB4D

Function 0040400E Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403DEB), ref: 00404018

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: caaff2729d3fe7bae5ae998927534049a5cfce9e2193b3926e4c56a419af128c
Instruction ID: f87940b9544c4de7e657a104dd6f20edac94ef916c9b89b279468f5034d51d6a
Opcode Fuzzy Hash: caaff2729d3fe7bae5ae998927534049a5cfce9e2193b3926e4c56a419af128c
Instruction Fuzzy Hash: E2A01231404001DBCB014B10DF04C45FF21B7503007018030E50140034C6310420FF09

Function 004014D6 Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E5

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 36591f86aa2c1f2adefcdb7238d8e5e1d903d288247f27f70a02a30479273739
Instruction ID: 4daead48d26ae6742cc4751adb680189456718570d67c7320b978f12710e1ab5
Opcode Fuzzy Hash: 36591f86aa2c1f2adefcdb7238d8e5e1d903d288247f27f70a02a30479273739
Instruction Fuzzy Hash: DFD0C7B7B141006BD750E7B86E8545A73E8F75135A7148837D502E1191D17DC9415519

Non-executed Functions

Function 0040499C Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 004049B4
GetDlgItem.USER32(?,00000408), ref: 004049BF
GlobalAlloc.KERNEL32(00000040,?), ref: 00404A09
LoadBitmapA.USER32(0000006E), ref: 00404A1C
SetWindowLongA.USER32(?,000000FC,00404F93), ref: 00404A35
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404A49
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404A5B
SendMessageA.USER32(?,00001109,00000002), ref: 00404A71
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404A7D
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404A8F
DeleteObject.GDI32(00000000), ref: 00404A92
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404ABD
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404AC9
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B5E
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404B89
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404B9D
GetWindowLongA.USER32(?,000000F0), ref: 00404BCC
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404BDA
ShowWindow.USER32(?,00000005), ref: 00404BEB
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404CE8
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404D4D
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404D62
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404D86
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404DA6
ImageList_Destroy.COMCTL32(00000000), ref: 00404DBB
GlobalFree.KERNEL32(00000000), ref: 00404DCB
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404E44
SendMessageA.USER32(?,00001102,?,?), ref: 00404EED
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404EFC
InvalidateRect.USER32(?,00000000,00000001), ref: 00404F1C
ShowWindow.USER32(?,00000000), ref: 00404F6A
GetDlgItem.USER32(?,000003FE), ref: 00404F75
ShowWindow.USER32(00000000), ref: 00404F7C

Strings

M, xrefs: 00404B45
, xrefs: 00404F54
N, xrefs: 00404C26

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 48884298102dd397bd7c84c821747a4fdce173a69a1f3747addc236cef338d07
Instruction ID: ec1b41ef9246f4b5ca9c31e675ea93c5522bc938a585a88f05d0904c7564d9ec
Opcode Fuzzy Hash: 48884298102dd397bd7c84c821747a4fdce173a69a1f3747addc236cef338d07
Instruction Fuzzy Hash: 7A025FB0900209AFEB10DF94DC85AAE7BB5FB84315F10817AFA10B62E1D7789D42DF58

Function 0040442A Relevance: 24.8, APIs: 10, Strings: 4, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404479
SetWindowTextA.USER32(00000000,?), ref: 004044A3
SHBrowseForFolderA.SHELL32(?,0041F0D0,?), ref: 00404554
CoTaskMemFree.OLE32(00000000), ref: 0040455F
lstrcmpiA.KERNEL32(Call,Supersuspicion Setup: Installing), ref: 00404591
lstrcatA.KERNEL32(?,Call), ref: 0040459D
SetDlgItemTextA.USER32(?,000003FB,?), ref: 004045AF

Part of subcall function 0040552E: GetDlgItemTextA.USER32(?,?,00000400,004045E6), ref: 00405541

Part of subcall function 00405FA1: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\ulACwpUCSU.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 00405FF9
Part of subcall function 00405FA1: CharNextA.USER32(?,?,?,00000000), ref: 00406006
Part of subcall function 00405FA1: CharNextA.USER32(?,"C:\Users\user\Desktop\ulACwpUCSU.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 0040600B
Part of subcall function 00405FA1: CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 0040601B

GetDiskFreeSpaceA.KERNEL32(0041ECC8,?,?,0000040F,?,0041ECC8,0041ECC8,?,00000000,0041ECC8,?,?,000003FB,?), ref: 0040466C
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404687

Part of subcall function 004047E0: lstrlenA.KERNEL32(Supersuspicion Setup: Installing,Supersuspicion Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046FB,000000DF,00000000,00000400,?), ref: 0040487E
Part of subcall function 004047E0: wsprintfA.USER32 ref: 00404886
Part of subcall function 004047E0: SetDlgItemTextA.USER32(?,Supersuspicion Setup: Installing), ref: 00404899

Strings

Call, xrefs: 0040458B, 00404590, 0040459B
A, xrefs: 0040454D
C:\Users\user\AppData\Local\Temp\terephthalate\edderdun, xrefs: 0040457A
Supersuspicion Setup: Installing, xrefs: 00404527, 0040458A

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Local\Temp\terephthalate\edderdun$Call$Supersuspicion Setup: Installing
API String ID: 2624150263-2132795571
Opcode ID: 460c116a5067c679cb5b5ce948a3056466bcf158c5435e38ad8be33a97865feb
Instruction ID: 5a451af96f6c61f8b8aedc9e732e962e3b59a2a539d705b9404eba0a1a8e20eb
Opcode Fuzzy Hash: 460c116a5067c679cb5b5ce948a3056466bcf158c5435e38ad8be33a97865feb
Instruction Fuzzy Hash: A6A162B1900208ABDB11AFA6CD45AEFB7B9EF85314F10843BF611B72D1D77C89418B69

Function 00402645 Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 00402654

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 21f2deb84e4fe94a37f3c530ba23b3725dbfe4e9087708a3ee461911f2001047
Instruction ID: 2b7524724565807a685c72c68d6b6eabb337ae57375c882a310f3ed35d4a28aa
Opcode Fuzzy Hash: 21f2deb84e4fe94a37f3c530ba23b3725dbfe4e9087708a3ee461911f2001047
Instruction Fuzzy Hash: D4F0EC72504110EBD700EBB4994DAEE77B8DF51314F60457BE141F21C1D3B84945E72E

Function 00404135 Relevance: 40.5, APIs: 20, Strings: 3, Instructions: 205windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 004041C0
GetDlgItem.USER32(00000000,000003E8), ref: 004041D4
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 004041F2
GetSysColor.USER32(?), ref: 00404203
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404212
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404221
lstrlenA.KERNEL32(?), ref: 00404224
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 00404233
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 00404248
GetDlgItem.USER32(?,0000040A), ref: 004042AA
SendMessageA.USER32(00000000), ref: 004042AD
GetDlgItem.USER32(?,000003E8), ref: 004042D8
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 00404318
LoadCursorA.USER32(00000000,00007F02), ref: 00404327
SetCursor.USER32(00000000), ref: 00404330
ShellExecuteA.SHELL32(0000070B,open,004226A0,00000000,00000000,00000001), ref: 00404343
LoadCursorA.USER32(00000000,00007F00), ref: 00404350
SetCursor.USER32(00000000), ref: 00404353
SendMessageA.USER32(00000111,00000001,00000000), ref: 0040437F
SendMessageA.USER32(00000010,00000000,00000000), ref: 00404393

Strings

Call, xrefs: 00404303
N, xrefs: 004042C6
open, xrefs: 0040433B

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: Call$N$open
API String ID: 3615053054-2563687911
Opcode ID: aa854a75b9a8ef41e2656ff54a1ab69c816baf86c41e2f577b142ace3155aca6
Instruction ID: 47d1c741c4840d0b501b4796cf3fe0e3440e9ec9cd7b0debe1a5eac4f9bfffd7
Opcode Fuzzy Hash: aa854a75b9a8ef41e2656ff54a1ab69c816baf86c41e2f577b142ace3155aca6
Instruction Fuzzy Hash: 8F61A0B1A40309BFEB109F61DD45F6A7B69FB84704F108026FB04BB2D1C7B8A951CB99

Function 00405A6E Relevance: 26.4, APIs: 12, Strings: 3, Instructions: 136stringmemoryfileCOMMON

Download Yara Rule

APIs

lstrcpyA.KERNEL32(00421A88,NUL,?,00000000,?,00000000,?,00405C12,?,?,00000001,004057B5,?,00000000,000000F1,?), ref: 00405A7E
CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,00000000,?,00405C12,?,?,00000001,004057B5,?,00000000,000000F1,?), ref: 00405AA2
GetShortPathNameA.KERNEL32(00000000,00421A88,00000400), ref: 00405AAB

Part of subcall function 0040592C: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 0040593C
Part of subcall function 0040592C: lstrlenA.KERNEL32(00405B5B,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 0040596E

GetShortPathNameA.KERNEL32(?,00421E88,00000400), ref: 00405AC8
wsprintfA.USER32 ref: 00405AE6
GetFileSize.KERNEL32(00000000,00000000,00421E88,C0000000,00000004,00421E88,?,?,?,?,?), ref: 00405B21
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405B30
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405B68
SetFilePointer.KERNEL32(?,00000000,00000000,00000000,00000000,00421688,00000000,-0000000A,004093A0,00000000,[Rename],00000000,00000000,00000000), ref: 00405BBE
WriteFile.KERNEL32(?,00000000,00000000,?,00000000), ref: 00405BD0
GlobalFree.KERNEL32(00000000), ref: 00405BD7
CloseHandle.KERNEL32(00000000), ref: 00405BDE

Part of subcall function 004059C7: GetFileAttributesA.KERNELBASE(00000003,00402CBC,C:\Users\user\Desktop\ulACwpUCSU.exe,80000000,00000003), ref: 004059CB
Part of subcall function 004059C7: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 004059ED

Strings

[Rename], xrefs: 00405B50, 00405B62
NUL, xrefs: 00405A78
%s=%s, xrefs: 00405ADC

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizeWritewsprintf
String ID: %s=%s$NUL$[Rename]
API String ID: 1265525490-4148678300
Opcode ID: 042e64ae17e7c47ef1d56a04f1dfe6ef41ae4142583f66b70c6923dd5e444e24
Instruction ID: 2d1e09aab0418ff75005a817fdb93eb8b9645243d234663ae25a64343302d3c0
Opcode Fuzzy Hash: 042e64ae17e7c47ef1d56a04f1dfe6ef41ae4142583f66b70c6923dd5e444e24
Instruction Fuzzy Hash: BE41DEB1604A15BFD6206B219C49F6B3A6CDF45718F14053BBE01FA2D2EA7CB8018E7D

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,00422F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: c2d680870d7abd1e1a74e136b5aebc8f23ebe5596e06de1d1944de18111d68fb
Instruction ID: ce5436bc7dfccdabf5b2378cdbc04c65b8fc1f8d51739f20964cb8902a5fcb59
Opcode Fuzzy Hash: c2d680870d7abd1e1a74e136b5aebc8f23ebe5596e06de1d1944de18111d68fb
Instruction Fuzzy Hash: F2419A72804249AFCF058F94CD459AFBFB9FF44310F00812AF961AA1A0C738EA50DFA5

Function 00405FA1 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\ulACwpUCSU.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 00405FF9
CharNextA.USER32(?,?,?,00000000), ref: 00406006
CharNextA.USER32(?,"C:\Users\user\Desktop\ulACwpUCSU.exe",C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 0040600B
CharPrevA.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,00000000,004031EF,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 0040601B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405FA2, 00405FA7
*?|<>/":, xrefs: 00405FE9
"C:\Users\user\Desktop\ulACwpUCSU.exe", xrefs: 00405FDD

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\ulACwpUCSU.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-1296138832
Opcode ID: cac177dc58e6cdce4745106bcf32f060ca56d97be21c35c0cc42ba282efa81fa
Instruction ID: 96a923a8ee4f60b6f191beee89bac6a1f57d38d5d4ddb578b75945660f6dc773
Opcode Fuzzy Hash: cac177dc58e6cdce4745106bcf32f060ca56d97be21c35c0cc42ba282efa81fa
Instruction Fuzzy Hash: 57110451908B9229FB325A284C40B777F99CF5A760F18047FE5C1722C2C67C5C529B6E

Function 00404053 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 00404070
GetSysColor.USER32(00000000), ref: 0040408C
SetTextColor.GDI32(?,00000000), ref: 00404098
SetBkMode.GDI32(?,?), ref: 004040A4
GetSysColor.USER32(?), ref: 004040B7
SetBkColor.GDI32(?,?), ref: 004040C7
DeleteObject.GDI32(?), ref: 004040E1
CreateBrushIndirect.GDI32(?), ref: 004040EB

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction ID: 47825c477eeffae7bcc1b4b45db8633c52535f80fcd06c8b97140eed864a5805
Opcode Fuzzy Hash: 059a6408e4ff7a7a286042baf0ba0b6777dcdd2840b1e709c5bb58eb991f2f1d
Instruction Fuzzy Hash: 0621A4B18047049BCB309F68DD08B4BBBF8AF40714F048639EA95F26E1C738E944CB65

Function 100021FA Relevance: 10.6, APIs: 7, Instructions: 139memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 1000234A

Part of subcall function 10001224: lstrcpynA.KERNEL32(00000000,?,100012CF,-1000404B,100011AB,-000000A0), ref: 10001234

GlobalAlloc.KERNEL32(00000040,?), ref: 100022C3
MultiByteToWideChar.KERNEL32(00000000,00000000,?,?,00000000,?), ref: 100022D8
GlobalAlloc.KERNEL32(00000040,00000010), ref: 100022E7
CLSIDFromString.OLE32(00000000,00000000), ref: 100022F4
GlobalFree.KERNEL32(00000000), ref: 100022FB

Memory Dump Source

Source File: 00000000.00000002.3862991325.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3862977554.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3863004418.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3863017406.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_ulACwpUCSU.jbxd

Similarity

API ID: Global$AllocFree$ByteCharFromMultiStringWidelstrcpyn
String ID:
API String ID: 3730416702-0
Opcode ID: 5812f53bea9c9c9f79666072e50bc0f3831b96dbb387c6cf78516ccbd9521935
Instruction ID: fe65b043c70383bd2b49c92c90746d4950a0c6047a38c1932a2dc3020861886a
Opcode Fuzzy Hash: 5812f53bea9c9c9f79666072e50bc0f3831b96dbb387c6cf78516ccbd9521935
Instruction Fuzzy Hash: F6418BB1108711EFF720DFA48884B5BB7F8FF443D1F218929F946D61A9DB34AA448B61

Function 100023DA Relevance: 10.6, APIs: 7, Instructions: 111COMMON

Download Yara Rule

APIs

Part of subcall function 10001215: GlobalAlloc.KERNEL32(00000040,10001233,?,100012CF,-1000404B,100011AB,-000000A0), ref: 1000121D

GlobalFree.KERNEL32(?), ref: 100024B9
GlobalFree.KERNEL32(00000000), ref: 100024F3

Memory Dump Source

Source File: 00000000.00000002.3862991325.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3862977554.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3863004418.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3863017406.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_ulACwpUCSU.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 28705be4039c1f606362c20ff13fdce37c258c5b4734a68cc6567389004174f8
Instruction ID: 82133e1bc6da927614d5bcfc3b496831b4cb396c3e6da136b8b2dca3161aa200
Opcode Fuzzy Hash: 28705be4039c1f606362c20ff13fdce37c258c5b4734a68cc6567389004174f8
Instruction Fuzzy Hash: 75319CB1504251EFF722CF94CCC4C6B7BBDEB852D4B128569FA4193228DB31AC54DB62

Function 00402683 Relevance: 10.6, APIs: 7, Instructions: 89memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 004026D7
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,000000F0), ref: 004026F3
GlobalFree.KERNEL32(?), ref: 0040272C
WriteFile.KERNEL32(FFFFFD66,00000000,?,FFFFFD66,?,?,?,?,000000F0), ref: 0040273E
GlobalFree.KERNEL32(00000000), ref: 00402745
CloseHandle.KERNEL32(FFFFFD66,?,?,000000F0), ref: 0040275D
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,000000F0), ref: 00402771

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: Global$AllocFileFree$CloseDeleteHandleWrite
String ID:
API String ID: 3294113728-0
Opcode ID: 0f129fd7f7df80537c5f9e1eb6f54556ad660c5267986f7df7bd7c5007d73d3e
Instruction ID: 552098977e22cffcc29eaacdabede243c0f20e1b5d71923adfcfca28e3e686eb
Opcode Fuzzy Hash: 0f129fd7f7df80537c5f9e1eb6f54556ad660c5267986f7df7bd7c5007d73d3e
Instruction Fuzzy Hash: 63318DB1C00118BFCF216FA5CD89DAE7E79EF09364F10423AF520762E1C6795D419BA9

Function 00402BDA Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000), ref: 00402BF2
GetTickCount.KERNEL32 ref: 00402C10
wsprintfA.USER32 ref: 00402C3E

Part of subcall function 0040501F: lstrlenA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000,?), ref: 00405058
Part of subcall function 0040501F: lstrlenA.KERNEL32(00402C51,Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,00402C51,00000000), ref: 00405068
Part of subcall function 0040501F: lstrcatA.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00402C51,00402C51,Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00000000,00000000,00000000), ref: 0040507B
Part of subcall function 0040501F: SetWindowTextA.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll), ref: 0040508D
Part of subcall function 0040501F: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 004050B3
Part of subcall function 0040501F: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 004050CD
Part of subcall function 0040501F: SendMessageA.USER32(?,00001013,?,00000000), ref: 004050DB

CreateDialogParamA.USER32(0000006F,00000000,00402B42,00000000), ref: 00402C62
ShowWindow.USER32(00000000,00000005), ref: 00402C70

Part of subcall function 00402BBE: MulDiv.KERNEL32(00000000,00000064,00000B8A), ref: 00402BD3

Strings

... %d%%, xrefs: 00402C38

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: a5c26afaddfd3aecbd3c11435c5afe696aa269bce338e105ebc0525db4289807
Instruction ID: 53b2eec8c243fd5a5b591a6d8e7090b5e500d3da6e0592f5c5af2241ed808ea0
Opcode Fuzzy Hash: a5c26afaddfd3aecbd3c11435c5afe696aa269bce338e105ebc0525db4289807
Instruction Fuzzy Hash: AB0188B0949614ABDB216F64AE4DE9F7B7CFB017057148037FA01B11E1C6B8D541CBAE

Function 004048EA Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 00404905
GetMessagePos.USER32 ref: 0040490D
ScreenToClient.USER32(?,?), ref: 00404927
SendMessageA.USER32(?,00001111,00000000,?), ref: 00404939
SendMessageA.USER32(?,0000110C,00000000,?), ref: 0040495F

Strings

f, xrefs: 0040493B

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction ID: 7baaa9b85802c8a5173365c44ed2834cc31749f5d024e9fb4d2ec5e64c2f69ce
Opcode Fuzzy Hash: 0143edfa65d7345696b674457d3757b6620fab040ae94d4e1f917914a8284de5
Instruction Fuzzy Hash: E40140B1D00218BADB01DBA4DC85FFFBBBCAB95721F10412BBA10B61D0C7B469018BA5

Function 00401D26 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D29
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D36
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D45
ReleaseDC.USER32(?,00000000), ref: 00401D56
CreateFontIndirectA.GDI32(0040A7D0), ref: 00401DA1

Strings

Times New Roman, xrefs: 00401D87

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Times New Roman
API String ID: 3808545654-927190056
Opcode ID: d8f1134e0d9cc842e71cdb0a798ee728ace2ac96abc312f9551e68033e09961b
Instruction ID: b452d76144ce78c1ea2c31cbd89393ff29a213aa8dcca448cc35c7c7cb6754f7
Opcode Fuzzy Hash: d8f1134e0d9cc842e71cdb0a798ee728ace2ac96abc312f9551e68033e09961b
Instruction Fuzzy Hash: F8011271948340AFE701DBB0AE0EB9A7F74EB19705F108535F141B72E2C6B954159B2F

Function 00402B42 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402B5D
wsprintfA.USER32 ref: 00402B91
SetWindowTextA.USER32(?,?), ref: 00402BA1
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402BB3

Strings

verifying installer: %d%%, xrefs: 00402B86, 00402B8F
unpacking data: %d%%, xrefs: 00402B7F

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: bccffcf18056edd42c20cb723d80919439a72dcdb3cc8cc3de12e394d3f134cc
Instruction ID: 4b4d840d1cf11f9656568dd8641bec75cd76f4f3bd4f461a87d93eb2d0bf3f96
Opcode Fuzzy Hash: bccffcf18056edd42c20cb723d80919439a72dcdb3cc8cc3de12e394d3f134cc
Instruction Fuzzy Hash: F7F01D70900208BBEF215F61DD4ABEE3779EB00345F00803AFA06B51D0D7F8AA558B9A

Function 004047E0 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Supersuspicion Setup: Installing,Supersuspicion Setup: Installing,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004046FB,000000DF,00000000,00000400,?), ref: 0040487E
wsprintfA.USER32 ref: 00404886
SetDlgItemTextA.USER32(?,Supersuspicion Setup: Installing), ref: 00404899

Strings

%u.%u%s%s, xrefs: 00404868
Supersuspicion Setup: Installing, xrefs: 00404870, 00404875, 0040487B, 0040488F

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Supersuspicion Setup: Installing
API String ID: 3540041739-662044061
Opcode ID: 01753190a1a61c127577f13d1343217740e1c978151e7be2dc7a3714e54fef7e
Instruction ID: 8631c14a921e8479d2aaee063571767324bc63c1cfe9171b6f21c1c007081b9c
Opcode Fuzzy Hash: 01753190a1a61c127577f13d1343217740e1c978151e7be2dc7a3714e54fef7e
Instruction Fuzzy Hash: 90112433A441283BDB0065AD9C49EAF328CDF81334F244637FA25F61D1E9788C1292E8

Function 1000180D Relevance: 7.7, APIs: 5, Instructions: 189COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 10001869
GlobalFree.KERNEL32(?), ref: 100019EF
GlobalFree.KERNEL32(?), ref: 100019F4

Memory Dump Source

Source File: 00000000.00000002.3862991325.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3862977554.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3863004418.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3863017406.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_ulACwpUCSU.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 0c473814e0966ac58776859a9061c1e440c53011a0554eaa903a9fb75293bb16
Instruction ID: 97b6efd1b10b48d7ee9b7c7fbc92de58723c24235f199e6d6d25645bb0e8c5d4
Opcode Fuzzy Hash: 0c473814e0966ac58776859a9061c1e440c53011a0554eaa903a9fb75293bb16
Instruction Fuzzy Hash: DC512532D04159AEFB55DFB488A4AEEBBF6EF453C0F12416AE841B315DCA306E4087D2

Function 00401CCC Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401CD0
GetClientRect.USER32(00000000,?), ref: 00401CDD
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401CFE
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D0C
DeleteObject.GDI32(00000000), ref: 00401D1B

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 729fc4278e862243959d7ad856f7c73244b6852cfe4ffc3fdd7b269795ac9902
Instruction ID: 68903ef9478fc0d920f95a79cd5396482650d24808bb52901199de5d2149753e
Opcode Fuzzy Hash: 729fc4278e862243959d7ad856f7c73244b6852cfe4ffc3fdd7b269795ac9902
Instruction Fuzzy Hash: 06F062B2A05114BFD701DBA4EE88CAF77BCEB44301B008576F501F2091C7389D019B79

Function 00403A4C Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 71COMMON

Download Yara Rule

APIs

SetWindowTextA.USER32(00000000,00422F00), ref: 00403AE4

Strings

"C:\Users\user\Desktop\ulACwpUCSU.exe", xrefs: 00403A4D
1033, xrefs: 00403A50, 00403A5A, 00403ACB
Supersuspicion Setup: Installing, xrefs: 00403A4F

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: TextWindow
String ID: "C:\Users\user\Desktop\ulACwpUCSU.exe"$1033$Supersuspicion Setup: Installing
API String ID: 530164218-174121954
Opcode ID: 19cfd19e0caeefaef38e1447d84035fc52b25a49d1c0675f2d636fa1eca01dcb
Instruction ID: 694a286dd4981efc18ef326c294584d4bec2a1602357d8abc11fec8a6f834ca0
Opcode Fuzzy Hash: 19cfd19e0caeefaef38e1447d84035fc52b25a49d1c0675f2d636fa1eca01dcb
Instruction Fuzzy Hash: EC11D4B1B046109BCB24DF15DC809337BBDEB8471A329813BE941A73A1C73D9E029A98

Function 004057C6 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00403201,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 004057CC
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,00403201,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75573410,004033C9), ref: 004057D5
lstrcatA.KERNEL32(?,00409014), ref: 004057E6

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004057C6

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4083868402
Opcode ID: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
Instruction ID: c144259923a6e848a034fe90771ae4f3275bad2fdba58d127270a3e6eafdfb33
Opcode Fuzzy Hash: 890135f98a5a9138db31eb4b1572133a55ea61a04d2c03425938916b0e2dddc9
Instruction Fuzzy Hash: 00D0A962606A306BD20222168C09E8F6A08CF06300B044033F204B62B2C63C0D418FFE

Function 00401EDC Relevance: 6.1, APIs: 4, Instructions: 54memoryCOMMON

Download Yara Rule

APIs

GetFileVersionInfoSizeA.VERSION(00000000,?,000000EE), ref: 00401EEB
GlobalAlloc.KERNEL32(00000040,00000000,00000000,?,000000EE), ref: 00401F09
GetFileVersionInfoA.VERSION(?,?,?,00000000), ref: 00401F22
VerQueryValueA.VERSION(?,00409014,?,?,?,?,?,00000000), ref: 00401F3B

Part of subcall function 00405C94: wsprintfA.USER32 ref: 00405CA1

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: FileInfoVersion$AllocGlobalQuerySizeValuewsprintf
String ID:
API String ID: 1404258612-0
Opcode ID: ec7151e13ff031cd6146c14c1100c40685b360c9b493fb258c96d19e35a9089b
Instruction ID: 9791f4c70c1528f8983e13c97e2cb0ced061aec02aec85b9ff59acd402aedfa8
Opcode Fuzzy Hash: ec7151e13ff031cd6146c14c1100c40685b360c9b493fb258c96d19e35a9089b
Instruction Fuzzy Hash: A0117071901209BEDF01EFA5DD85DAEBBB9EF04344B20807AF505F61A1D7388E55DB28

Function 0040585F Relevance: 6.0, APIs: 3, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,?,Invaliditetsprocent209\indoktrineringen.rec,?,004058CB,Invaliditetsprocent209\indoktrineringen.rec,Invaliditetsprocent209\indoktrineringen.rec,?,?,75572EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 0040586D
CharNextA.USER32(00000000), ref: 00405872
CharNextA.USER32(00000000), ref: 00405886

Strings

Invaliditetsprocent209\indoktrineringen.rec, xrefs: 00405860

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: CharNext
String ID: Invaliditetsprocent209\indoktrineringen.rec
API String ID: 3213498283-2173611331
Opcode ID: 2ea991d7d7ffd85479a521eab3fc1e567f9f9a9fdda000af801139d1d19966a1
Instruction ID: 725a23b4e930c3b6c27a7d0cd0e333612dd42f6c53d199a680129a9385ae8045
Opcode Fuzzy Hash: 2ea991d7d7ffd85479a521eab3fc1e567f9f9a9fdda000af801139d1d19966a1
Instruction Fuzzy Hash: 74F06253914F516AFB3276645C44B7B5A8CCF56361F188477EE40A62C2C2BC4C618F9A

Function 00404F93 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00404FC2
CallWindowProcA.USER32(?,?,?,?), ref: 00405013

Part of subcall function 00404038: SendMessageA.USER32(00010488,00000000,00000000,00000000), ref: 0040404A

Strings

, xrefs: 00404FA3

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: a1366604d20516d7a227b416e124a8c8ccbf6a8c92e3cea699473ae65b9a4b61
Instruction ID: 01da3f5901ddaf9404fa7d81b8fd4ad62d8e53e58d7af57a61279808ed2d7cb1
Opcode Fuzzy Hash: a1366604d20516d7a227b416e124a8c8ccbf6a8c92e3cea699473ae65b9a4b61
Instruction Fuzzy Hash: EA018F7110020DABDF209F11DC85E9F3B6AF784758F208037FA04752D1D77A8C92AAAE

Function 004058B4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405D36: lstrcpynA.KERNEL32(?,?,00000400,00403287,00422F00,NSIS Error), ref: 00405D43

Part of subcall function 0040585F: CharNextA.USER32(?,?,Invaliditetsprocent209\indoktrineringen.rec,?,004058CB,Invaliditetsprocent209\indoktrineringen.rec,Invaliditetsprocent209\indoktrineringen.rec,?,?,75572EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 0040586D
Part of subcall function 0040585F: CharNextA.USER32(00000000), ref: 00405872
Part of subcall function 0040585F: CharNextA.USER32(00000000), ref: 00405886

lstrlenA.KERNEL32(Invaliditetsprocent209\indoktrineringen.rec,00000000,Invaliditetsprocent209\indoktrineringen.rec,Invaliditetsprocent209\indoktrineringen.rec,?,?,75572EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75572EE0,00000000), ref: 00405907
GetFileAttributesA.KERNEL32(Invaliditetsprocent209\indoktrineringen.rec,Invaliditetsprocent209\indoktrineringen.rec,Invaliditetsprocent209\indoktrineringen.rec,Invaliditetsprocent209\indoktrineringen.rec,Invaliditetsprocent209\indoktrineringen.rec,Invaliditetsprocent209\indoktrineringen.rec,00000000,Invaliditetsprocent209\indoktrineringen.rec,Invaliditetsprocent209\indoktrineringen.rec,?,?,75572EE0,00405616,?,C:\Users\user\AppData\Local\Temp\,75572EE0), ref: 00405917

Strings

Invaliditetsprocent209\indoktrineringen.rec, xrefs: 004058BA, 004058BF, 004058C5, 00405900, 00405906, 0040590E, 00405916

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: Invaliditetsprocent209\indoktrineringen.rec
API String ID: 3248276644-2173611331
Opcode ID: 681a1499075d1ef18d3e94b36260b5cb5e6403957cf75bde6daaeed28ee23a5f
Instruction ID: cee4b60d78671bb78a10d3fddc0396ac835ea714c96625339261d657e7680c9f
Opcode Fuzzy Hash: 681a1499075d1ef18d3e94b36260b5cb5e6403957cf75bde6daaeed28ee23a5f
Instruction Fuzzy Hash: 0AF02823105D6026C63233391C09AAF1B95CE86368B24853FFC51B22D1DB3C8863DE7E

Function 004024D1 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 34filestringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000011), ref: 004024EF
WriteFile.KERNEL32(00000000,?,C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll,00000000,?,?,00000000,00000011), ref: 0040250E

Strings

C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll, xrefs: 004024DD, 00402502

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: FileWritelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll
API String ID: 427699356-3616788362
Opcode ID: f7e9c7c3a0b030329b9eac82e2999ac8e5cd3652365a72a00433b5ad3c482558
Instruction ID: 4826b5ec7f58a8945af1d05ae4e09a11cd1e532a13e769836b40841c5f4177c7
Opcode Fuzzy Hash: f7e9c7c3a0b030329b9eac82e2999ac8e5cd3652365a72a00433b5ad3c482558
Instruction Fuzzy Hash: 80F054B2A54244BFDB40ABA19E499EB66A4DB40309F10443FB141F61C2D5BC4941A66A

Function 004054E5 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00421500,Error launching installer), ref: 0040550E
CloseHandle.KERNEL32(?), ref: 0040551B

Strings

Error launching installer, xrefs: 004054F8

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: a807c8c1498f9a3ccd34e9273e49e04dcb617f56f5cccdb726230c0895ca6d7f
Instruction ID: 0ae392a05d3974bec86de51aa2f8a5c28ff0ee3cdd976454f3eed0d5dd72dd2a
Opcode Fuzzy Hash: a807c8c1498f9a3ccd34e9273e49e04dcb617f56f5cccdb726230c0895ca6d7f
Instruction Fuzzy Hash: 2BE0BFB4A00209BFEB109FA4ED05F7B76ADEB14745F508561BD11F2160E774A9108A79

Function 004036F2 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75572EE0,004036C9,75573410,004034D6,?), ref: 0040370C
GlobalFree.KERNEL32(006AEAB8), ref: 00403713

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403704

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-4083868402
Opcode ID: 86ea4e8f2e330b4051334ac2fa91e3adcb647da4565bec0431381526e270e322
Instruction ID: 0fe4964e98027e88380181352afc78dea88c0f551701ba437740c6db36bc47f5
Opcode Fuzzy Hash: 86ea4e8f2e330b4051334ac2fa91e3adcb647da4565bec0431381526e270e322
Instruction Fuzzy Hash: 0EE0EC7390512097C6215F96AD04B5ABB686B89B62F06842AED407B3A18B746C418BD9

Function 0040580D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402CE5,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ulACwpUCSU.exe,C:\Users\user\Desktop\ulACwpUCSU.exe,80000000,00000003), ref: 00405813
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402CE5,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\ulACwpUCSU.exe,C:\Users\user\Desktop\ulACwpUCSU.exe,80000000,00000003), ref: 00405821

Strings

C:\Users\user\Desktop, xrefs: 0040580D

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1876063424
Opcode ID: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
Instruction ID: ba052d51ab232c33a65bcd29671eceb75c11827358d6bb1c4ef4a0a5cf44e1aa
Opcode Fuzzy Hash: c27a981e79bb352b20b7a8c74a9367836393bd04b8b6ccbc39cacac652a51138
Instruction Fuzzy Hash: 94D0A77341AD701EE30372109C04B8F6A48CF16300F098462E440B61A0C2780C414BED

Function 100010E0 Relevance: 5.1, APIs: 4, Instructions: 102memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000115B
GlobalFree.KERNEL32(00000000), ref: 100011B4
GlobalFree.KERNEL32(?), ref: 100011C7
GlobalFree.KERNEL32(?), ref: 100011F5

Memory Dump Source

Source File: 00000000.00000002.3862991325.0000000010001000.00000020.00000001.01000000.00000004.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.3862977554.0000000010000000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3863004418.0000000010003000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3863017406.0000000010005000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_ulACwpUCSU.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction ID: 5d3a3765e571093bf703368c32e31ec5bfeafbef09712c331e02e9e13643e521
Opcode Fuzzy Hash: 6ef9e3687ab983c99c874163fdcc0ee6cc2800f994ca68b8431a209e6fec97f5
Instruction Fuzzy Hash: 6531ABB1808255AFF715CFA8DC89AEA7FE8EB052C1B164115FA45D726CDB34D910CB24

Function 0040592C Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 0040593C
lstrcmpiA.KERNEL32(00405B5B,00000000), ref: 00405954
CharNextA.USER32(00405B5B,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 00405965
lstrlenA.KERNEL32(00405B5B,?,00000000,00405B5B,00000000,[Rename],00000000,00000000,00000000), ref: 0040596E

Memory Dump Source

Source File: 00000000.00000002.3856267641.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3856253781.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856287384.0000000000407000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000409000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000421000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000424000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000429000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856301910.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3856378151.0000000000438000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_ulACwpUCSU.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
Instruction ID: 6acf3bc3cda9f3bfd2525b0ac34aa546eab038af588102683640af0afc927a81
Opcode Fuzzy Hash: 0add82ed76356020c4ee8264c56a6ad6875436601f5ed096891bbb40787d2247
Instruction Fuzzy Hash: 27F0C232604518FFC7129BA4DD40D9FBBA8EF06360B2500AAE800F7250D274EE019FAA

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report ulACwpUCSU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Lumbagoen.lnk

C:\Users\user\AppData\Local\Temp\Settings.ini

C:\Users\user\AppData\Local\Temp\nsd89B4.tmp

C:\Users\user\AppData\Local\Temp\nsk8D31.tmp\System.dll

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Humus\Blevins126.for

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Humus\Hakam.hrd

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Humus\Reallnsnedgangen241.sta

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Humus\Sonoran5.Fin

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Humus\Trykkestederne.dre

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Humus\Udlse77.smk

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\Saereste\seksturenes.sem

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\Saereste\stonefolk.mor

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\noninstitutionally.ski

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\Limejuice\pulpwood.int

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\aerosolens.red

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\andantinoen.str

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\complainant.pri

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\divisioner.par

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\hyperalgebra.txt

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\jaqueline.bow

C:\Users\user\AppData\Local\Temp\terephthalate\edderdun\Stillse\macroconidium.fan

Static File Info

Windows Analysis Report
ulACwpUCSU.exe

Function 00403217 Relevance: 79.1, APIs: 27, Strings: 18, Instructions: 337
stringfilecomCOMMON

Function 0040515D Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00405D58 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 199
stringCOMMON

Function 004055F6 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159
filestringCOMMON

Function 00403B19 Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 345
windowstringCOMMON

Function 00403787 Relevance: 51.0, APIs: 15, Strings: 14, Instructions: 216
stringregistrylibraryCOMMON

Function 00402C79 Relevance: 26.5, APIs: 5, Strings: 10, Instructions: 203
memoryCOMMON

Function 0040173F Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 0040501F Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 0040231C Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Function 004015B3 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58
COMMON

Function 004059F6 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 00402A3D Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Function 100016BD Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Function 00401BB8 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76
windowtimeCOMMON