Edit tour

Windows Analysis Report
PO.exe

Overview

General Information

Sample name:	PO.exe
Analysis ID:	1558395
MD5:	53441f2de2d573f3b2e4fb35c248229b
SHA1:	afc840f25adfcb5873f5b69e55b2920c370a2285
SHA256:	5bc4b28288f068f1c11e69b1cc94aacb4b0d2812494c1673471b890f1ce67a9e
Infos:

Detection

GuLoader

Score:	84
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Sample execution stops while process was sleeping (likely an evasion)

Tries to connect to HTTP servers, but all servers are down (expired dropper behavior)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

PO.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\PO.exe" MD5: 53441F2DE2D573F3B2E4FB35C248229B)

PO.exe (PID: 7828 cmdline: "C:\Users\user\Desktop\PO.exe" MD5: 53441F2DE2D573F3B2E4FB35C248229B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000003.00000002.2653471033.0000000002153000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000000.00000002.1853737660.0000000005213000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Code function: 0_2_004034A2 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034A2

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_6FED1B5F

0_2_6FED1B5F

Source: PO.exe

Static PE information: invalid certificate

Source: PO.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal84.troj.evad.winEXE@3/11@0/1

Source: C:\Users\user\Desktop\PO.exe

0_2_004034A2

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Program Files (x86)\Common Files\kvindagtigt.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Users\user\kretekniske.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Users\user\AppData\Local\Temp\nsb4357.tmp

Jump to behavior

Source: PO.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\PO.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: PO.exe

ReversingLabs: Detection: 83%

Source: C:\Users\user\Desktop\PO.exe

File read: C:\Users\user\Desktop\PO.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\PO.exe "C:\Users\user\Desktop\PO.exe"
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Users\user\Desktop\PO.exe "C:\Users\user\Desktop\PO.exe"
Source: C:\Users\user\Desktop\PO.exe	Process created: C:\Users\user\Desktop\PO.exe "C:\Users\user\Desktop\PO.exe"	Jump to behavior

Source: C:\Users\user\Desktop\PO.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Section loaded: srvcli.dll	Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

File written: C:\Program Files (x86)\Common Files\kvindagtigt.ini

Jump to behavior

Source: PO.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: PO.exe, 00000003.00000001.1851856220.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: mshtml.pdbUGP source: PO.exe, 00000003.00000001.1851856220.0000000000649000.00000020.00000001.01000000.00000008.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000003.00000002.2653471033.0000000002153000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.1853737660.0000000005213000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_6FED1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6FED1B5F

Source: C:\Users\user\Desktop\PO.exe

File created: C:\Users\user\AppData\Local\Temp\nsz4B76.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\PO.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\PO.exe	API/Special instruction interceptor: Address: 5222FD0
Source: C:\Users\user\Desktop\PO.exe	API/Special instruction interceptor: Address: 2162FD0

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\PO.exe	RDTSC instruction interceptor: First address: 51F96E2 second address: 51F96E2 instructions: 0x00000000 rdtsc 0x00000002 cmp ah, ch 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F12B0BADA56h 0x00000008 cmp ah, ch 0x0000000a inc ebp 0x0000000b inc ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\PO.exe	RDTSC instruction interceptor: First address: 21396E2 second address: 21396E2 instructions: 0x00000000 rdtsc 0x00000002 cmp ah, ch 0x00000004 cmp ebx, ecx 0x00000006 jc 00007F12B0B90C96h 0x00000008 cmp ah, ch 0x0000000a inc ebp 0x0000000b inc ebx 0x0000000c rdtsc

Source: C:\Users\user\Desktop\PO.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsz4B76.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\PO.exe TID: 7832

Thread sleep time: -170000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_0040674C FindFirstFileW,FindClose,		0_2_0040674C
Source: C:\Users\user\Desktop\PO.exe	Code function: 0_2_00405B00 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_00405B00

Source: PO.exe, 00000003.00000002.2657641573.0000000004C92000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000003.00000002.2657641573.0000000004C5C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW,

Source: C:\Users\user\Desktop\PO.exe	API call chain: ExitProcess graph end node			graph_0-2286
Source: C:\Users\user\Desktop\PO.exe	API call chain: ExitProcess graph end node			graph_0-2499

Source: C:\Users\user\Desktop\PO.exe

Code function: 0_2_6FED1B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_6FED1B5F

Source: C:\Users\user\Desktop\PO.exe

Process created: C:\Users\user\Desktop\PO.exe "C:\Users\user\Desktop\PO.exe"

Jump to behavior

Source: C:\Users\user\Desktop\PO.exe

0_2_004034A2

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	12 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
PO.exe	83%	ReversingLabs	Win32.Trojan.GuLoader
PO.exe	100%	Avira	HEUR/AGEN.1333748

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsz4B76.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://173.249.193.48/VdpAwrpsFeHTHv196.bin8	0%	Avira URL Cloud	safe
http://173.249.193.48/VdpAwrpsFeHTHv196.bint	0%	Avira URL Cloud	safe
http://173.249.193.48/VdpAwrpsFeHTHv196.bin4	0%	Avira URL Cloud	safe
http://173.249.193.48/VdpAwrpsFeHTHv196.binj	0%	Avira URL Cloud	safe
http://173.249.193.48/VdpAwrpsFeHTHv196.bin~	0%	Avira URL Cloud	safe
http://173.249.193.48/VdpAwrpsFeHTHv196.binf-9bc86c8e8c94k	0%	Avira URL Cloud	safe
http://173.249.193.48/VdpAwrpsFeHTHv196.bin)	0%	Avira URL Cloud	safe
http://173.249.193.48/VdpAwrpsFeHTHv196.bin_8	0%	Avira URL Cloud	safe
http://173.249.193.48/VdpAwrpsFeHTHv196.bing	0%	Avira URL Cloud	safe
http://173.249.193.48/VdpAwrpsFeHTHv196.bin	100%	Avira URL Cloud	malware
http://173.249.193.48/VdpAwrpsFeHTHv196.bin$	0%	Avira URL Cloud	safe
http://173.249.193.48/VdpAwrpsFeHTHv196.binH	0%	Avira URL Cloud	safe
http://173.249.193.48/VdpAwrpsFeHTHv196.binP	0%	Avira URL Cloud	safe
http://173.249.193.48/VdpAwrpsFeHTHv196.binN	0%	Avira URL Cloud	safe
http://173.249.193.48/VdpAwrpsFeHTHv196.bink	0%	Avira URL Cloud	safe
http://173.249.193.48/VdpAwrpsFeHTHv196.binl	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://173.249.193.48/VdpAwrpsFeHTHv196.bin8	PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	PO.exe, 00000003.00000001.1851856220.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	false		high
http://173.249.193.48/VdpAwrpsFeHTHv196.bin	PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000003.00000002.2677713944.0000000034160000.00000004.00001000.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://173.249.193.48/VdpAwrpsFeHTHv196.bin4	PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://173.249.193.48/VdpAwrpsFeHTHv196.bint	PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://173.249.193.48/VdpAwrpsFeHTHv196.binf-9bc86c8e8c94k	PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://173.249.193.48/VdpAwrpsFeHTHv196.bin~	PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	PO.exe, 00000003.00000001.1851856220.0000000000649000.00000020.00000001.01000000.00000008.sdmp	false		high
http://173.249.193.48/VdpAwrpsFeHTHv196.bin)	PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://173.249.193.48/VdpAwrpsFeHTHv196.bin_8	PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	PO.exe, 00000003.00000001.1851856220.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	false		high
http://173.249.193.48/VdpAwrpsFeHTHv196.binj	PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://173.249.193.48/VdpAwrpsFeHTHv196.bing	PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ftp.ftp://ftp.gopher.	PO.exe, 00000003.00000001.1851856220.0000000000649000.00000020.00000001.01000000.00000008.sdmp	false		high
http://173.249.193.48/VdpAwrpsFeHTHv196.binH	PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	PO.exe	false		high
http://173.249.193.48/VdpAwrpsFeHTHv196.bin$	PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://173.249.193.48/VdpAwrpsFeHTHv196.binP	PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://173.249.193.48/VdpAwrpsFeHTHv196.binp	PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://173.249.193.48/VdpAwrpsFeHTHv196.binN	PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://173.249.193.48/VdpAwrpsFeHTHv196.bink	PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://173.249.193.48/VdpAwrpsFeHTHv196.binl	PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
173.249.193.48	unknown	United States		11878	TZULOUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1558395
Start date and time:	2024-11-19 12:55:17 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 46s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	PO.exe
Detection:	MAL
Classification:	mal84.troj.evad.winEXE@3/11@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): otelrules.azureedge.net, slscr.update.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: PO.exe

Simulations

Behavior and APIs

Time	Type	Description
06:57:06	API Interceptor	17x Sleep call for process: PO.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
173.249.193.48	stormskridtets.exe	Get hash	malicious	FormBook, GuLoader	Browse	173.249.193.48/dlDSZQaZvoFz216.bin

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TZULOUS	Magnetnaalene.exe	Get hash	malicious	FormBook, GuLoader	Browse	173.249.193.108
	stormskridtets.exe	Get hash	malicious	FormBook, GuLoader	Browse	173.249.193.48
	Brneforsorgspdagogers.exe	Get hash	malicious	FormBook, GuLoader	Browse	173.249.193.66
	Brneforsorgspdagogers.exe	Get hash	malicious	FormBook, GuLoader	Browse	173.249.193.66
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	173.249.236.72
	byte.arm5.elf	Get hash	malicious	Okiru	Browse	173.249.236.51

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsz4B76.tmp\System.dll	stormskridtets.exe	Get hash	malicious	FormBook, GuLoader	Browse
	orders_PI 008-01.exe	Get hash	malicious	Remcos, GuLoader	Browse
	RemotePCViewer.exe	Get hash	malicious	Unknown	Browse
	8737738_19082024.vbs	Get hash	malicious	FormBook, GuLoader	Browse
	8737738_19082024.vbs	Get hash	malicious	GuLoader	Browse
	Dhl Delivery(AWB 9849791014).exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Program Files (x86)\Common Files\kvindagtigt.ini

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.0121618346445365
Encrypted:	false
SSDEEP:	3:BPi4YDgAmcAKDHMnhv:BPiBkAmc0nhv
MD5:	F298228D2D42CED0A00B0C5320000835
SHA1:	FB06F02DDCDA4C9EC752A688EE617064DB3A49EB
SHA-256:	E399AFE89F97EAE7BCDAE626913DA1618F4F42BA11887217CDBF524720532AB2
SHA-512:	464DA89F9E1D5935810443B20C3D19F77585D964DF89F5CB427482A03C8EF6274D06CBC01533D92C691FFD55E1725BA5F427D023A45A5128BCED0EEE11E083FE
Malicious:	false
Reputation:	low
Preview:	[skaaltalerens]..nonsaleability=sammenstuvningerne..

C:\Users\user\AppData\Local\Temp\nsz4B76.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.737556724687435
Encrypted:	false
SSDEEP:	192:MenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBaIwL:M8+Qlt70Fj/lQRY/9VjjgL
MD5:	6E55A6E7C3FDBD244042EB15CB1EC739
SHA1:	070EA80E2192ABC42F358D47B276990B5FA285A9
SHA-256:	ACF90AB6F4EDC687E94AAF604D05E16E6CFB5E35873783B50C66F307A35C6506
SHA-512:	2D504B74DA38EDC967E3859733A2A9CACD885DB82F0CA69BFB66872E882707314C54238344D45945DC98BAE85772ACEEF71A741787922D640627D3C8AE8F1C35
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: stormskridtets.exe, Detection: malicious, Browse Filename: orders_PI 008-01.exe, Detection: malicious, Browse Filename: RemotePCViewer.exe, Detection: malicious, Browse Filename: 8737738_19082024.vbs, Detection: malicious, Browse Filename: 8737738_19082024.vbs, Detection: malicious, Browse Filename: Dhl Delivery(AWB 9849791014).exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...X..`...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text...O .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Minkfarms\leakers.txt

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	589
Entropy (8bit):	4.277818373535095
Encrypted:	false
SSDEEP:	12:mScXAtJsdW8lLQIVVCTP1t0laiam6mObo/Bpqwnh2yKbdB1j1f:mSrTsdRTVVM9Yz69Hwh2yKb7ff
MD5:	E80E34F461528DF8F86C4248C971B2AD
SHA1:	A1A74D8F5711DEED35AF2B81BE070CA471C39500
SHA-256:	F2552D843F4D62F481743A15B7C95AA322C14EA5DBB999C8C889A42CBB093A8E
SHA-512:	46A5D6487131677DAC16C2BE4FC29517C14CB8DB6228B40344D733597462122EF0D1D7DD69B4D5A7A10F9C86635F99D91E91AC2CEBDF923C6B72EF3809637622
Malicious:	false
Reputation:	low
Preview:	pervalvar udvalgsarbejderne illegitime besully.trvarefabrikkers stemmeslugers binomialfordelingernes metropolit.mariolatrous griffy fiskeeksporten valutapuklerne spekulanter infusioners quantifys unconsolidation digitalises forvaltningsret..steticismens advents syde rebaptization returneredes chemosterilants agtvrdige,balklines sludres drengestregers topful koordinatvrdien angorakats tendensromanens blockheadish lidelsesfller eskapismes amiably phenicious nontenurial..overspringe udmntede agnostiker polycarpic stolper lbskes forhandlingsomraader acquires duskly kildnes gaultherase..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Minkfarms\persongalleriers.una

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	data
Category:	dropped
Size (bytes):	276701
Entropy (8bit):	1.2570216910370695
Encrypted:	false
SSDEEP:	768:yFPJSwGwS4JXi8PNDQNMDeMW3SGBqGHw1zwpmPMoaO64g1abi4IZxeMcdN9vfd95:/rFf4EoTti54LkFvI3oDW
MD5:	18C3DA2AA022FF0B89999E28E6A2AE9A
SHA1:	0659DDE0FD4B39B22825F1645A0BAE7E7202C7F9
SHA-256:	05DE1FF63CC38C7C4B3034091A311791BFF578658FF17D156AA4FB41A2E197C6
SHA-512:	D3A51D8B29FEF026F94B339087413319E03DA3193D9159A43AD7B4FEE35A67EEEBC3E66A0092B5ED14F57458173D518C618F2EE00F4203F428EBE0FC162F667C
Malicious:	false
Reputation:	low
Preview:	......................................................(.L.................................3........&.................."...........l........................s.....................................-...........................8..........@.........................................................h..................................@.........).........................I.................F..................................................................T..............................................................j..".......#I.............r.............&..................\|...............................................................................:.Z......................).............................................................................H.......C...........................................................................................t.........................................................M.............4........'........................................}..+.......................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Minkfarms\porkiest.mis

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	data
Category:	dropped
Size (bytes):	313672
Entropy (8bit):	1.2567166720965932
Encrypted:	false
SSDEEP:	768:iEGLlMkjkYtwS3MeXM3OpckON5VIbjnI3Oif4NxZSqJbDvz+hE7IkHAYsaW3DQLF:LtWLdp3I3yrt+3SoTMU5oT5
MD5:	17B0342D31B6E728E13DF79009833371
SHA1:	B9F3354C4E886382D220D5EC4FA91F389585BD40
SHA-256:	8CAF84CE635BD92186709E81D12AE352E049C83B53F1C22A6DCB221E8F1C011E
SHA-512:	4772F5AE64E0619B23114A41785DDE7DD1A9BACE12A9ABEDEF3400EDB3660D4E780C9B91E23A9FDEC1D97BCF7DC48E201771D7D58EB1740191A05CCFDB433C83
Malicious:	false
Preview:	....................N............................k....................................................#.................................................................................`........0.............u...................................y................................................................g.........7................E.......&........w..............................................*....................<..................................3................i.......................................................................U...).................................................. ........................................................................................................................A..............................N......c.b.......................................................................................................N........T..............................................h..............................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Mutuary.civ

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	data
Category:	dropped
Size (bytes):	207881
Entropy (8bit):	7.331635651026833
Encrypted:	false
SSDEEP:	3072:zDyy/gxfmTCBeuVaCzUVI90J8g5sF6963goPdEWduKiKMLUW3tTS4NrQsgT99BwE:zDyR4WDsCgVImsE77KMLUS44NMx
MD5:	749F30B7C897431F55057BFE15DF7228
SHA1:	2DB933559839DD5F79454546C98CCE8E9C4C8112
SHA-256:	1506167C68DEBF892BD0E2EAD9515C1F3F80BCCA9C489E715F2436425B7D8D48
SHA-512:	8E6BC090DFE67D411EA2B386538BAF9ADE1C7A47031CD4BFA0E7D491CFEF814923E71BA1DF8A2CB0A41AFADAE896F77BD89170BB560112E2A2B7BAA8DCD60C9D
Malicious:	false
Preview:	............ ..............EEEEE...............n..............C....F.......mm...........D..............ttt...--........``..:::....S....rrrr............P.O..6....".GG...............#.0.....................E..............22...~~.......aa............,..................................&..gg........77..LLLLLL.......ii.......0..o.ff..}.x... .99.....RR...............~~~~~.....................J......................kkk........E..........C...ee.........................G............J.............YY..~...2.............l........##.........Z.........(...........h.y........000.......yy...........l..lll...........................88...@@@@@.QQ..........^^...........mm...................CCC........KKKK.........2...............++..........V......-................B.........w................ ..............!!!....MM......66................===....................NNN..........S....??.........k........D.................................(............................. .........////....x.ccc.ZZ.w..====......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\Cresotinate.Oml

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	data
Category:	dropped
Size (bytes):	16857
Entropy (8bit):	4.532822901243277
Encrypted:	false
SSDEEP:	384:+ipfHtyeVOvFfo92BAVO4tKq/vChYFVmuF1WbTeqFb7RfW:dlyttfo9iAVO4tiGmPZW
MD5:	143CC97C03735690BA675F029A4A3A16
SHA1:	7BBA23E28EDB92B05620AA4EA667D3C04DE93593
SHA-256:	EDCF653A613FF7FB1143DF97441A7027D486CA942A333F3EA0B74C7C11F3D88B
SHA-512:	01C2C26B31488E036F6C6634636B33A0C06672FF464549D12B653326FA1A90460FAF485C59D8F0B85C6CCF57946AC4D09A70B5A5D3609E93AD3DCDE421CF16A7
Malicious:	false
Preview:	.........UU..33........Z..nnnnnn....w.[..............EE................T.......................k..8e...r...n...e...l.N.3...2..M:...:.+.C...r..de...a...t...e...F.h.i...l...e...A...(...m... ...r...4... ...,... ...i... .&&0..cx...8...0...0...0...0...0...0...0...,..w ...i..w ...0...,... ...p... ...0...,... ...i... ...4...,... ...i... ..?0...x...8...0...,... .%%i... ...0...)...i.......r...8.......k...e...r...n...e...l._.3.~.2...:...:...S.**e...t..aF...i...l...e...P...o...i...n...t...e...r...(...i... ...r...8...,... ..vi... ...2...3...0...1...2... ...,... ...i... ./.0...,...i... ...0...)...i.......r...4.......k...e...r...n...e...l...3...2.s.:...:...V...i...r...t...u...a...l...A...l...l...o..Nc...(...i..y ...0...,...i... ...5...4..B0...6...7...2..N0...0...,... .ddi..G ...0...x...3...0...0...0...,... ..Bi... ...0...x..v4...0...)...p...../.r...2.......k...e...r.}.n...e...l..B3...2..U:...:...R.+.e...a...d...F...i...l...e...(...i... ...r...8...,... ...i... ...r...2...,... ...i... ..^5...4...0...6

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\Maleriet213.arc

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	data
Category:	dropped
Size (bytes):	244482
Entropy (8bit):	1.2509108197987615
Encrypted:	false
SSDEEP:	768:ArczTS8oocp0tWLSMkXWg7PKU30gfL4Qf1AUdyM03I3xkjFlu7NDSAZd+6XYIHXd:7Yhp0ckXv78owAC3MhxqI
MD5:	E6AC7A31DA2D4322339135AD20EB0F23
SHA1:	F76C6D6EE7C9B01DB799642990AA88B140003EC4
SHA-256:	00FAD7EC11DB9706955FDF3BE0E6FB037E9F9780F94A502A774B30AB52773A94
SHA-512:	C87DABB08D092D546FF80270B052CF1C5D92D25852DBFECC139CE528CCD2A22CCE130A8C90C08117DF542E6D83DE91E92180F853C201F042BED4681D4737E75D
Malicious:	false
Preview:	............................................w.........................................................................\.............................o.............q......................................]..........................I...............!...............................................m....... ............................................................................................h......K................=............................................................r..................................W....................................................................R......................................p..0...........................................................k.........k........................d........................................................................................................................9....................................#.....A........`...9...............P.......................................................................\...............

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\afsgning.for

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	data
Category:	dropped
Size (bytes):	430713
Entropy (8bit):	1.2530301266200883
Encrypted:	false
SSDEEP:	1536:vu65sFtuGbUq4CCWG9TcLs9xEEc0MVWFnhMA:2PjbUquWUYs/9x
MD5:	8ED0D91C7C65B02A5630D1A012895C3D
SHA1:	FA74C3BD3A32123D71AEA67D386B5AC251FEC260
SHA-256:	1113E4990BEF55E4CD1D868513B2305C72803FB296D559BFA9C8C93DE2EDC8AB
SHA-512:	FBE41906CCABB44E8D71D7664B756F75ABDBF0FB80BFCBBF4BBA9D9370DF4CEDBE437BA9F116B3F9E9D2AE2FB1E2D34D34F152E518A2E5E0096A506093F8DB24
Malicious:	false
Preview:	..[.Z.....?............#......................................................0.....B..x....................................................Q.......Z......................I....j............{..........................................................................................................................................-.....7..............................M........9.U...........?...............................................................X..................../.....................t...............4................,........`........~..............d............................u............{.....................a.............................5.............{...g....Z.................H................l..........................S.............................................................................................................................J...........................................U............................x.....f.............D..../....o........................QLi...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\bookishly.egg

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	data
Category:	dropped
Size (bytes):	223405
Entropy (8bit):	1.2642457624863013
Encrypted:	false
SSDEEP:	768:DDh04DrooyUGbNSipoS0yYEt0ihBLBJU06zf8VWZt+il3sVxTD6I6o9+2u5inuB4:rorpFGQVWwj9bQdun2ljrAbUGl
MD5:	96E6C0CBBACF232110DF3E7FC4B4D980
SHA1:	FC18FDD4E5417AC76F68BF507AC0BA6B9A183CFE
SHA-256:	04F64748055424253509A229EE3E6F9BFC86898CBA667DA8312333552987B610
SHA-512:	8DD22ABBED1522A08E9AC3559F5CC6871B77C1B76C2A7AA0CD61E52CA7D3A43DCBAF00285BF29C1FF885FC5F424FA411F56F19EB1886DA97CC7010BCA66530A9
Malicious:	false
Preview:	....................................{............!.............Q.............................................................................:...........z..................................W.......................... ......................................3...........y...............j................!n...............................................................................3........................+.......................a.......................c........................................)............................................................................................................................?.............................................................................................S....../.....................................................6./...t..+.......................H............{..........&................................b............................R.......x....=..................V....]........>...................................m................0.....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\etisk.hvs

Download File

Process:	C:\Users\user\Desktop\PO.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 175-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 8.000000
Category:	dropped
Size (bytes):	385914
Entropy (8bit):	1.2561626561864936
Encrypted:	false
SSDEEP:	768:++TtgE2yMxqLKoiyt4CpVdIwu3Uema6LhlEv9cCAXP69rBqGDpx/NEJKTPLqqQJl:bMFgNCAE6oLJS9a/IrOyTWq2uC
MD5:	A4946227DE4DC2A79BF473A3D09C4247
SHA1:	9FF800E6B4A72B6281D812710D00AD003F757170
SHA-256:	1F6BB50C9AC95A61782FCDE006B6E396ACEDA7794FD30FFB7D97020FD7B8059E
SHA-512:	2902630584092375E1A2FB4669437C43548BC0D0E00B2B98A3FDAEEDC57F3567B61A3FC545C8157FD410D6E26C9A70E8D989E97983700FFB55D9D1154CEBE1F4
Malicious:	false
Preview:	..................................................#..................................._............................{.........................P................$.............................................................................................}............&................g.........................................A................................................K................................................Z..............-......5.........................................................e.......d..........................................L...............0......C................).................................................................................r............Q..2........................9................(...............................................t......................................................................>.....b..8.....................n.............]..................F.....................................U...................................S.........

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.460432078632097
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	PO.exe
File size:	915'632 bytes
MD5:	53441f2de2d573f3b2e4fb35c248229b
SHA1:	afc840f25adfcb5873f5b69e55b2920c370a2285
SHA256:	5bc4b28288f068f1c11e69b1cc94aacb4b0d2812494c1673471b890f1ce67a9e
SHA512:	021ba2fc3570b82daf0181f229e5e0b80a10f6a74a3f77baa4d608961c38222b03d428f82b7d5abfca6fa55cbfebc7b5e715f33ecf8f67882186b6601bfcbda2
SSDEEP:	12288:A3nIRS5/vuI8sOabBdHdWIXjwxipfpQGYAGau5yxX9O9u:A3IRgvuoO0pdZXjUiNuGYpawA9uu
TLSH:	59156949A38C50C6DD3A3B32FA1D7613B655AC138550118A3AC8BE583BF57B07B9FA31
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L......`.................f....:....

File Icon


Icon Hash:	d3672eac1a0c662c

Static PE Info

General

Entrypoint:	0x4034a2
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60FC90D1 [Sat Jul 24 22:14:41 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	6e7f9a29f2c85394521a08b9f31f6275

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Underretternes, O=Underretternes, L=Lannemezan, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	25/01/2024 10:16:23 24/01/2027 10:16:23
Subject Chain	CN=Underretternes, O=Underretternes, L=Lannemezan, C=FR
Version:	3
Thumbprint MD5:	B7699D9FC11FF2BC8B537A1496DBA607
Thumbprint SHA-1:	13E2B15CFFB46BFE6E63F1DDDD5D08B90EC97D8B
Thumbprint SHA-256:	B488D28F491B0130739761D68A25298DFD95A7D90A466B370C1D833271156981
Serial:	0C38DED2C7C23BE59C80206BBCC81E7BF88A1876

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080CCh]
call dword ptr [004080D0h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [007A8A6Ch], eax
je 00007F12B0D70303h
push ebx
call 00007F12B0D735F1h
cmp eax, ebx
je 00007F12B0D702F9h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007F12B0D7356Bh
push esi
call dword ptr [00408154h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007F12B0D702DCh
push 0000000Bh
call 00007F12B0D735C4h
push 00000009h
call 00007F12B0D735BDh
push 00000007h
mov dword ptr [007A8A64h], eax
call 00007F12B0D735B1h
cmp eax, ebx
je 00007F12B0D70301h
push 0000001Eh
call eax
test eax, eax
je 00007F12B0D702F9h
or byte ptr [007A8A6Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408298h]
mov dword ptr [007A8B38h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0079FF08h
call dword ptr [0040818Ch]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3de000	0x56ef8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xdef90	0x920	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x656c	0x6600	12117ad2476c7a7912407af0dcfcb8a7	False	0.6737515318627451	data	6.47208759712619	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1398	0x1400	e3e8d62e1d2308b175349eb9daa266c8	False	0.4494140625	data	5.137750894959169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39eb78	0x600	2020ca26e010546720fd467c5d087b57	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x35000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3de000	0x56ef8	0x57000	c1896e67b80e50079ebeadcac8c0d8c3	False	0.13646338451867815	data	2.5203155069997596	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3de2c8	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	English	United States	0.11415584223451786
RT_ICON	0x4202f0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.17530758310658937
RT_ICON	0x430b18	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.27551867219917014
RT_ICON	0x4330c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.3295028142589118
RT_ICON	0x434168	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.47074468085106386
RT_DIALOG	0x4345d0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x4346d0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x4347f0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x4348b8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x434918	0x4c	data	English	United States	0.7894736842105263
RT_VERSION	0x434968	0x250	data	English	United States	0.5287162162162162
RT_MANIFEST	0x434bb8	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, SetWindowPos, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersion, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, CopyFileW, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 19, 2024 12:57:03.739087105 CET	49716	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:04.751576900 CET	49716	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:06.751647949 CET	49716	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:07.863063097 CET	49717	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:08.876626015 CET	49717	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:10.876621008 CET	49717	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:11.987248898 CET	49718	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:13.001630068 CET	49718	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:15.001662016 CET	49718	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:16.114245892 CET	49719	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:17.126612902 CET	49719	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:19.126667976 CET	49719	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:20.237679958 CET	49720	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:21.251863003 CET	49720	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:23.251625061 CET	49720	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:24.362371922 CET	49721	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:25.376663923 CET	49721	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:27.376629114 CET	49721	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:28.534202099 CET	49722	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:29.548492908 CET	49722	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:31.548504114 CET	49722	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:32.659894943 CET	49723	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:33.673548937 CET	49723	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:35.689147949 CET	49723	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:36.784348011 CET	49724	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:37.798521042 CET	49724	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:39.814558983 CET	49724	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:40.910722971 CET	49725	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:41.923624992 CET	49725	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:43.923734903 CET	49725	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:45.037460089 CET	49726	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:46.048552036 CET	49726	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:48.048554897 CET	49726	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:49.159704924 CET	49727	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:50.173621893 CET	49727	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:52.189312935 CET	49727	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:53.285808086 CET	49728	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:54.298604965 CET	49728	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:56.298716068 CET	49728	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:57.409874916 CET	49729	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:57:58.424330950 CET	49729	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:58:00.423579931 CET	49729	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:58:01.534667969 CET	49730	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:58:02.548630953 CET	49730	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:58:04.548675060 CET	49730	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:58:05.661429882 CET	49731	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:58:06.673618078 CET	49731	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:58:08.689372063 CET	49731	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:58:09.784683943 CET	49732	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:58:10.798691988 CET	49732	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:58:12.798727036 CET	49732	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:58:13.909338951 CET	49733	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:58:14.923649073 CET	49733	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:58:16.939280033 CET	49733	80	192.168.2.8	173.249.193.48
Nov 19, 2024 12:58:20.954902887 CET	49733	80	192.168.2.8	173.249.193.48

Target ID:	0
Start time:	06:56:11
Start date:	19/11/2024
Path:	C:\Users\user\Desktop\PO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO.exe"
Imagebase:	0x400000
File size:	915'632 bytes
MD5 hash:	53441F2DE2D573F3B2E4FB35C248229B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1853737660.0000000005213000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:56:55
Start date:	19/11/2024
Path:	C:\Users\user\Desktop\PO.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\PO.exe"
Imagebase:	0x400000
File size:	915'632 bytes
MD5 hash:	53441F2DE2D573F3B2E4FB35C248229B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000002.2653471033.0000000002153000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	27%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.5%
Total number of Nodes:	703
Total number of Limit Nodes:	16

Executed Functions

Function 004034A2 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004034C5
GetVersion.KERNEL32 ref: 004034CB
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034FE
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 0040353B
OleInitialize.OLE32(00000000), ref: 00403542
SHGetFileInfoW.SHELL32(0079FF08,00000000,?,000002B4,00000000), ref: 0040355E
GetCommandLineW.KERNEL32(007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 00403573
CharNextW.USER32(00000000,"C:\Users\user\Desktop\PO.exe",00000020,"C:\Users\user\Desktop\PO.exe",00000000,?,00000007,00000009,0000000B), ref: 004035AB

Part of subcall function 004067E3: GetModuleHandleA.KERNEL32(?,00000020,?,00403514,0000000B), ref: 004067F5
Part of subcall function 004067E3: GetProcAddress.KERNEL32(00000000,?), ref: 00406810

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036E5
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004036F6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403702
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403716
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040371E
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040372F
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403737
DeleteFileW.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 0040374B

Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,00403573,007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 004063FB

OleUninitialize.OLE32(00000007,?,00000007,00000009,0000000B), ref: 00403816
ExitProcess.KERNEL32 ref: 00403837
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\PO.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 0040384A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\PO.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403859
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\PO.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403864
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\PO.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403870
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040388C
DeleteFileW.KERNEL32(0079F708,0079F708,?,007A9000,00000009,?,00000007,00000009,0000000B), ref: 004038E6
CopyFileW.KERNEL32(C:\Users\user\Desktop\PO.exe,0079F708,00000001,?,00000007,00000009,0000000B), ref: 004038FA
CloseHandle.KERNEL32(00000000,0079F708,0079F708,?,0079F708,00000000,?,00000007,00000009,0000000B), ref: 00403927
GetCurrentProcess.KERNEL32(00000028,0000000B,00000007,00000009,0000000B), ref: 00403956
OpenProcessToken.ADVAPI32(00000000), ref: 0040395D
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403972
AdjustTokenPrivileges.ADVAPI32 ref: 00403995
ExitWindowsEx.USER32(00000002,80040002), ref: 004039BA
ExitProcess.KERNEL32 ref: 004039DD

Strings

"C:\Users\user\Desktop\PO.exe", xrefs: 00403579, 0040357F, 00403773
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods, xrefs: 004036C8, 004037E8, 00403892, 0040389C
C:\Users\user\Desktop, xrefs: 00403869, 0040386E, 0040389B
~nsu, xrefs: 00403842
NSIS Error, xrefs: 00403564
SeShutdownPrivilege, xrefs: 0040396C
Low, xrefs: 00403718
UXTHEME, xrefs: 004034F2, 004034F7, 004034FD
1033, xrefs: 00403746
.tmp, xrefs: 0040385E
C:\Users\user\AppData\Local\Temp\, xrefs: 004036DA, 004036DF, 004036F5, 00403701, 00403710, 0040371D, 00403729, 00403731, 00403847, 00403858, 00403863, 0040386F, 0040387C, 0040388B, 0040393C
TMP, xrefs: 00403732
\Temp, xrefs: 004036FC
C:\Users\user\Desktop\PO.exe, xrefs: 004038F5
Error launching installer, xrefs: 004037CD
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Minkfarms, xrefs: 004037F3
TEMP, xrefs: 0040372A

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\PO.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Minkfarms$C:\Users\user\Desktop$C:\Users\user\Desktop\PO.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-142698326
Opcode ID: 548301c1dfa22215a8893450befa883167be07a4132e0a9c717a82b6bd7fd6f7
Instruction ID: d7b9bf8e5ec5db16f392776339999e6c5d6af7d7718e861a4dfbc7241a8cc938
Opcode Fuzzy Hash: 548301c1dfa22215a8893450befa883167be07a4132e0a9c717a82b6bd7fd6f7
Instruction Fuzzy Hash: 65D1F6B1200310AAD7207F659D49B2B3AACEB81749F10843FF581B62D1DB7D8A55C76E

Function 00405B00 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B29
lstrcatW.KERNEL32(007A3F50,\*.*,007A3F50,?), ref: 00405B71
lstrcatW.KERNEL32(?,0040A014,?,007A3F50,?), ref: 00405B94
lstrlenW.KERNEL32(?,?,0040A014,?,007A3F50,?), ref: 00405B9A
FindFirstFileW.KERNELBASE(007A3F50,?,?,?,0040A014,?,007A3F50,?), ref: 00405BAA
FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 00405C4A
FindClose.KERNEL32(00000000), ref: 00405C59

Strings

P?z, xrefs: 00405B59
\*.*, xrefs: 00405B6B
"C:\Users\user\Desktop\PO.exe", xrefs: 00405B00
C:\Users\user\AppData\Local\Temp\, xrefs: 00405B0D

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\PO.exe"$C:\Users\user\AppData\Local\Temp\$P?z$\*.*
API String ID: 2035342205-1262657124
Opcode ID: 2e078cdcde706d48225d83f3244a5f4697d9a3fc09f8fc82c0d1a14fe090b8d5
Instruction ID: d176cfcb2707c6ba555092c79fa60715814496245c058da0d6595325efdb1864
Opcode Fuzzy Hash: 2e078cdcde706d48225d83f3244a5f4697d9a3fc09f8fc82c0d1a14fe090b8d5
Instruction Fuzzy Hash: BE41D530804A15AAEB216B658D89EBF7678EF42715F14813FF801711D2DB7C5E82CE6E

Function 0040674C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,007A4F98,C:\,00405E14,C:\,C:\,00000000,C:\,C:\,?,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,75573420,C:\Users\user\AppData\Local\Temp\), ref: 00406757
FindClose.KERNEL32(00000000), ref: 00406763

Strings

C:\, xrefs: 0040674C

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
Instruction ID: 5230d556015edc92dacd95909e5542708b333c59f405b635cf09ddc887f28092
Opcode Fuzzy Hash: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
Instruction Fuzzy Hash: CCD012315192205FC75027386F0C84B7A599F567353264B36F0AAF21E0C6788C3286AC

Function 00403E6B Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EA7
ShowWindow.USER32(?), ref: 00403EC4
DestroyWindow.USER32 ref: 00403ED8
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403EF4
GetDlgItem.USER32(?,?), ref: 00403F15
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F29
IsWindowEnabled.USER32(00000000), ref: 00403F30
GetDlgItem.USER32(?,00000001), ref: 00403FDE
GetDlgItem.USER32(?,00000002), ref: 00403FE8
SetClassLongW.USER32(?,000000F2,?), ref: 00404002
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404053
GetDlgItem.USER32(?,00000003), ref: 004040F9
ShowWindow.USER32(00000000,?), ref: 0040411A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040412C
EnableWindow.USER32(?,?), ref: 00404147
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040415D
EnableMenuItem.USER32(00000000), ref: 00404164
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040417C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040418F
lstrlenW.KERNEL32(007A1F48,?,007A1F48,00000000), ref: 004041B9
SetWindowTextW.USER32(?,007A1F48), ref: 004041CD
ShowWindow.USER32(?,0000000A), ref: 00404301

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: f1a328e51306031731dbcce9d1c3737ebdd7014b04a9a2d8d616989602e21706
Instruction ID: fd8a01c06953bfbcdc6c7a7ca4fde1a241a6ed83f8ebcdeac2000881ab9a06ac
Opcode Fuzzy Hash: f1a328e51306031731dbcce9d1c3737ebdd7014b04a9a2d8d616989602e21706
Instruction Fuzzy Hash: 67C1BFB1604604AFDB206F61ED85D2A3B78EBCA705B10853EF651B11F0CB3D9941DB6E

Function 00403ABD Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004067E3: GetModuleHandleA.KERNEL32(?,00000020,?,00403514,0000000B), ref: 004067F5
Part of subcall function 004067E3: GetProcAddress.KERNEL32(00000000,?), ref: 00406810

lstrcatW.KERNEL32(1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000,00000002,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO.exe",00000000), ref: 00403B3E
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000,00000002,75573420), ref: 00403BBE
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000), ref: 00403BD1
GetFileAttributesW.KERNEL32(Call), ref: 00403BDC
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods), ref: 00403C25

Part of subcall function 00406335: wsprintfW.USER32 ref: 00406342

RegisterClassW.USER32(007A7A00), ref: 00403C62
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C7A
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CAF
ShowWindow.USER32(00000005,00000000), ref: 00403CE5
GetClassInfoW.USER32(00000000,RichEdit20W,007A7A00), ref: 00403D11
GetClassInfoW.USER32(00000000,RichEdit,007A7A00), ref: 00403D1E
RegisterClassW.USER32(007A7A00), ref: 00403D27
DialogBoxParamW.USER32(?,00000000,00403E6B,00000000), ref: 00403D46

Strings

RichEd20, xrefs: 00403CEB
.DEFAULT\Control Panel\International, xrefs: 00403B29
"C:\Users\user\Desktop\PO.exe", xrefs: 00403AC1
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods, xrefs: 00403B4D, 00403B55, 00403BF8, 00403BFE, 00403C0E
Control Panel\Desktop\ResourceLocale, xrefs: 00403AF1
RichEd32, xrefs: 00403CF9
Call, xrefs: 00403B85, 00403B8E, 00403B9C, 00403BEB, 00403BF1
1033, xrefs: 00403ADD, 00403B39
RichEdit20W, xrefs: 00403D09, 00403D0F
C:\Users\user\AppData\Local\Temp\, xrefs: 00403AC2
RichEdit, xrefs: 00403D18
_Nb, xrefs: 00403C41, 00403CA9
.exe, xrefs: 00403BCB

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\PO.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-637729801
Opcode ID: ed5882197ad2af45622ab53baadaf8c7f939305731a510e2915a0577b65485f7
Instruction ID: 7ce8ec14a48fa11d69b3a5e1f0875b7083b8d607cd9ed6182ea3b60f82ca9994
Opcode Fuzzy Hash: ed5882197ad2af45622ab53baadaf8c7f939305731a510e2915a0577b65485f7
Instruction Fuzzy Hash: 286193702407007ED320AB669D46F2B3A7CEB85B49F40853FF941B22E2DB7D99018B6D

Function 00403015 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403026
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\PO.exe,00000400,?,00000007,00000009,0000000B), ref: 00403042

Part of subcall function 00405EE4: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\PO.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405EE8
Part of subcall function 00405EE4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F0A

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO.exe,C:\Users\user\Desktop\PO.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 0040308E
GlobalAlloc.KERNELBASE(00000040,0000000B,?,00000007,00000009,0000000B), ref: 004031C4

Strings

Null, xrefs: 0040310C
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004031EB
"C:\Users\user\Desktop\PO.exe", xrefs: 00403015
soft, xrefs: 00403103
C:\Users\user\AppData\Local\Temp\, xrefs: 0040301C
C:\Users\user\Desktop, xrefs: 00403070, 00403075, 0040307B
Inst, xrefs: 004030FA
C:\Users\user\Desktop\PO.exe, xrefs: 0040302C, 0040303B, 0040304F, 0040306F
Error launching installer, xrefs: 00403065

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\PO.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\PO.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-125019182
Opcode ID: 08ca265c2c11c7ade98783a519f9a0a5c073a42a03571b96a4881a179354b053
Instruction ID: b65d07b499067b34cf8ea267e223a71d0fae98adc47698ec1498b1efb03bef53
Opcode Fuzzy Hash: 08ca265c2c11c7ade98783a519f9a0a5c073a42a03571b96a4881a179354b053
Instruction Fuzzy Hash: DD51D171900204ABDB119F64DD85B9E7EACEB45316F20843BE911BA2D1DB7C8F418B5D

Function 0040642B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040656C
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 0040657F
SHGetSpecialFolderLocation.SHELL32(0040548D,0079A700,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 004065BB
SHGetPathFromIDListW.SHELL32(0079A700,Call), ref: 004065C9
CoTaskMemFree.OLE32(0079A700), ref: 004065D4
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004065FA
lstrlenW.KERNEL32(Call,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 00406652

Strings

Software\Microsoft\Windows\CurrentVersion, xrefs: 0040653C
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065F4
Call, xrefs: 00406455, 00406530, 00406537, 0040653B, 00406555, 00406556, 0040656B, 0040657E, 0040659A, 004065C5, 004065F9, 004065FF, 0040661B, 0040662E, 0040664B, 00406651, 0040665D, 00406690

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1230650788
Opcode ID: aaa997f56c542f4584990acf2269000a5d9ad94e2d12eeb77129bcfb95bdb2f4
Instruction ID: 6a9894c1754425a34e634a53c322024ca71031740d406166b65bc8419ebad360
Opcode Fuzzy Hash: aaa997f56c542f4584990acf2269000a5d9ad94e2d12eeb77129bcfb95bdb2f4
Instruction Fuzzy Hash: A261F471600505ABDF249F24DD40ABE37A5AF51318F22813FE543BA2D4DB3D8AA1CB5E

Function 00405456 Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(007A0F28,00000000,0079A700,755723A0,?,?,?,?,?,?,?,?,?,0040338D,00000000,?), ref: 0040548E
lstrlenW.KERNEL32(0040338D,007A0F28,00000000,0079A700,755723A0,?,?,?,?,?,?,?,?,?,0040338D,00000000), ref: 0040549E
lstrcatW.KERNEL32(007A0F28,0040338D,0040338D,007A0F28,00000000,0079A700,755723A0), ref: 004054B1
SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004054C3
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E9
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405503
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405511

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 0decb5d3bd7311ee25dcb4cac47719bdc9880b480b93dcede20cbb014160680e
Instruction ID: 198c43ce2186877ab3aec1728abe16fb3d15ea5683a6b9ae92d40c5f72e5eea1
Opcode Fuzzy Hash: 0decb5d3bd7311ee25dcb4cac47719bdc9880b480b93dcede20cbb014160680e
Instruction Fuzzy Hash: EC21AF75900518BACB119F65DD44ACFBFB9EF89354F10802AF904B22A1C3798A81CFA8

Function 00405925 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405968
GetLastError.KERNEL32 ref: 0040597C
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405991
GetLastError.KERNEL32 ref: 0040599B

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 0040594B
C:\Users\user\Desktop, xrefs: 00405925

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-1326413622
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 4c6d3c4ce34384c56ae6b54862a6db5cebbf8231f9905efb0a53c4272bf1951e
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: E1011AB1C00219EADF009FA5DD44BEFBBB8EF04314F00803AD544B6190E7789648CFA9

Function 00406773 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040678A
wsprintfW.USER32 ref: 004067C5
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067D9

Strings

UXTHEME, xrefs: 0040677C
\, xrefs: 0040679B
%s%S.dll, xrefs: 004067BF

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: 038d7fed81a94acb9f8d17f6b302bf2205b26bc145b48260013954e6d266918a
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: 65F0F670510119A7CF14AB64DD0DF9B376CAB40309F10047AA646F20D0EB7C9A68CBA8

Function 0040324C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004032B6
GetTickCount.KERNEL32 ref: 0040333A
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403363
wsprintfW.USER32 ref: 00403376

Strings

... %d%%, xrefs: 00403370

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: a56becbd4a8c381964fcf942c118294a751433144615ef02c1157a4186d243db
Instruction ID: 008436f450556a42ebae23d461066e9f0811e1f15f23a2ec19415b9062137ceb
Opcode Fuzzy Hash: a56becbd4a8c381964fcf942c118294a751433144615ef02c1157a4186d243db
Instruction Fuzzy Hash: 86516C71900219DBDB11DF65DA84B9F7FB8AF0076AF14417BE814B72C1C7789A40CBAA

Function 00405F13 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405F31
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\PO.exe",004034A0,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC), ref: 00405F4C

Strings

"C:\Users\user\Desktop\PO.exe", xrefs: 00405F13
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F18
nsa, xrefs: 00405F20

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\PO.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-979074613
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: 2ec416300cd5d099b763d3688cd3c506487cb406e2025687db32897a35dea38d
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: 84F09676B00204BBDB008F55ED05E9FB7ACEB95750F10803AEA04F7140E6B499548B58

Function 6FED1777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6FED1B5F: GlobalFree.KERNEL32(?), ref: 6FED1DD4
Part of subcall function 6FED1B5F: GlobalFree.KERNEL32(?), ref: 6FED1DD9
Part of subcall function 6FED1B5F: GlobalFree.KERNEL32(?), ref: 6FED1DDE

GlobalFree.KERNEL32(00000000), ref: 6FED1825
FreeLibrary.KERNEL32(?), ref: 6FED18AB
GlobalFree.KERNEL32(00000000), ref: 6FED18D0

Part of subcall function 6FED239E: GlobalAlloc.KERNEL32(00000040,?), ref: 6FED23CF

Part of subcall function 6FED2770: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,6FED17F6,00000000), ref: 6FED2840

Part of subcall function 6FED15C6: wsprintfW.USER32 ref: 6FED15F4

Strings

, xrefs: 6FED18B1

Memory Dump Source

Source File: 00000000.00000002.1887958552.000000006FED1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FED0000, based on PE: true

Associated: 00000000.00000002.1887891856.000000006FED0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887978786.000000006FED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887995999.000000006FED6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fed0000_PO.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: ab0cdc20baf7b4a135183ee50df9feaca383426aa32e2ffeb3c7602b4b003cc9
Instruction ID: 0041d961151d1354f802e59b0920c210a0c10aa9e797ae226f6e9fbb696a22b0
Opcode Fuzzy Hash: ab0cdc20baf7b4a135183ee50df9feaca383426aa32e2ffeb3c7602b4b003cc9
Instruction Fuzzy Hash: 1341D2754003059AEF10DFB4D984BC53FA9BF06329F34416AF9169EAC6DB7CA086C761

Function 00405DCB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,00403573,007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 004063FB

Part of subcall function 00405D6E: CharNextW.USER32(?,?,C:\,?,00405DE2,C:\,C:\,?,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D7C
Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D81
Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D99

lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,?,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E24
GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,75573420,C:\Users\user\AppData\Local\Temp\), ref: 00405E34

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405DCB
C:\, xrefs: 00405DD1, 00405DD6, 00405DDC, 00405E1D, 00405E23, 00405E2B, 00405E33

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3077356548
Opcode ID: cded0a6966890639b687aa66a4455a295a884498cbe0599bea4925404aa51844
Instruction ID: 3e737dd218ce82e1fa1fef2ae0b63742eeb13cb079fe623d21add3619189c6ea
Opcode Fuzzy Hash: cded0a6966890639b687aa66a4455a295a884498cbe0599bea4925404aa51844
Instruction Fuzzy Hash: B2F0A435104E5115D632333A9D09BEF1558CE86718B19863BF8A2B22D2DB3C8A539DBE

Function 004062BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,007A0F28,00000000,?,?,Call,?,?,0040654B,80000002), ref: 00406302
RegCloseKey.KERNELBASE(?,?,0040654B,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,007A0F28), ref: 0040630D

Strings

Call, xrefs: 004062C3

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 373679b9ec00f947e58de2b720fd419a4882b2706591ab80caa015ae1ce90e84
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: 56017C72510209EADF218F65CC09EDB3BA8FF54364F01803AFD5AA2190D778D964DBA4

Function 004059D7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F50,Error launching installer), ref: 00405A00
CloseHandle.KERNEL32(?), ref: 00405A0D

Strings

Error launching installer, xrefs: 004059EA

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: c4e46f1f673fd3826d078202ae771a3f9877dbb6e8e98e36d3575ddcb335b3d8
Instruction ID: 2b341ff16c6abf5d503a25303b32c86a9a78efd9c2a610832e0bce27d8c53e5f
Opcode Fuzzy Hash: c4e46f1f673fd3826d078202ae771a3f9877dbb6e8e98e36d3575ddcb335b3d8
Instruction Fuzzy Hash: F3E0BFF46002097FEB109F64ED05F7B77ACEB44644F004525BD54F6150D7B999148A7D

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 450ddb0a52dde23e6c3e7e65707e0a17b99b7c6dada291b67ac9213214883537
Instruction ID: 3e9f44f44444eb33be3e1f1d809517d1ef13f380758e007b8d3e22890c14ce30
Opcode Fuzzy Hash: 450ddb0a52dde23e6c3e7e65707e0a17b99b7c6dada291b67ac9213214883537
Instruction Fuzzy Hash: 0301F432624220ABE7195B389D05B2A3698E751318F10C13FF855F6AF1EA78CC02DB4D

Function 004067E3 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403514,0000000B), ref: 004067F5
GetProcAddress.KERNEL32(00000000,?), ref: 00406810

Part of subcall function 00406773: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040678A
Part of subcall function 00406773: wsprintfW.USER32 ref: 004067C5
Part of subcall function 00406773: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067D9

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
Instruction ID: 99a4bc67a8c43757839ce5658996565e88f4cb2ecc15aeea03f34014f97f3c52
Opcode Fuzzy Hash: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
Instruction Fuzzy Hash: F2E0863350521056E611AA719D44C7773AC9F89650307843EF946F2080D738DC31ABBD

Function 00405EE4 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\PO.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405EE8
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F0A

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Function 004059A2 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403495,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 004059A8
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004059B6

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 379133542b1e1e7011c0d69b4b2ae41cc98c6aec5a22f3063a42931ced3e53c7
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: 1EC04C71205502EEF6115B20DF48B1B7A909B50751F16843DA146E01E4DE389455D92D

Function 00405F67 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403457,00000000,00000000,0040329E,?,00000004,00000000,00000000,00000000), ref: 00405F7B

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: e146fa180a083be72d256ad1b428d57881e9eb39a1326beaade4420b40277b6a
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: E7E0EC3221065BAFDF10AEA59C04EFB7B6CEB05360F004836FD55E6150D635E9219BA8

Function 00405F96 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040340D,000000FF,00793700,?,00793700,?,?,00000004,00000000), ref: 00405FAA

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: df8aade711aef2fea4c6cc03ed90c08959c6261ddae8de931081f7d2433cde5f
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 96E08C3221021AEBDF109E608C00AEB7B6CEB00360F004433FA24E3150D634E8218BA8

Function 6FED29DF Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(6FED505C,00000004,00000040,6FED504C), ref: 6FED29FD

Memory Dump Source

Source File: 00000000.00000002.1887958552.000000006FED1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FED0000, based on PE: true

Associated: 00000000.00000002.1887891856.000000006FED0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887978786.000000006FED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887995999.000000006FED6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fed0000_PO.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4e4916dab816ed556b9f633b69b9668870c3b53007c52a4f76016cbe071fd8cc
Instruction ID: 53cf6b0af2ecf42067b91dad217aaa08d1b99ee67d71be04de57d0c3d909955d
Opcode Fuzzy Hash: 4e4916dab816ed556b9f633b69b9668870c3b53007c52a4f76016cbe071fd8cc
Instruction Fuzzy Hash: 0BF0C2B0904B80DECB50CF3CA4447093FE2FB1B325B60852AE288D6E40E3344465DB91

Function 0040625B Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,007A0F28,?,?,004062E9,007A0F28,00000000,?,?,Call,?), ref: 0040627F

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction ID: 981b209bfbc59ad728c3152e24748ded8346fc425447e23afb42b8d85bc6dac1
Opcode Fuzzy Hash: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction Fuzzy Hash: 35D0123200020DBBDF11AF90ED05FAB372DAB08350F014426FE06A4091D775D530A728

Function 00404390 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A2

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
Instruction ID: 2ab46fc48b107f7ec410a0490fc1e10939948660fe742cc14426a6f165494095
Opcode Fuzzy Hash: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
Instruction Fuzzy Hash: 26C04C75784700BADA149B549E45F0677546B90701F158429B641A50D0CA78D410DA2C

Function 0040345A Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004031DA,?,?,00000007,00000009,0000000B), ref: 00403468

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Function 00404379 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004041A4), ref: 00404387

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
Instruction ID: 9ccc480ae856a8f761d654a46a9a0801f91457f8e33b58f107ae6609e89c6df3
Opcode Fuzzy Hash: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
Instruction Fuzzy Hash: 51B09235181A00AADE914B00DE09F457A62A7A4701F00C029B241240B4CAB200A4DB0A

Function 00404366 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040413D), ref: 00404370

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
Instruction ID: f32ebe17383345fd09930a0b12515434b8b37a693fa3d318b2a69664ac7713bd
Opcode Fuzzy Hash: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
Instruction Fuzzy Hash: 97A00176405540AFEE029B61EF09D4ABB72ABA9701B4185B9A286A0034CB364860EB1D

Function 6FED2AF8 Relevance: 1.4, APIs: 1, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 6FED2BB7

Memory Dump Source

Source File: 00000000.00000002.1887958552.000000006FED1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FED0000, based on PE: true

Associated: 00000000.00000002.1887891856.000000006FED0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887978786.000000006FED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887995999.000000006FED6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fed0000_PO.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: d4ee432405c3c649eff9256a27f8945b820e669057d127603ceafa5b3e71cb56
Instruction ID: e2d90521904b929d8547877318e4dab9e105db2d37769a0f9a32968635f2522b
Opcode Fuzzy Hash: d4ee432405c3c649eff9256a27f8945b820e669057d127603ceafa5b3e71cb56
Instruction Fuzzy Hash: B1418171804704DFDF24DFA8E984B597F76EB66368F30842AF404CAE50D734A9578B91

Function 6FED121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,6FED123B,?,6FED12DF,00000019,6FED11BE,-000000A0), ref: 6FED1225

Memory Dump Source

Source File: 00000000.00000002.1887958552.000000006FED1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FED0000, based on PE: true

Associated: 00000000.00000002.1887891856.000000006FED0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887978786.000000006FED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887995999.000000006FED6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fed0000_PO.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 3dc8f0f7c7aa1a527f2907322ca173f947e69b10cd7415a7e644a7b5f38d7f82
Instruction ID: 1ba57615d79ca68972dcfeecee68e7c292fcf3042603df015ec7ae3246b06e80
Opcode Fuzzy Hash: 3dc8f0f7c7aa1a527f2907322ca173f947e69b10cd7415a7e644a7b5f38d7f82
Instruction Fuzzy Hash: 0EB01270A00500DFEF009B68DD46F343A55F703311F044001F600C0580C12048208935

Non-executed Functions

Function 6FED1B5F Relevance: 20.1, APIs: 13, Instructions: 597stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6FED121B: GlobalAlloc.KERNELBASE(00000040,?,6FED123B,?,6FED12DF,00000019,6FED11BE,-000000A0), ref: 6FED1225

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 6FED1C8D
lstrcpyW.KERNEL32(00000008,?), ref: 6FED1CD5
lstrcpyW.KERNEL32(00000808,?), ref: 6FED1CDF
GlobalFree.KERNEL32(00000000), ref: 6FED1CF2
GlobalFree.KERNEL32(?), ref: 6FED1DD4
GlobalFree.KERNEL32(?), ref: 6FED1DD9
GlobalFree.KERNEL32(?), ref: 6FED1DDE
GlobalFree.KERNEL32(00000000), ref: 6FED1FC8
lstrcpyW.KERNEL32(?,?), ref: 6FED2182
GetModuleHandleW.KERNEL32(00000008), ref: 6FED2201
LoadLibraryW.KERNEL32(00000008), ref: 6FED2212
GetProcAddress.KERNEL32(?,?), ref: 6FED226C
lstrlenW.KERNEL32(00000808), ref: 6FED2286

Memory Dump Source

Source File: 00000000.00000002.1887958552.000000006FED1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FED0000, based on PE: true

Associated: 00000000.00000002.1887891856.000000006FED0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887978786.000000006FED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887995999.000000006FED6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fed0000_PO.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: c53120b22f55282d3afe0da8a0c621f25e6057fd3e0a620b5b17be4e2c95a6da
Instruction ID: 34a3e1dc7952550ad51dc40e277fcb4c9ca09d3d71bf900dc86875234c8e23ea
Opcode Fuzzy Hash: c53120b22f55282d3afe0da8a0c621f25e6057fd3e0a620b5b17be4e2c95a6da
Instruction Fuzzy Hash: F2227A71D04605DAEB108FE8CA806EDBFB5FF16319F30862EF165E6A80D77865838B51

Function 0040603A Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061D5,00000000,00000000), ref: 00406075
GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 0040607E

Part of subcall function 00405E49: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000), ref: 00405E59
Part of subcall function 00405E49: lstrlenA.KERNEL32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000), ref: 00405E8B

GetShortPathNameW.KERNEL32(?,007A5DE8,00000400), ref: 0040609B
wsprintfA.USER32 ref: 004060B9
GetFileSize.KERNEL32(00000000,00000000,007A5DE8,C0000000,00000004,007A5DE8,?), ref: 004060F4
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406103
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 0040613B
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A51E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 00406191
GlobalFree.KERNEL32(00000000), ref: 004061A2
CloseHandle.KERNEL32(00000000), ref: 004061A9

Part of subcall function 00405EE4: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\PO.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405EE8
Part of subcall function 00405EE4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F0A

Strings

]z, xrefs: 00406090
%ls=%ls, xrefs: 004060AF
Uz, xrefs: 00406063
[Rename], xrefs: 00406123, 00406135

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$Uz$]z
API String ID: 2171350718-2939442745
Opcode ID: 0ed23fd09f20e9f0b0e4ce5e0ebdd9c0c92abb0a06c9999cd82c312b58dee0fa
Instruction ID: 03fe7b931bffc2b02635af9c10f4e714808f3729e90155368a1b4a6ed52067ca
Opcode Fuzzy Hash: 0ed23fd09f20e9f0b0e4ce5e0ebdd9c0c92abb0a06c9999cd82c312b58dee0fa
Instruction Fuzzy Hash: 44312370600B05BFD6206B618D48F6B3A6CDF86744F15013AFD42FA2C3DA3C99218ABD

Function 0040669D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406700
CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040670F
CharNextW.USER32(?,00000000,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406714
CharPrevW.USER32(?,?,75573420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\PO.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406727

Strings

"C:\Users\user\Desktop\PO.exe", xrefs: 0040669D
C:\Users\user\AppData\Local\Temp\, xrefs: 0040669E
*?|<>/":, xrefs: 004066EF

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\PO.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-3284517277
Opcode ID: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
Instruction ID: 12c80e2bf748d1a62cb3884e1ae38c2d534281e125f75e63bd15dfe73c9398b2
Opcode Fuzzy Hash: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
Instruction Fuzzy Hash: E711EB15800A1255DB303B148C84A7763F8EF947A4F56443FED86732C0E77D4C9286BD

Function 004043AB Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043C8
GetSysColor.USER32(00000000), ref: 00404406
SetTextColor.GDI32(?,00000000), ref: 00404412
SetBkMode.GDI32(?,?), ref: 0040441E
GetSysColor.USER32(?), ref: 00404431
SetBkColor.GDI32(?,?), ref: 00404441
DeleteObject.GDI32(?), ref: 0040445B
CreateBrushIndirect.GDI32(?), ref: 00404465

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
Instruction ID: 7fe0b9bd09f79c55d2aa0e3576d5328f94b18663b05207f77db8afc097fd36db
Opcode Fuzzy Hash: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
Instruction Fuzzy Hash: F62174B15007049BCB319F78D948F5BBBF8AF80714B048A3EE9D2A26E1C734E905CB58

Function 6FED161D Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,6FED2238,?,00000808), ref: 6FED1635
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,6FED2238,?,00000808), ref: 6FED163C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,6FED2238,?,00000808), ref: 6FED1650
GetProcAddress.KERNEL32(8"o,00000000), ref: 6FED1657
GlobalFree.KERNEL32(00000000), ref: 6FED1660

Strings

8"o, xrefs: 6FED1653

Memory Dump Source

Source File: 00000000.00000002.1887958552.000000006FED1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FED0000, based on PE: true

Associated: 00000000.00000002.1887891856.000000006FED0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887978786.000000006FED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887995999.000000006FED6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fed0000_PO.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID: 8"o
API String ID: 1148316912-781327480
Opcode ID: fbfb4ece58a4cff4dcbfedfcb11fad814b76b30ccbe539bcacff7bad798a9208
Instruction ID: e8294087522b29c574c68c6451a96a2147fcb073d34d94007455b96916535b60
Opcode Fuzzy Hash: fbfb4ece58a4cff4dcbfedfcb11fad814b76b30ccbe539bcacff7bad798a9208
Instruction Fuzzy Hash: F5F01C722065387BDA2117A69C4CC9BBE9DEF9B2F5B110212F628E21D086614C11DBF2

Function 00402F2B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402F49
MulDiv.KERNEL32(000DED8A,00000064,000DF8B0), ref: 00402F74
wsprintfW.USER32 ref: 00402F84
SetWindowTextW.USER32(?,?), ref: 00402F94
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402FA6

Strings

verifying installer: %d%%, xrefs: 00402F7E

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: e04d04eb7b63203ce5fd1c353c1d281d58231c4b0d3ff082bc1608e2171a15b6
Instruction ID: 448c993359d53400b231c8c55bc41b2c2aaf26e1e6946bd82a433317a94b79bc
Opcode Fuzzy Hash: e04d04eb7b63203ce5fd1c353c1d281d58231c4b0d3ff082bc1608e2171a15b6
Instruction Fuzzy Hash: 1101FF70640209BBEF209F60DE4AFAA3B79EB04349F008039FA16A51D1DBB999559F58

Function 6FED25B5 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6FED121B: GlobalAlloc.KERNELBASE(00000040,?,6FED123B,?,6FED12DF,00000019,6FED11BE,-000000A0), ref: 6FED1225

GlobalFree.KERNEL32(?), ref: 6FED26A3
GlobalFree.KERNEL32(00000000), ref: 6FED26D8

Memory Dump Source

Source File: 00000000.00000002.1887958552.000000006FED1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FED0000, based on PE: true

Associated: 00000000.00000002.1887891856.000000006FED0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887978786.000000006FED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887995999.000000006FED6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fed0000_PO.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: d66f7326f434a82e3ec24f709bafb3a5bc71eea5cf74f2bb26148811d47b0e92
Instruction ID: 6f1ac9b77f12d60ed6e3e0002cab39e361ec0b962e6700e4ef184e2930e6bd1a
Opcode Fuzzy Hash: d66f7326f434a82e3ec24f709bafb3a5bc71eea5cf74f2bb26148811d47b0e92
Instruction Fuzzy Hash: B9319031508701EFDB159F68D984C2A7FB6FBA7314724466EF11187E90C732A817DB62

Function 6FED18D9 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 6FED193A
GlobalFree.KERNEL32(?), ref: 6FED1ADA
GlobalFree.KERNEL32(?), ref: 6FED1ADF

Memory Dump Source

Source File: 00000000.00000002.1887958552.000000006FED1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FED0000, based on PE: true

Associated: 00000000.00000002.1887891856.000000006FED0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887978786.000000006FED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887995999.000000006FED6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fed0000_PO.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 62c31fd59a14721266fd9097f95e048380db7aeef43f4812a70c4b6f1fb16cac
Instruction ID: d01ccfe21561ca759511a68a7b8f3d41edd830982a1036b28df654fc5d6edcb1
Opcode Fuzzy Hash: 62c31fd59a14721266fd9097f95e048380db7aeef43f4812a70c4b6f1fb16cac
Instruction Fuzzy Hash: 6851E331D042599ABB089FF886405ADBFB6EF4539CB30425BF410A7B50D779BE838791

Function 6FED23E0 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 6FED2522

Part of subcall function 6FED122C: lstrcpynW.KERNEL32(00000000,?,6FED12DF,00000019,6FED11BE,-000000A0), ref: 6FED123C

GlobalAlloc.KERNEL32(00000040), ref: 6FED24A8
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 6FED24C3

Memory Dump Source

Source File: 00000000.00000002.1887958552.000000006FED1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FED0000, based on PE: true

Associated: 00000000.00000002.1887891856.000000006FED0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887978786.000000006FED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887995999.000000006FED6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fed0000_PO.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 570afa3a76dbc131e3de361d7f9701e6f87766219bf039cb45e5dee465dc5933
Instruction ID: d53ec1db57eccfea6d1c2302bca6ed4f4848054ae7f06e767ea6e04da2631996
Opcode Fuzzy Hash: 570afa3a76dbc131e3de361d7f9701e6f87766219bf039cb45e5dee465dc5933
Instruction Fuzzy Hash: A341C1B0448309DFD7149FB8D940A667FB9FFA6314B20891EF84586E81D734A547CB62

Function 00405D6E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\,?,00405DE2,C:\,C:\,?,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,75573420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D7C
CharNextW.USER32(00000000), ref: 00405D81
CharNextW.USER32(00000000), ref: 00405D99

Strings

C:\, xrefs: 00405D6F

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: a494e05d27702b27be76eb2108b1f7c475580a471c546fdda9206c4fb56a95c9
Instruction ID: 839f6a4cd7818f8bbcc29dd9d6e935739f9a8baf6e4a15472bca77c663bd0c43
Opcode Fuzzy Hash: a494e05d27702b27be76eb2108b1f7c475580a471c546fdda9206c4fb56a95c9
Instruction Fuzzy Hash: 1FF09022920F1296DB3177545C4DE7B5BB8EF54760B00C43BE601B72C1E3B84C818EAA

Function 00405CC3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040348F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00405CC9
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040348F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00405CD3
lstrcatW.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405CE5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CC3

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-4083868402
Opcode ID: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
Instruction ID: 20018de61182ae54b5e078598b4ece42ca391df12eccfc729252e8f5514d5294
Opcode Fuzzy Hash: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
Instruction Fuzzy Hash: 78D0A731101A30AAD1117B448D04CDF629CFE85304341403BF202B30A2C77C1D5387FD

Function 00402FB1 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040318F,00000001,?,00000007,00000009,0000000B), ref: 00402FC4
GetTickCount.KERNEL32 ref: 00402FE2
CreateDialogParamW.USER32(0000006F,00000000,00402F2B,00000000), ref: 00402FFF
ShowWindow.USER32(00000000,00000005,?,00000007,00000009,0000000B), ref: 0040300D

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 5e41244d60e94df7afa5422e741b36603cd51d1290bb4582c8306ab25b36019d
Instruction ID: 8c281f3aa7e88f802b7d8bba4993e69035ed424970cff038758a163d63a680ad
Opcode Fuzzy Hash: 5e41244d60e94df7afa5422e741b36603cd51d1290bb4582c8306ab25b36019d
Instruction Fuzzy Hash: 3AF0BE30506221ABC2616F60FE0CA8B3B78FB44B51705C83BF101F11E4CB3808819B9D

Function 00403A28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,75573420,00000000,C:\Users\user\AppData\Local\Temp\,00403A00,00403816,00000007,?,00000007,00000009,0000000B), ref: 00403A42
GlobalFree.KERNEL32(009906A0), ref: 00403A49

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A28

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-4083868402
Opcode ID: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
Instruction ID: 10b089f61d7fd26560bcfb3f790e8945b6a0be01d7b58778b04adbc7300f8739
Opcode Fuzzy Hash: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
Instruction Fuzzy Hash: 64E0123360112057C6215F45FE0475ABB7D6F49B26F06803BE9C0BB26087785C838FD8

Function 00405D0F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO.exe,C:\Users\user\Desktop\PO.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D15
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\PO.exe,C:\Users\user\Desktop\PO.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D25

Strings

C:\Users\user\Desktop, xrefs: 00405D0F

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-1876063424
Opcode ID: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
Instruction ID: 3b4219a6871f3e4e2040e57eeeef2aaac809f1ec38f5d31038b50c09059f2d31
Opcode Fuzzy Hash: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
Instruction Fuzzy Hash: 97D05EB34109209AE3127704DC0599F73E8EF5530074A8467E541A61A5D7785C818AAC

Function 6FED10E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 6FED116A
GlobalFree.KERNEL32(00000000), ref: 6FED11C7
GlobalFree.KERNEL32(00000000), ref: 6FED11D9
GlobalFree.KERNEL32(?), ref: 6FED1203

Memory Dump Source

Source File: 00000000.00000002.1887958552.000000006FED1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6FED0000, based on PE: true

Associated: 00000000.00000002.1887891856.000000006FED0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887978786.000000006FED4000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1887995999.000000006FED6000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6fed0000_PO.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 3b660b67e2c24ce75449a625602c9bbbb1a289ae3e517049a96790e9f43b7423
Instruction ID: d2e4d12f0b4302fe4f2d22481c92802c54d1873d4edccef7e26f0ae8d3565f60
Opcode Fuzzy Hash: 3b660b67e2c24ce75449a625602c9bbbb1a289ae3e517049a96790e9f43b7423
Instruction Fuzzy Hash: 24319EB25003159FFB008FE8E945A65BFEDEB47225720421BF840D7A54E73DE8128760

Function 00405E49 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000), ref: 00405E59
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E71
CharNextA.USER32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000), ref: 00405E82
lstrlenA.KERNEL32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000), ref: 00405E8B

Memory Dump Source

Source File: 00000000.00000002.1852072750.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1852034709.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852099843.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852155535.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1852594307.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_PO.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: a1795947179755a411c98c1569971d2b6f4e38ea7894d212e8297337e4f71977
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: E2F06231504514FFD7129BA5DD409AEBBA8EF06250B2540BAE884FB250D674DF029BE9

Source: PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp, PO.exe, 00000003.00000002.2677713944.0000000034160000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.bin
Source: PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.bin$
Source: PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.bin)
Source: PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.bin4
Source: PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.bin8
Source: PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.binH
Source: PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.binN
Source: PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.binP
Source: PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.bin_8
Source: PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.binf-9bc86c8e8c94k
Source: PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.bing
Source: PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.binj
Source: PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.bink
Source: PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.binl
Source: PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.binp
Source: PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.bint
Source: PO.exe, 00000003.00000002.2657641573.0000000004C74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.bin~
Source: PO.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: PO.exe, 00000003.00000001.1851856220.0000000000649000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: PO.exe, 00000003.00000001.1851856220.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: PO.exe, 00000003.00000001.1851856220.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: PO.exe, 00000003.00000001.1851856220.0000000000649000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report PO.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Common Files\kvindagtigt.ini

C:\Users\user\AppData\Local\Temp\nsz4B76.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Minkfarms\leakers.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Minkfarms\persongalleriers.una

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Minkfarms\porkiest.mis

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Mutuary.civ

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\Cresotinate.Oml

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\Maleriet213.arc

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\afsgning.for

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\bookishly.egg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\etisk.hvs

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Sections

Windows Analysis Report
PO.exe

Function 004034A2 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Function 00405B00 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00403E6B Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 00403ABD Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00403015 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 0040642B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Function 00405456 Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Function 00405925 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 00406773 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 0040324C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Function 00405F13 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Function 6FED1777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00405DCB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Function 004062BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Function 004059D7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON