Windows Analysis Report
DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

ID:	798398
Product:	CloudBasic
Start time:	03:44:08
Start date:	04.02.2023
Sample:	DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	91c0c4710db096a4689d40e2ceb3814d
SHA1:	63880c602b960c5f91e55cbe4d5d18c7b8f1d63a
SHA256:	a4d4961d124ea4276512c1584f1ebd30951cd469659b3a623594d6361772fae7
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Deskriptiv155\Hjertere\Hynde.Una	ASCII text, with very long lines (34794), with no line terminators	DD18A90498456DFCAE95A46AFC33C475	65AB8F8342AF9C08FE39E7664E3DF9C9646DF211	856D7590AB2EFC8C760BC37D652D5AE8A5DE982891ADB7A678E43A91D268DDE9
C:\Users\user\AppData\Local\Deskriptiv155\Hjertere\Rouleredes.coe	data	B32FFE1EC6ECA11009C35A0829450CB1	146529AFE038064ED79CAE0C62B108A14276D459	151A299FCA8F459B7670EA4922931161D6E8024B19F1C723130F6576ACBDBC83
C:\Users\user\AppData\Local\Deskriptiv155\Hjertere\checkbox_checked.png	PNG image data, 32 x 32, 2-bit colormap, non-interlaced	0CA13C84736F193C4DDC36408B63EB79	DAF222B1B08D7F2645FDC2E25E63BE2AA50E9B79	9B7DA86B40E8FE9DA37BA2A4337C9BCE14B07153A9722DD3DE7772C1C5933DED
C:\Users\user\AppData\Local\Deskriptiv155\Hjertere\multimedia-volume-control-symbolic.svg	SVG Scalable Vector Graphics image	367D90E6DF90CE72BAD009701DC3D941	C2070B79640687DBB8A64BFAC953CFA7625F7FFF	2F11A00CC5DD755C1E5054AEF16CE293716532140B3DDB0F0623ABD460F99571
C:\Users\user\AppData\Local\Deskriptiv155\Hjertere\phone-symbolic.svg	SVG Scalable Vector Graphics image	DA3858070B89AA5D3B4D5FC724BED12F	A923CDD523E0519E96147A05DE6D0024135127E4	3CC19ADDFE48119EB91D48E7FE510920394DC96F3006C384FFD4F63B92A73480
C:\Users\user\AppData\Local\Temp\nshED40.tmp	data	E0FD6297CF0E89D773C0AE44ED514229	EE4E3DEC2FFAD8B11887DD600B3A5D75982F0170	5511DCF0AEFA2FDE583BEB5703774277C3ECB68B48AFA8B5D7F89F641B1F87F3
C:\Users\user\AppData\Local\Temp\nshED41.tmp\System.dll	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows	17ED1C86BD67E78ADE4712BE48A7D2BD	1CC9FE86D6D6030B4DAE45ECDDCE5907991C01A0	BD046E6497B304E4EA4AB102CAB2B1F94CE09BDE0EEBBA4C59942A732679E4EB

AV Detection

Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	ReversingLabs: Detection: 47%
Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	Virustotal: Detection: 45%			Perma Link

Compliance

Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Spreading

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	Code function: 0_2_00406555 FindFirstFileW,FindClose,		0_2_00406555
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	Code function: 0_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_00405A03
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	Code function: 0_2_0040287E FindFirstFileW,		0_2_0040287E

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	File opened: C:\Users\user\AppData\Roaming			Jump to behavior
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	File opened: C:\Users\user			Jump to behavior
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft			Jump to behavior
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	File opened: C:\Users\user\AppData			Jump to behavior
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts			Jump to behavior
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows			Jump to behavior

Networking

Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Code function: 0_2_004054B0 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,FindCloseChangeNotification,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004054B0

System Summary

Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Code function: 0_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040344A

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

File created: C:\Windows\resources\0409

Jump to behavior

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	Code function: 0_2_004068DA		0_2_004068DA
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	Code function: 0_2_00404CED		0_2_00404CED

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Process Stats: CPU usage > 98%

Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	ReversingLabs: Detection: 47%
Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	Virustotal: Detection: 45%

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

File read: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Jump to behavior

Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Code function: 0_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040344A

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

File created: C:\Users\user\AppData\Local\Deskriptiv155

Jump to behavior

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nshED3F.tmp

Jump to behavior

Source: classification engine

Classification label: mal48.winEXE@1/7@0/0

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Code function: 0_2_00402104 CoCreateInstance,

0_2_00402104

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Code function: 0_2_00404771 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404771

Source: DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Code function: 0_2_10002DE0 push eax; ret

0_2_10002E0E

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Persistence and Installation Behavior

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nshED41.tmp\System.dll

Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	Code function: 0_2_00406555 FindFirstFileW,FindClose,		0_2_00406555
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	Code function: 0_2_00405A03 CloseHandle,GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_00405A03
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	Code function: 0_2_0040287E FindFirstFileW,		0_2_0040287E

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	API call chain: ExitProcess graph end node
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	API call chain: ExitProcess graph end node

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	File opened: C:\Users\user\AppData\Roaming			Jump to behavior
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	File opened: C:\Users\user			Jump to behavior
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft			Jump to behavior
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	File opened: C:\Users\user\AppData			Jump to behavior
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Printer Shortcuts			Jump to behavior
Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows			Jump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Code function: 0_2_10001B18 GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_10001B18

Language, Device and Operating System Detection

Source: C:\Users\user\Desktop\DPR602859651100125001V1100125154830E 3-2-2023#U00b7pdf.exe

Code function: 0_2_0040344A EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_0040344A