Edit tour

Windows Analysis Report
D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Overview

General Information

Sample name:	D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe renamed because original name is a hash value
Original sample name:	DZELTLD SZLEME-pdf.bat.exe
Analysis ID:	1518274
MD5:	8681ab3286a883dbfaad479b99aef9d1
SHA1:	c3df94522f79f288c5178083bb3085bb61f6ce01
SHA256:	3c74c62451d876da8642fc1b4f1e689b7b6d03aa74dd9baa0aefde62cd3c13b5
Tags:	exeguloaderuser-malwarelabnet
Infos:

Detection

GuLoader

Score:	64
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe (PID: 7468 cmdline: "C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe" MD5: 8681AB3286A883DBFAAD479B99AEF9D1)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3731251224.0000000004A2C000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

ReversingLabs: Detection: 28%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.2% probability

Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Code function: 0_2_0040687E FindFirstFileW,FindClose,	0_2_0040687E
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Code function: 0_2_00405C2D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C2D
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910

Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Code function: 0_2_004056E5 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_004056E5

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Code function: 0_2_004034FC EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,lstrlenW,wsprintfW,GetFileAttributesW,DeleteFileW,SetCurrentDirectoryW,CopyFileW,OleUninitialize,ExitProcess,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034FC

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Code function: 0_2_00406C3F		0_2_00406C3F
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Code function: 0_2_701C1BFF		0_2_701C1BFF

Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamenygifte.exe4 vs D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Binary or memory string: OriginalFilenamenygifte.exe4 vs D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal64.troj.evad.winEXE@1/9@0/0

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

0_2_004034FC

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Code function: 0_2_00404991 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,

0_2_00404991

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Code function: 0_2_004021AF CoCreateInstance,

0_2_004021AF

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

File created: C:\Users\user\polaritets

Jump to behavior

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

File created: C:\Users\user~1\AppData\Local\Temp\nsm4210.tmp

Jump to behavior

Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

ReversingLabs: Detection: 28%

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

File read: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Jump to behavior

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.3731251224.0000000004A2C000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Code function: 0_2_701C1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_701C1BFF

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Code function: 0_2_701C30C0 push eax; ret

0_2_701C30EE

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

File created: C:\Users\user\AppData\Local\Temp\nss458C.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

RDTSC instruction interceptor: First address: 50DF5D4 second address: 50DF5D4 instructions: 0x00000000 rdtsc 0x00000002 cmp cx, EA24h 0x00000007 cmp ebx, ecx 0x00000009 jc 00007FBE2144F33Ch 0x0000000b test ebx, 1A4ED6F3h 0x00000011 inc ebp 0x00000012 inc ebx 0x00000013 test dx, bx 0x00000016 rdtsc

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nss458C.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Code function: 0_2_0040687E FindFirstFileW,FindClose,	0_2_0040687E
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Code function: 0_2_00405C2D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_00405C2D
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	Code function: 0_2_00402910 FindFirstFileW,	0_2_00402910

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	API call chain: ExitProcess graph end node			graph_0-4910
Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	API call chain: ExitProcess graph end node			graph_0-4913

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Code function: 0_2_701C1BFF GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_701C1BFF

Source: C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

0_2_004034FC

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Access Token Manipulation	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	29%	ReversingLabs	Win32.Trojan.Guloader

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nss458C.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1518274
Start date and time:	2024-09-25 14:58:19 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 13s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe renamed because original name is a hash value
Original Sample Name:	DZELTLD SZLEME-pdf.bat.exe
Detection:	MAL
Classification:	mal64.troj.evad.winEXE@1/9@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 54 Number of non-executed functions: 31
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nss458C.tmp\System.dll	UMOWA_PD.BAT.exe	Get hash	malicious	FormBook, GuLoader	Browse
	UMOWA_PD.BAT.exe	Get hash	malicious	GuLoader	Browse
	Payment_Advice.1.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Payment_Advice..exe	Get hash	malicious	FormBook, GuLoader	Browse
	Payment_Advice..exe	Get hash	malicious	GuLoader	Browse
	Payment_Advice.1.bat.exe	Get hash	malicious	GuLoader	Browse
	Payment_Advice..exe	Get hash	malicious	GuLoader	Browse
	Payment_Advice..exe	Get hash	malicious	GuLoader	Browse
	Overdoers.exe	Get hash	malicious	FormBook, GuLoader	Browse
	Pedido_52038923_CotizacionS_max2024.bat.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nss458C.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	12288
Entropy (8bit):	5.805604762622714
Encrypted:	false
SSDEEP:	192:VjHcQ0qWTlt7wi5Aj/lM0sEWD/wtYbBjpNQybC7y+XZv0QPi:B/Qlt7wiij/lMRv/9V4bvr
MD5:	4ADD245D4BA34B04F213409BFE504C07
SHA1:	EF756D6581D70E87D58CC4982E3F4D18E0EA5B09
SHA-256:	9111099EFE9D5C9B391DC132B2FAF0A3851A760D4106D5368E30AC744EB42706
SHA-512:	1BD260CABE5EA3CEFBBC675162F30092AB157893510F45A1B571489E03EBB2903C55F64F89812754D3FE03C8F10012B8078D1261A7E73AC1F87C82F714BCE03D
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: UMOWA_PD.BAT.exe, Detection: malicious, Browse Filename: UMOWA_PD.BAT.exe, Detection: malicious, Browse Filename: Payment_Advice.1.bat.exe, Detection: malicious, Browse Filename: Payment_Advice..exe, Detection: malicious, Browse Filename: Payment_Advice..exe, Detection: malicious, Browse Filename: Payment_Advice.1.bat.exe, Detection: malicious, Browse Filename: Payment_Advice..exe, Detection: malicious, Browse Filename: Payment_Advice..exe, Detection: malicious, Browse Filename: Overdoers.exe, Detection: malicious, Browse Filename: Pedido_52038923_CotizacionS_max2024.bat.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...S.d...........!....."..................@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text.... .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.......*..............@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\polaritets\Brugerudtalelsen30.Pan

Download File

Process:	C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	350435
Entropy (8bit):	7.65262084357849
Encrypted:	false
SSDEEP:	6144:mKb/u4/ufpUdDwQDQPAVFfRSWT7FvrCeeFDLLyDTn3x/oq289/8jwxQVAvq:3/u4ufpU+yQPcRSWF+xB+L3NoqlW8x9C
MD5:	9AD9B86B31C31D272945A6FBEE0F02CC
SHA1:	8801326C827A8136F8FBB3CFEA4A18CF724B7DB3
SHA-256:	29E6367EA7491895A7886488D1B9728B4175EFB2A565B1A698EB5AE2E7661F5F
SHA-512:	2F458F6498316512FA1DCDB6A7F337BE8E0E034C9C660B89323C04931D5770FDB4B85C002462287242CD8B71DF6A6DEC7786FA1764EF82D2EEEB560EE3E46514
Malicious:	false
Reputation:	low
Preview:	..WW..1.ZZZZZZZ.p.%..............ffff........... .3....RR..........2...........z...........HHHHHHH....WW...+++........hh..................[[[..............{.......>.....................F.....................;;.........TT...........................\|...........b...+..x....#.u..M8.e5.L.).,..........A.....h- .]N......?......./...=ild\|3.4...TgtK...EQ.BY..7z;.}..p..........j%9.:qS...{...G...._F.....&....'f....h..F.....@a..ZV....b>.......HH..6.".2...........D....<..(1..OwC.......f.......:.'.....$.K@.........J..s........m.Ro\...W^...5."A..0.....5f.........+..x....#.u..M8.e5.L.).,...2C.......6......h- .]N......?......./...=ild\|3.4...TgtK...EQ.,.f......%Y..7z;.}..p.j%9.:qS...{...G...._F.........w.C.&....@a..ZV....b>.......HH..6.".2...........D....<..(1..OwC..n..A...f....B......'.....$.K@.........J..s........m.Ro\...W^...5."A..0....f...f.q....+..x....#.u..M8.e5.L.).,......f.b..A.....h- .]N......?......./...=ild\|3.4...TgtK...EQ.BY..7z;.}..p.......f.g

C:\Users\user\polaritets\Cronstedtite.Blo187

Download File

Process:	C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	143392
Entropy (8bit):	4.6129056498521
Encrypted:	false
SSDEEP:	1536:Tv6vTAGdJBwl0FwPFn1sya482iCr/F3OeQCWybIFGvMXhgdB0Rz0Ci3/DfeXc:WUgC0aB1PaCiCrxOL+yG0Xe850CkeM
MD5:	0D2B0FFC862A504CD5D61DD8E1C254F9
SHA1:	178BF178CAEEFCA4B824F3ACDF0C6A48362C1132
SHA-256:	F4D66D740C59C00A53D4116541DB7D08B440D38EB993872F143360B0949ED9DC
SHA-512:	E4177B9D2B5E11AD639F16B044A792230DED1D55B2EF98321C2FC6D7AA13B0BE139075218AF263D1FDA10944FF28F01D97FE0C56DB934F610F97336FC3B007CA
Malicious:	false
Reputation:	low
Preview:	...........C..........nn.............i......5555555..........4....... ....\.......<<.....:::::...........II.....}........\\.PPPPP.....N..y......4...OO.....k.....................\|..................................DD......................22222..[[[..p.v..;;;;.............q............................V.....FFFF......T.55......\\\......ll.......:.TTT.....e.'./..F...............//////......y........::......!!....GGG.........o...........................5....33333..999.............9....................gg............LLL.\\.........................k..............6..0...0..HH."......7......U.x.[.................................................p........................=....<........J...........d.I.....................C........&&&&&&....#.~.....""..............vvvvv............@..hh......................ii.........'''.'.'..ff............1....ZZZ.w.......A.............................o......t..............7.KKKK...............###....8.....ggggg....ddddd......................k.............ss........

C:\Users\user\polaritets\Observationsposters.tor

Download File

Process:	C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	97664
Entropy (8bit):	1.2371741628878217
Encrypted:	false
SSDEEP:	768:XEFQJPKWWG5ARWTJqBshVmdboj6UJY3VBCwYw2ZDRnv+mRQN:XUE/m2O3N
MD5:	2B4D5FD79400969869ED030F4803BE99
SHA1:	163C23302E2DA2B2265A7CD7ED08BE16A3853DCA
SHA-256:	49C47AAA67085C8B38D02DC0F1F792E83FA17D41CE16927888C9085F530E9DB4
SHA-512:	7EE103CCCC54B148E7AD62F37FF4ACFC4438436C6F75D15E5248CB19643348C70F2B63062712817002CE4D173E51A7A0C8B3851FCD0FC0D6E1302838909B1C2D
Malicious:	false
Reputation:	low
Preview:	...........4................................................K..............................................W.......................................N........................................................@...5..................o............................................)............................................................~....=.................................................................................2................................................5.........................!....................................f.....k....%..................................................................................H...............%.@....................................(...........$.................V..........................................................6..6...........................................................................\|....\................................................_........................y...................................................................6..

C:\Users\user\polaritets\drupes.ret

Download File

Process:	C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	244138
Entropy (8bit):	1.252663089946015
Encrypted:	false
SSDEEP:	768:cv49C5wBVa5O2Fx8p7KLOTSo3NTuAG15VTvfAX+H7v+uQVsfpqSC26Pn6DD/SNsg:JBQxurv96jREO3X2r
MD5:	BBD77A921062C9B6CBF4BEDFF50E1514
SHA1:	C25712C5F69E016A364E8898B59E7229E3C5E7A4
SHA-256:	E2882B3589FF6D9FA79AC2D88FC8DE8FD94BA046E8B9796203A4916C73731EAD
SHA-512:	9BDFC20EFFD587EC19B524E36D392F4863C8242C8D4C8C7F81164A0E0DF84C5BF1633400873D0F68C40079113F9F2568706642334FCFDCCE4C6E0B1D7D5FB660
Malicious:	false
Reputation:	low
Preview:	....'........................`............Z......`.................................$..................S........J.........................................................................................................................................................................-........................N....E.......................y.........................................A..........k.............................2...............................%.........................................P.........................................e........................w.....................p.........................o.......................................F........)........................................~................................................................u.....................................................<...............................}.9......................^.................c.................A..............O.........................................................................\|.

C:\Users\user\polaritets\quodlibetic.fes

Download File

Process:	C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	438128
Entropy (8bit):	1.2562406175237242
Encrypted:	false
SSDEEP:	1536:zN/79C7p5KmH/e6grFLDiN8w27kdDZK5M9aR:hyp5K4e6kFLoMV
MD5:	E883CEF7CF2793E15A52C9BAC1CDE472
SHA1:	1D4973110569354FA072BA3AFF0BD21EA0DF109A
SHA-256:	2FF67336CFEEE418E565B0C79855927FC0CD0B1E9F2F40A59F1CB7EF2328635A
SHA-512:	372BE015C3FA19C0EEAA981803900CA088B92188187A69697EEE808068F8033225BFD2927E2DB54EABEECAC05A421DC6CCCABFE19F39788B4F6D4E6F80CE04A5
Malicious:	false
Reputation:	low
Preview:	......q......y........................".........................................-....................................................n#............................Jj.........................................................................w.........................$................................................................i.............j.....K...................*.........................................=.........i..........0........~............................[......./.........,........Y.................~..............................................!.......w....................t....................F.......`........................................c.......................j................................................................................................".......................................<..............{..?.J............v........................................................................................................+..................+..................

C:\Users\user\polaritets\roere.hid

Download File

Process:	C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	15722
Entropy (8bit):	1.1774803541140593
Encrypted:	false
SSDEEP:	96:QlmaSsDp47EcNFpMw8GM4Zq+AUUnPMN61WN1:QbSc47/lv8n4Zq+AUQmy4
MD5:	A8FD81B22FDC76D0AAE4ABF40CC1E8F4
SHA1:	ECA25609E68636E12C3AB63D7E9F1B7717CE450A
SHA-256:	13148F74A847C0F474385F1E62C01A5065700A472BF689D7299D3F420A7CC45D
SHA-512:	7E0CE6444E0F402278704066AE74F442684B80959CB90CFABA6A3BBCA1EB754EEBCDE11A61FE17D8DE1F708F035BDC2C7825BF9E8F92D761CE0E78BA68544C6B
Malicious:	false
Preview:	.............L..........................M...................................................................{.........................H.....................................................................................................................................................................................................................................9......8.....'...............}..........................F......................A......aO..........k.....................................................................................P..................................j.......'..:..................................n..............................................~......t.....2...............................................................................{u................................'.................................#.......................................................................t.......j...............r.................................................................

C:\Users\user\polaritets\socialmedicin.sej

Download File

Process:	C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	38361
Entropy (8bit):	1.2166387306020765
Encrypted:	false
SSDEEP:	384:X+F+sq/qAweG+1AI4KbEElQxRqKJOPOXALDW3uYBspm5NfXDZ9:X6M/l17oEnYjP
MD5:	2BF0CAC964058C5B0D73930FC7412775
SHA1:	003BEC59CB10BDD8B5B760C14DB899637E85AFBE
SHA-256:	5A823D12E477927D5133F5B4DE1A5BCB0973FDBBDC4C966C821928CB439FC97A
SHA-512:	303CF2DE6CFC652A10E543E0F6484097042234C786624F1B67668CA254B03DE2CCF4D7EB0FB6E13172F605B1B4B742D8694CF3549952523753C5DDE741975564
Malicious:	false
Preview:	......4......;................g....................................V..................s................................................t........................]...L.........................j...........`.....L..................?........o.............................Oq........................................................................F..............................................................V..................................................C.........../.......{................................................................?...............g.............R....4................................w(........................................c..p.................a....................mt...&..............................X........................Z.......................D.................<.......................h..........b..........X........................................................................m...................0...............F............................w.............r.......

C:\Users\user\polaritets\toader.txt

Download File

Process:	C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	434
Entropy (8bit):	4.305884836882498
Encrypted:	false
SSDEEP:	12:mBX7vwwJDXCuNQLIU/0vkxuYAz8/p7QTrYSCmDEIHlwq+:mBXUWEzR7ylCeEUw
MD5:	3F6632F26EBA2C111F54C97312D4C4EA
SHA1:	8D3FB7505058C8C5CB22133C77213D6B37CDD5F9
SHA-256:	CE8824C6205F36A17C4476BF02839F065009CD15E88970E653CE5F6A89BD9954
SHA-512:	EED0879B222E9F074C109B2FA8548F441AD1A4C1CEF8EDB3BAE6D05308E2916061F2A2835E9252A2EDE27608435E40E8C52849B9DD8D38A5FBBEC995628D28E7
Malicious:	false
Preview:	kumquat equilibrious invector occludes vesteuroperen knippelfines,laparosplenotomy subagents skatkisternes sovehjertet angiospermous abastard caprate efterbyrdens exercised organisationsliniens puberties..ansvarhavendes unhumidified fordjelsesproces forureningsomraades,nondivisive famle illicitly lithophone lattins cubit rougens svmmebrillerne..untestamental transect subfestively subserviently hyldevarer.maaske pastoral overlooks,

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.957749119185549
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
File size:	567'532 bytes
MD5:	8681ab3286a883dbfaad479b99aef9d1
SHA1:	c3df94522f79f288c5178083bb3085bb61f6ce01
SHA256:	3c74c62451d876da8642fc1b4f1e689b7b6d03aa74dd9baa0aefde62cd3c13b5
SHA512:	9430594953d979cab8fc58dd493c8bc248cf70051093ac4c415addcf7c2c1c1c39a4c695aa89a6dcf42cb8596302d4d8be5ebe79e317a0b910de3fee5b49e2fb
SSDEEP:	12288:qX6kgpq5+/10ikjy6jEgMNtTJXPjQewu5xWUPJbbiEUW34/:qX68W1P6jEgMDFjmUBqEUW
TLSH:	F2C42351F630DA6BD54A3538273B937A05EE3C715150B74A2B64BFBFBC162C0990EAC2
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........1 ..PN..PN..PN._...PN..PO.JPN._...PN..s~..PN..VH..PN.Rich.PN.........................PE..L...c..d.................f...".....

File Icon


Icon Hash:	9193c9a1858b8db5

Static PE Info

General

Entrypoint:	0x4034fc
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x64A0DC63 [Sun Jul 2 02:09:39 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f4639a0b3116c2cfc71144b88a929cfd

Entrypoint Preview

Instruction
sub esp, 000003F8h
push ebp
push esi
push edi
push 00000020h
pop edi
xor ebp, ebp
push 00008001h
mov dword ptr [esp+20h], ebp
mov dword ptr [esp+18h], 0040A2D8h
mov dword ptr [esp+14h], ebp
call dword ptr [004080A4h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+34h]
push eax
mov dword ptr [esp+4Ch], ebp
mov dword ptr [esp+0000014Ch], ebp
mov dword ptr [esp+00000150h], ebp
mov dword ptr [esp+38h], 0000011Ch
call esi
test eax, eax
jne 00007FBE208180DAh
lea eax, dword ptr [esp+34h]
mov dword ptr [esp+34h], 00000114h
push eax
call esi
mov ax, word ptr [esp+48h]
mov ecx, dword ptr [esp+62h]
sub ax, 00000053h
add ecx, FFFFFFD0h
neg ax
sbb eax, eax
mov byte ptr [esp+0000014Eh], 00000004h
not eax
and eax, ecx
mov word ptr [esp+00000148h], ax
cmp dword ptr [esp+38h], 0Ah
jnc 00007FBE208180A8h
and word ptr [esp+42h], 0000h
mov eax, dword ptr [esp+40h]
movzx ecx, byte ptr [esp+3Ch]
mov dword ptr [00429AD8h], eax
xor eax, eax
mov ah, byte ptr [esp+38h]
movzx eax, ax
or eax, ecx
xor ecx, ecx
mov ch, byte ptr [esp+00000148h]
movzx ecx, cx
shl eax, 10h
or eax, ecx
movzx ecx, byte ptr [esp+0000004Eh]

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4c000	0x3440	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2a8	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6556	0x6600	dd25e171f2e0fe45f2800cc9e162537d	False	0.6652113970588235	data	6.456753840355455	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1358	0x1400	f0b500ff912dda10f31f36da3efc8a1e	False	0.44296875	data	5.102094016108248	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1fb38	0x600	2bc02714ee74ba781d92e94eeaccb080	False	0.501953125	data	4.040639308682379	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x22000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4c000	0x3440	0x3600	5950a4e36f0f510396fb34e6e03b573a	False	0.5579427083333334	data	5.567094918094419	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4c2f8	0xea8	Device independent bitmap graphic, 48 x 96 x 8, image size 2688	English	United States	0.7190831556503199
RT_ICON	0x4d1a0	0x8a8	Device independent bitmap graphic, 32 x 64 x 8, image size 1152	English	United States	0.7035198555956679
RT_ICON	0x4da48	0x668	Device independent bitmap graphic, 48 x 96 x 4, image size 1536	English	United States	0.33963414634146344
RT_ICON	0x4e0b0	0x568	Device independent bitmap graphic, 16 x 32 x 8, image size 320	English	United States	0.6423410404624278
RT_ICON	0x4e618	0x2e8	Device independent bitmap graphic, 32 x 64 x 4, image size 640	English	United States	0.39381720430107525
RT_ICON	0x4e900	0x128	Device independent bitmap graphic, 16 x 32 x 4, image size 192	English	United States	0.5101351351351351
RT_DIALOG	0x4ea28	0x100	data	English	United States	0.5234375
RT_DIALOG	0x4eb28	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x4ec48	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x4ed10	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x4ed70	0x5a	data	English	United States	0.7111111111111111
RT_VERSION	0x4edd0	0x248	data	English	United States	0.4811643835616438
RT_MANIFEST	0x4f018	0x423	XML 1.0 document, ASCII text, with very long lines (1059), with no line terminators	English	United States	0.5127478753541076

Imports

DLL	Import
ADVAPI32.dll	RegEnumValueW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, RegOpenKeyExW, RegCreateKeyExW
SHELL32.dll	SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW, ShellExecuteExW
ole32.dll	CoCreateInstance, OleUninitialize, OleInitialize, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, CreatePopupMenu, AppendMenuW, TrackPopupMenu, OpenClipboard, EmptyClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetSysColor, SetWindowPos, GetWindowLongW, IsWindowEnabled, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CharPrevW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndPaint, CharNextA, wsprintfA, DispatchMessageW, CreateWindowExW, PeekMessageW, GetSystemMetrics
GDI32.dll	GetDeviceCaps, SetBkColor, SelectObject, DeleteObject, CreateBrushIndirect, CreateFontIndirectW, SetBkMode, SetTextColor
KERNEL32.dll	lstrcmpiA, CreateFileW, GetTempFileNameW, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersionExW, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, WriteFile, CopyFileW, ExitProcess, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, Sleep, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW, MulDiv, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, SetEnvironmentVariableW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Target ID:	0
Start time:	08:59:17
Start date:	25/09/2024
Path:	C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"
Imagebase:	0x400000
File size:	567'532 bytes
MD5 hash:	8681AB3286A883DBFAAD479B99AEF9D1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.3731251224.0000000004A2C000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	19.6%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	16.3%
Total number of Nodes:	1603
Total number of Limit Nodes:	40

Executed Functions

Function 004034FC Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 464
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 0040351F
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?), ref: 0040354A
GetVersionExW.KERNEL32(?,?,?,?,?,?,?,?,?), ref: 0040355D
lstrlenA.KERNEL32(UXTHEME,UXTHEME,?,?,?,?,?,?,?,?), ref: 004035F6
#17.COMCTL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403633
OleInitialize.OLE32(00000000), ref: 0040363A
SHGetFileInfoW.SHELL32(00420EC8,00000000,?,000002B4,00000000), ref: 00403659
GetCommandLineW.KERNEL32(00428A20,NSIS Error,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040366E
CharNextW.USER32(00000000,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe",00000020,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe",00000000,?,00000008,0000000A,0000000C), ref: 004036A7
GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\,00000000,00008001,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037DF
GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037F0
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 004037FC
GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403810
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403818
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403829
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403831
DeleteFileW.KERNELBASE(1033,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403845
lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe",00000000,?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 0040391E

Part of subcall function 00406521: lstrcpynW.KERNEL32(?,?,00000400,0040366E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040652E

wsprintfW.USER32 ref: 0040397B
GetFileAttributesW.KERNEL32(880,C:\Users\user~1\AppData\Local\Temp\), ref: 004039AE
DeleteFileW.KERNEL32(880), ref: 004039BA
SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\), ref: 004039E8

Part of subcall function 004062E1: MoveFileExW.KERNEL32(?,?,00000005,00405DDF,?,00000000,000000F1,?,?,?,?,?), ref: 004062EB

CopyFileW.KERNEL32(C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,880,00000001,C:\Users\user~1\AppData\Local\Temp\,00000000), ref: 004039FE

Part of subcall function 00405B04: CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,00425F10,?,?,?,880,?), ref: 00405B2D
Part of subcall function 00405B04: CloseHandle.KERNEL32(?,?,?,880,?), ref: 00405B3A

Part of subcall function 0040687E: FindFirstFileW.KERNELBASE(771B3420,00425F58,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,00405F41,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C4D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 00406889
Part of subcall function 0040687E: FindClose.KERNEL32(00000000), ref: 00406895

OleUninitialize.OLE32(?,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A4C
ExitProcess.KERNEL32 ref: 00403A69
CloseHandle.KERNEL32(00000000,0042D000,0042D000,?,880,00000000), ref: 00403A70
GetCurrentProcess.KERNEL32(00000028,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00403A8C
OpenProcessToken.ADVAPI32(00000000,?,?,?,?,?,?,?,?), ref: 00403A93
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403AA8
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000,?,?,?,?,?,?,?,?), ref: 00403ACB
ExitWindowsEx.USER32(00000002,80040002), ref: 00403AF0
ExitProcess.KERNEL32 ref: 00403B13

Part of subcall function 00405ACF: CreateDirectoryW.KERNELBASE(?,00000000,004034EF,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405AD5

Strings

Error launching installer, xrefs: 004038C7
Low, xrefs: 00403812
C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, xrefs: 004039F9
"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe", xrefs: 00403674, 0040367A, 0040368F, 0040386D
880, xrefs: 0040395E, 0040398F, 004039AD, 004039B9, 004039F8, 00403A0A, 00403A37
TMP, xrefs: 0040382C
~nsu%X.tmp, xrefs: 00403972
C:\Users\user~1\AppData\Local\Temp\, xrefs: 004037D4, 004037D9, 004037EF, 004037FB, 0040380A, 00403817, 00403823, 0040382B, 00403919, 0040399A, 004039C6, 004039E7, 004039F0
SeShutdownPrivilege, xrefs: 00403AA2
1033, xrefs: 00403840
C:\Users\user\Desktop, xrefs: 0040393C
C:\Users\user\polaritets, xrefs: 004037C4, 004038E6, 00403933, 00403941
TEMP, xrefs: 00403824
C:\Users\user\polaritets, xrefs: 004038F1
\Temp, xrefs: 004037F6
UXTHEME, xrefs: 004035EA, 004035EF, 004035F5
NSIS Error, xrefs: 0040365F

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: File$Process$CloseDirectoryExit$CreateCurrentDeleteEnvironmentFindHandlePathTempTokenVariableVersionWindowslstrcatlstrlen$AdjustAttributesCharCommandCopyErrorFirstInfoInitializeLineLookupModeMoveNextOpenPrivilegePrivilegesUninitializeValuelstrcpynwsprintf
String ID: "C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"$1033$880$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe$C:\Users\user\polaritets$C:\Users\user\polaritets$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu%X.tmp
API String ID: 1813718867-708000906
Opcode ID: 861c3a791dac713e5dc6c418a8dec487fa289242a5d5f99aa186722fda572ff2
Instruction ID: bee44f309595f2ff458e9cecae568de25c9667724a66d0f49069eb89ae1a0629
Opcode Fuzzy Hash: 861c3a791dac713e5dc6c418a8dec487fa289242a5d5f99aa186722fda572ff2
Instruction Fuzzy Hash: FDF10170204301ABD720AF659D05B2B3EE8EB8570AF11483EF581B62D1DB7DCA45CB6E

Function 004056E5 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00405743
GetDlgItem.USER32(?,000003EE), ref: 00405752
GetClientRect.USER32(?,?), ref: 0040578F
GetSystemMetrics.USER32(00000002), ref: 00405796
SendMessageW.USER32(?,00001061,00000000,?), ref: 004057B7
SendMessageW.USER32(?,00001036,00004000,00004000), ref: 004057C8
SendMessageW.USER32(?,00001001,00000000,00000110), ref: 004057DB
SendMessageW.USER32(?,00001026,00000000,00000110), ref: 004057E9
SendMessageW.USER32(?,00001024,00000000,?), ref: 004057FC
ShowWindow.USER32(00000000,?,0000001B,000000FF), ref: 0040581E
ShowWindow.USER32(?,00000008), ref: 00405832
GetDlgItem.USER32(?,000003EC), ref: 00405853
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00405863
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 0040587C
SendMessageW.USER32(00000000,00002001,00000000,00000110), ref: 00405888
GetDlgItem.USER32(?,000003F8), ref: 00405761

Part of subcall function 004044D5: SendMessageW.USER32(00000028,?,00000001,00404300), ref: 004044E3

GetDlgItem.USER32(?,000003EC), ref: 004058A5
CreateThread.KERNELBASE(00000000,00000000,Function_00005679,00000000), ref: 004058B3
CloseHandle.KERNELBASE(00000000), ref: 004058BA
ShowWindow.USER32(00000000), ref: 004058DE
ShowWindow.USER32(?,00000008), ref: 004058E3
ShowWindow.USER32(00000008), ref: 0040592D
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405961
CreatePopupMenu.USER32 ref: 00405972
AppendMenuW.USER32(00000000,00000000,00000001,00000000), ref: 00405986
GetWindowRect.USER32(?,?), ref: 004059A6
TrackPopupMenu.USER32(00000000,00000180,?,?,00000000,?,00000000), ref: 004059BF
SendMessageW.USER32(?,00001073,00000000,?), ref: 004059F7
OpenClipboard.USER32(00000000), ref: 00405A07
EmptyClipboard.USER32 ref: 00405A0D
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00405A19
GlobalLock.KERNEL32(00000000), ref: 00405A23
SendMessageW.USER32(?,00001073,00000000,?), ref: 00405A37
GlobalUnlock.KERNEL32(00000000), ref: 00405A57
SetClipboardData.USER32(0000000D,00000000), ref: 00405A62
CloseClipboard.USER32 ref: 00405A68

Strings

{, xrefs: 0040594B

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlock
String ID: {
API String ID: 590372296-366298937
Opcode ID: bcd6524ca319c6da9779c5e50c73cceb5f6d9afdf0ecbcca2ead9855fe138ddf
Instruction ID: bfdbfabbc3eccdd340dcac883e36f8678c6b127a6a9b52dc92d7db9eae4071ee
Opcode Fuzzy Hash: bcd6524ca319c6da9779c5e50c73cceb5f6d9afdf0ecbcca2ead9855fe138ddf
Instruction Fuzzy Hash: FBB127B1900618FFDB11AF60DD89AAE7B79FB44354F00813AFA41B61A0CB754A92DF58

Function 701C1BFF Relevance: 20.1, APIs: 13, Instructions: 597stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 701C12BB: GlobalAlloc.KERNELBASE(00000040,?,701C12DB,?,701C137F,00000019,701C11CA,-000000A0), ref: 701C12C5

GlobalAlloc.KERNELBASE(00000040,00001CA4), ref: 701C1D2D
lstrcpyW.KERNEL32(00000008,?), ref: 701C1D75
lstrcpyW.KERNEL32(00000808,?), ref: 701C1D7F
GlobalFree.KERNEL32(00000000), ref: 701C1D92
GlobalFree.KERNEL32(?), ref: 701C1E74
GlobalFree.KERNEL32(?), ref: 701C1E79
GlobalFree.KERNEL32(?), ref: 701C1E7E
GlobalFree.KERNEL32(00000000), ref: 701C2068
lstrcpyW.KERNEL32(?,?), ref: 701C2222
GetModuleHandleW.KERNEL32(00000008), ref: 701C22A1
LoadLibraryW.KERNEL32(00000008), ref: 701C22B2
GetProcAddress.KERNEL32(?,?), ref: 701C230C
lstrlenW.KERNEL32(00000808), ref: 701C2326

Memory Dump Source

Source File: 00000000.00000002.3732328148.00000000701C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 701C0000, based on PE: true

Associated: 00000000.00000002.3732308554.00000000701C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732344875.00000000701C4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732362879.00000000701C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_701c0000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 6b06437f4f00289f4ccf1955d4146c906debd8f361eacf9c0cc0fa4c53919856
Instruction ID: 501d5b1d09cc96950cd5aac496ff9b6f943dfc90c8b2ba4cb92d76038b5b69a7
Opcode Fuzzy Hash: 6b06437f4f00289f4ccf1955d4146c906debd8f361eacf9c0cc0fa4c53919856
Instruction Fuzzy Hash: 8722AB71D80206DFCB128FA4C8843EFBBB5FB2A315F22456EE566E2680D774D981DB50

Function 00405C2D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"), ref: 00405C56
lstrcatW.KERNEL32(00424F10,\*.*,00424F10,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"), ref: 00405C9E
lstrcatW.KERNEL32(?,0040A014,?,00424F10,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"), ref: 00405CC1
lstrlenW.KERNEL32(?,?,0040A014,?,00424F10,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"), ref: 00405CC7
FindFirstFileW.KERNEL32(00424F10,?,?,?,0040A014,?,00424F10,?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"), ref: 00405CD7
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?,?,0000002E), ref: 00405D77
FindClose.KERNEL32(00000000), ref: 00405D86

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405C3A
"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe", xrefs: 00405C36
\*.*, xrefs: 00405C98

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"$C:\Users\user~1\AppData\Local\Temp\$\*.*
API String ID: 2035342205-2067410175
Opcode ID: 9251ba415d381c0528a68256adb7b13e134a55f337ff098e8b7b00a93e79b23f
Instruction ID: aec485693c4c1533f42b9347a66a6bbcb57ea8568fe9c979ecac7928daa7b7f5
Opcode Fuzzy Hash: 9251ba415d381c0528a68256adb7b13e134a55f337ff098e8b7b00a93e79b23f
Instruction Fuzzy Hash: 8741D230801A14BADB31BB659D4DAAF7678EF41718F14813FF801B11D5D77C8A829EAE

Function 0040687E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(771B3420,00425F58,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,00405F41,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C4D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 00406889
FindClose.KERNEL32(00000000), ref: 00406895

Strings

X_B, xrefs: 0040687F
C:\Users\user~1\AppData\Local\Temp\nss458C.tmp, xrefs: 0040687E

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp$X_B
API String ID: 2295610775-2462452876
Opcode ID: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
Instruction ID: 6d56574ea64d1328abe48e6f64e5cab5a12c2004fb3b9259b4ed260009733db8
Opcode Fuzzy Hash: 368a1c0a689282c2aa5195ddf357efb180b92b440bed087baa82a07527058284
Instruction Fuzzy Hash: AFD0123250A5205BC6406B386E0C84B7A58AF553717268A36F5AAF21E0CB788C6696AC

Function 00406C3F Relevance: 5.4, APIs: 4, Instructions: 382COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8964584eaf82ae0cb152a3b9d71f3809ce5605a589357672a1976e67bd0135b4
Instruction ID: 98dfc50ccd9688b87079ede1b44bfc78bfb7a95d74622a08e623e0ee65e5f8c5
Opcode Fuzzy Hash: 8964584eaf82ae0cb152a3b9d71f3809ce5605a589357672a1976e67bd0135b4
Instruction Fuzzy Hash: B2F17870D04229CBDF28CFA8C8946ADBBB0FF44305F25816ED456BB281D7786A86CF45

Function 00403FA1 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403FDD
ShowWindow.USER32(?), ref: 00403FFD
GetWindowLongW.USER32(?,000000F0), ref: 0040400F
ShowWindow.USER32(?,00000004), ref: 00404028
DestroyWindow.USER32 ref: 0040403C
SetWindowLongW.USER32(?,00000000,00000000), ref: 00404055
GetDlgItem.USER32(?,?), ref: 00404074
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00404088
IsWindowEnabled.USER32(00000000), ref: 0040408F
GetDlgItem.USER32(?,00000001), ref: 0040413A
GetDlgItem.USER32(?,00000002), ref: 00404144
SetClassLongW.USER32(?,000000F2,?), ref: 0040415E
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004041AF
GetDlgItem.USER32(?,00000003), ref: 00404255
ShowWindow.USER32(00000000,?), ref: 00404276
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00404288
EnableWindow.USER32(?,?), ref: 004042A3
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004042B9
EnableMenuItem.USER32(00000000), ref: 004042C0
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 004042D8
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 004042EB
lstrlenW.KERNEL32(00422F08,?,00422F08,00000000), ref: 00404315
SetWindowTextW.USER32(?,00422F08), ref: 00404329
ShowWindow.USER32(?,0000000A), ref: 0040445D

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Window$Item$MessageSendShow$Long$EnableMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 121052019-0
Opcode ID: f0b43cd8e7f2e41f431c118fff2888e9d111a3339ebed408ace792690fb64996
Instruction ID: 6cd4652e30ec862c23bd12a6162173760bab2c1fa5186c41ecc3a298f9dddab8
Opcode Fuzzy Hash: f0b43cd8e7f2e41f431c118fff2888e9d111a3339ebed408ace792690fb64996
Instruction Fuzzy Hash: 7FC1C0B1600204ABDB216F21EE49E2B3A69FB94709F41053EF751B51F0CB795882DB2E

Function 00403BF3 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00406915: GetModuleHandleA.KERNEL32(?,00000020,?,0040360C,0000000C,?,?,?,?,?,?,?,?), ref: 00406927
Part of subcall function 00406915: GetProcAddress.KERNEL32(00000000,?), ref: 00406942

lstrcatW.KERNEL32(1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe",00008001), ref: 00403C74
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\polaritets,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000,00000002,771B3420), ref: 00403CF4
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\polaritets,1033,00422F08,80000001,Control Panel\Desktop\ResourceLocale,00000000,00422F08,00000000), ref: 00403D07
GetFileAttributesW.KERNEL32(Call), ref: 00403D12
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\polaritets), ref: 00403D5B

Part of subcall function 00406468: wsprintfW.USER32 ref: 00406475

RegisterClassW.USER32(004289C0), ref: 00403D98
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403DB0
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403DE5
ShowWindow.USER32(00000005,00000000), ref: 00403E1B
GetClassInfoW.USER32(00000000,RichEdit20W,004289C0), ref: 00403E47
GetClassInfoW.USER32(00000000,RichEdit,004289C0), ref: 00403E54
RegisterClassW.USER32(004289C0), ref: 00403E5D
DialogBoxParamW.USER32(?,00000000,00403FA1,00000000), ref: 00403E7C

Strings

.exe, xrefs: 00403D01
RichEd32, xrefs: 00403E2F
.DEFAULT\Control Panel\International, xrefs: 00403C5F
RichEd20, xrefs: 00403E21
"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe", xrefs: 00403BF6
RichEdit20W, xrefs: 00403E3F, 00403E45
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403BF8
RichEdit, xrefs: 00403E4E
Control Panel\Desktop\ResourceLocale, xrefs: 00403C27
1033, xrefs: 00403C13, 00403C6F
Call, xrefs: 00403CBB, 00403CC4, 00403CD2, 00403D21, 00403D27
C:\Users\user\polaritets, xrefs: 00403C83, 00403C8B, 00403D2E, 00403D34, 00403D44
_Nb, xrefs: 00403D77, 00403DDF

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\polaritets$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-4035508068
Opcode ID: 0ef04955f1a6976a10593322067df9edaff6e7f7a832361b73f8beed2d85b6c9
Instruction ID: 6a74b9b34ded998ebd2751605f77428bf44f11e359ee0ac59d58ca77ea789e65
Opcode Fuzzy Hash: 0ef04955f1a6976a10593322067df9edaff6e7f7a832361b73f8beed2d85b6c9
Instruction Fuzzy Hash: 2C61B770200740BAD620AF669D46F2B3A7CEB84B45F81453FF941B61E2CB7D5942CB6D

Function 00403082 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403093
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,00000400), ref: 004030AF

Part of subcall function 00406011: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,80000000,00000003), ref: 00406015
Part of subcall function 00406011: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406037

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,80000000,00000003), ref: 004030FB
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403231

Strings

Error launching installer, xrefs: 004030D2
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403089
C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe, xrefs: 00403099, 004030A8, 004030BC, 004030DC
Null, xrefs: 00403179
soft, xrefs: 00403170
C:\Users\user\Desktop, xrefs: 004030DD, 004030E2, 004030E8
"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe", xrefs: 00403088
Inst, xrefs: 00403167
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403258

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-920863323
Opcode ID: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
Instruction ID: 0271efb430f2efbe2fca7880162b12dddab7439e54d706f300c55aed9b32fb97
Opcode Fuzzy Hash: f6f149303cde104692999693530b98443d3dd0b2c967e283c98aa5a581eac7be
Instruction Fuzzy Hash: 7B51C071A01304ABDB209F65DD85B9E7FACAB09316F10407BF904B62D1D7789E818B5D

Function 0040655E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 00406680
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll,?,?,00000000,00000000,00418EC0,00000000), ref: 00406696
SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 004066F4
CoTaskMemFree.OLE32(00000000,?,00000000,00000007), ref: 004066FD
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,00000000,Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll,?,?,00000000,00000000,00418EC0,00000000), ref: 00406728
lstrlenW.KERNEL32(Call,00000000,Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll,?,?,00000000,00000000,00418EC0,00000000), ref: 00406782

Strings

Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll, xrefs: 00406582
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406722
Call, xrefs: 0040658B, 00406645, 0040664C, 00406650, 00406669, 0040666A, 0040667F, 00406695, 004066C6, 004066F2, 00406727, 0040672D, 0040674A, 0040675D, 0040677B, 00406781, 0040678A, 004067BF
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406651

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrlen
String ID: Call$Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 4024019347-317080508
Opcode ID: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
Instruction ID: c1bee3e663878f3afad94de22ef935420ccf361ce06c76a1d76179cfc985cdfa
Opcode Fuzzy Hash: 14c9f03641932d7153c154bb414b77852189b75d1473d82c894b9adbe9647435
Instruction Fuzzy Hash: 266146B1A043019BDB205F28DD80B6B77E4AF84318F65053FF646B32D1DA7D89A18B5E

Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\polaritets,?,?,00000031), ref: 004017B5
CompareFileTime.KERNEL32(-00000014,?,Call,Call,00000000,00000000,Call,C:\Users\user\polaritets,?,?,00000031), ref: 004017DA

Part of subcall function 00406521: lstrcpynW.KERNEL32(?,?,00000400,0040366E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040652E

Part of subcall function 004055A6: lstrlenW.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000,?), ref: 004055DE
Part of subcall function 004055A6: lstrlenW.KERNEL32(004033F2,Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000), ref: 004055EE
Part of subcall function 004055A6: lstrcatW.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll,004033F2,004033F2,Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll,00000000,00418EC0,00000000), ref: 00405601
Part of subcall function 004055A6: SetWindowTextW.USER32(Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll,Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll), ref: 00405613
Part of subcall function 004055A6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405639
Part of subcall function 004055A6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405653
Part of subcall function 004055A6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405661

Strings

C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll, xrefs: 0040183A, 00401856
C:\Users\user\polaritets, xrefs: 004017A3
C:\Users\user~1\AppData\Local\Temp\nss458C.tmp, xrefs: 00401826, 00401844
Call, xrefs: 00401792, 0040179B, 004017BA, 004017C6, 004017FC, 00401812, 00401830, 0040186C, 004018ED, 004018F6, 00401900, 0040190B

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$CompareFileTextTimeWindowlstrcpyn
String ID: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp$C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll$C:\Users\user\polaritets$Call
API String ID: 1941528284-2872914338
Opcode ID: 8735ad9560c18e5a7f29f6a8244760e17f86ea249fb7e5f19f194b0f67ebe764
Instruction ID: 1777f765e23ed303a4c4324df0f40fc052c607b9e3f25272d24a03cacca2a4dc
Opcode Fuzzy Hash: 8735ad9560c18e5a7f29f6a8244760e17f86ea249fb7e5f19f194b0f67ebe764
Instruction Fuzzy Hash: 9E41A531900509BACF117BA9DD86DAF3AB5EF45328B20423FF512B10E1DB3C8A52966D

Function 004055A6 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000,?), ref: 004055DE
lstrlenW.KERNEL32(004033F2,Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000), ref: 004055EE
lstrcatW.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll,004033F2,004033F2,Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll,00000000,00418EC0,00000000), ref: 00405601
SetWindowTextW.USER32(Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll,Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll), ref: 00405613
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405639
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405653
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405661

Strings

Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll, xrefs: 004055C7, 004055D7, 004055DD, 00405600, 0040560C

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID: Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll
API String ID: 2531174081-1359906674
Opcode ID: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
Instruction ID: deb6953f75989b306d4e6df0e2073f5bc52164b7b2c012b705af3b177d86a23e
Opcode Fuzzy Hash: a9fafcf7327b9621bb894f8e2d9ac48d1397335c234e36f420f2517ccdad5277
Instruction Fuzzy Hash: 8F21B375900158BACB119FA5DD84ECFBF75EF45364F50803AF944B22A0C77A4A51CF68

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(?,?,?,?), ref: 0040275D
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 00402798
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 004027BB
MultiByteToWideChar.KERNEL32(?,00000008,?,00000000,?,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 004027D1

Part of subcall function 004060F2: SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 00406108

SetFilePointer.KERNEL32(?,?,?,00000001,?,?,00000002), ref: 0040287D

Strings

9, xrefs: 00402740

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: File$Pointer$ByteCharMultiWide$Read
String ID: 9
API String ID: 163830602-2366072709
Opcode ID: 0fe20a848d4a285c173513a47146d0bdd1f0b43cc80ef0beb9e6d9777ffbd6ad
Instruction ID: 4938fc2aff7960a3a7fedf371d3c64c497049ea43b58312dd80c80f6ae9549af
Opcode Fuzzy Hash: 0fe20a848d4a285c173513a47146d0bdd1f0b43cc80ef0beb9e6d9777ffbd6ad
Instruction Fuzzy Hash: 5051FB75D0421AABDF249FD4CA84AAEBB79FF04344F10817BE901B62D0D7B49D828B58

Function 004032B9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040331A
GetTickCount.KERNEL32 ref: 0040339B
MulDiv.KERNEL32(7FFFFFFF,00000064,?), ref: 004033C8
wsprintfW.USER32 ref: 004033DB

Strings

... %d%%, xrefs: 004033D5

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: bb69fc25e18161a0849df33240b9b7daf63c30e93ac5b68caaa3da3af3354023
Instruction ID: 25ee467b37f7358b1d8943912f63d539eb3ef7c07a249f5ee2dc3eaa61b9464a
Opcode Fuzzy Hash: bb69fc25e18161a0849df33240b9b7daf63c30e93ac5b68caaa3da3af3354023
Instruction Fuzzy Hash: 5B518E31900219EBCB11DF65DA44BAF3FA8AB40726F14417BF804BB2C1D7789E408BA9

Function 004068A5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068BC
wsprintfW.USER32 ref: 004068F7
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040690B

Strings

%s%S.dll, xrefs: 004068F1
UXTHEME, xrefs: 004068AE

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME
API String ID: 2200240437-1106614640
Opcode ID: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction ID: d40490b37a95929041f6b14fe17981fa15644a851550e805e000283098582d10
Opcode Fuzzy Hash: 7a73cbb44207cafadb11ab8eaaa41fd963bfa172cfc882b2dd9c54e233860d96
Instruction Fuzzy Hash: 41F0FC31511119AACF10BB64DD0DF9B375C9B00305F10847AE546F10D0EB789A68CBA8

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000,?,?,00100020,?,?,?), ref: 00402F02
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 00402F4E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F57
RegDeleteKeyW.ADVAPI32(?,?), ref: 00402F6E
RegCloseKey.ADVAPI32(?,?,?), ref: 00402F79

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction ID: 48bf034c557530f45265713f896c64b121a5f1f2f5b25ab6521791cb913d5ed3
Opcode Fuzzy Hash: 2404979ab5d72bd1f47e4c5d2100d154d2dcf156ce7fec90999c2a50aae3b712
Instruction Fuzzy Hash: 74215A7150010ABFDF119F90CE89EEF7B7DEB54388F110076B949B11A0D7B49E54AA68

Function 701C1817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 701C1BFF: GlobalFree.KERNEL32(?), ref: 701C1E74
Part of subcall function 701C1BFF: GlobalFree.KERNEL32(?), ref: 701C1E79
Part of subcall function 701C1BFF: GlobalFree.KERNEL32(?), ref: 701C1E7E

GlobalFree.KERNEL32(00000000), ref: 701C18C5
FreeLibrary.KERNEL32(?), ref: 701C194B
GlobalFree.KERNEL32(00000000), ref: 701C1970

Part of subcall function 701C243E: GlobalAlloc.KERNEL32(00000040,?), ref: 701C246F

Part of subcall function 701C2810: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,701C1896,00000000), ref: 701C28E0

Part of subcall function 701C1666: wsprintfW.USER32 ref: 701C1694

Strings

, xrefs: 701C1951

Memory Dump Source

Source File: 00000000.00000002.3732328148.00000000701C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 701C0000, based on PE: true

Associated: 00000000.00000002.3732308554.00000000701C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732344875.00000000701C4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732362879.00000000701C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_701c0000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: d2fdaaa097a89456b258ecd654d15cac7d99effd94222eebf06a0c5dccc2c90f
Instruction ID: e408b59234219bc7005faec62bc5615a01f8cc6792b1afb75f40dab5afa601d4
Opcode Fuzzy Hash: d2fdaaa097a89456b258ecd654d15cac7d99effd94222eebf06a0c5dccc2c90f
Instruction Fuzzy Hash: 6241CF728442419FCB009F60DC85B9F3BBCAF36314F154469FE069A68ADBB4D885C760

Function 00406040 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 0040605E
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,00000000,004034FA,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6), ref: 00406079

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00406045
nsa, xrefs: 0040604D

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user~1\AppData\Local\Temp\$nsa
API String ID: 1716503409-3083371207
Opcode ID: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction ID: 4304e6ca34acc2e603ac9508cdf3fa98200610ac432ccd05af3fd9fdb7d66135
Opcode Fuzzy Hash: 017de5c5da22b1c6cf72d7a8a287ef2c48f88e3ac937424cf3c6df762bd8e462
Instruction Fuzzy Hash: 58F09676B40204FBDB10CF55ED05F9EB7ACEB95750F11403AEE05F7140E6B099548768

Function 004015C6 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 00405E9B: CharNextW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,?,00405F0F,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C4D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"), ref: 00405EA9
Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EAE
Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EC6

GetFileAttributesW.KERNELBASE(?,?,00000000,0000005C,00000000,000000F0), ref: 0040161F

Part of subcall function 00405A75: CreateDirectoryW.KERNELBASE(?,?), ref: 00405AB7

SetCurrentDirectoryW.KERNELBASE(?,C:\Users\user\polaritets,?,00000000,000000F0), ref: 00401652

Strings

C:\Users\user\polaritets, xrefs: 00401645

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: CharNext$Directory$AttributesCreateCurrentFile
String ID: C:\Users\user\polaritets
API String ID: 1892508949-2790145093
Opcode ID: 4b68a463cc784b1945903bcff3764fd9da93cf801788bc1ee3673f5490bf8ecc
Instruction ID: ceaefb5432ba9a2b041ab88b04bec91c1a8495824eafa6d8534a6d53eb807851
Opcode Fuzzy Hash: 4b68a463cc784b1945903bcff3764fd9da93cf801788bc1ee3673f5490bf8ecc
Instruction Fuzzy Hash: 2D11D031504604ABCF206FA5CD4099F36B0EF04368B29493FE941B22E1DA3E4E819E8E

Function 004063EF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.KERNELBASE(?,00000000,00000000,?,?,00000800,00000000,?,?,?,?,Call,?,00000000,00406660,80000002), ref: 00406435
RegCloseKey.KERNELBASE(?), ref: 00406440

Strings

Call, xrefs: 004063F6

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 441e6d046e2572fd66e4c77006f0a98464fe89a944563537cf106c849ea921cc
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: 4F017172500209ABDF218F51CD05EDB3BA9EB54354F01403AFD1992191D738D968DF94

Function 00407074 Relevance: 5.2, APIs: 4, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aff26f2f30a057b7958a1e63094fc459aa306f2dc33e22a09454c964c074026f
Instruction ID: 2d246cc9a99bab59b70d05231fecbcf7b107c6ac3beee636f2a296df3f85dc82
Opcode Fuzzy Hash: aff26f2f30a057b7958a1e63094fc459aa306f2dc33e22a09454c964c074026f
Instruction Fuzzy Hash: 7DA14571E04228DBDF28CFA8C8546ADBBB1FF44305F10816AD856BB281D7786986DF45

Function 00407275 Relevance: 5.2, APIs: 4, Instructions: 208COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3ac8a4bfdb441625c816955e49305bbe8ba575533dfee591c2cbe8a61bd4ebd3
Instruction ID: 7b0bebd33542e08950ef610181a47380a5391ae5859bceecccad38cd1577eaed
Opcode Fuzzy Hash: 3ac8a4bfdb441625c816955e49305bbe8ba575533dfee591c2cbe8a61bd4ebd3
Instruction Fuzzy Hash: 90911370E04228CBDF28CF98C854BADBBB1FF44305F14816AD856BB291D778A986DF45

Function 00406F8B Relevance: 5.2, APIs: 4, Instructions: 205COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4946c792fe510ceb6f898f1d350858136886e798b9c642bfd65d449563e2a9d8
Instruction ID: bb56daa647bdc5b8eebe4baaa8fd529e9884befb34821132b6d53cadc5dab3c5
Opcode Fuzzy Hash: 4946c792fe510ceb6f898f1d350858136886e798b9c642bfd65d449563e2a9d8
Instruction Fuzzy Hash: 84814571E04228DBDF24CFA8C844BADBBB1FF44305F24816AD456BB281D778A986DF05

Function 00406A90 Relevance: 5.2, APIs: 4, Instructions: 198COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40acfd0569c51a0ed8326a41ceea3e1cadcd4e5eff2ca22ce679809f46488b45
Instruction ID: 4c059968f2e2b24eb1e5e0c9ef09b3253d11b2009d36a285a9eb138ea7c1b005
Opcode Fuzzy Hash: 40acfd0569c51a0ed8326a41ceea3e1cadcd4e5eff2ca22ce679809f46488b45
Instruction Fuzzy Hash: 5B815971E04228DBDF24CFA8C8447ADBBB0FF44305F20816AD456BB281D7786986DF45

Function 00406EDE Relevance: 5.2, APIs: 4, Instructions: 180COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ecfdc6a50dff7d8916ace13d1bdc0889b51af96eca2ccc09b1dd9eb10df24f6
Instruction ID: d60cf97a253a7e6a69b3ee1887f4eadeccf904993e12f72ad3f9abe973951288
Opcode Fuzzy Hash: 7ecfdc6a50dff7d8916ace13d1bdc0889b51af96eca2ccc09b1dd9eb10df24f6
Instruction Fuzzy Hash: A1711371E04228DBDF24CFA8C844BADBBB1FF44305F15806AD856BB281D778A986DF45

Function 00406FFC Relevance: 5.2, APIs: 4, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c11de4171378e898cf9dd0cf6cc2122b5d0c7e9a287f85b53884598f27a71e29
Instruction ID: 85b777fa610547d2183482adb232412925907ddbdaa1129d6a49a25a13354a82
Opcode Fuzzy Hash: c11de4171378e898cf9dd0cf6cc2122b5d0c7e9a287f85b53884598f27a71e29
Instruction Fuzzy Hash: 9D714671E04228DBDF28CF98C844BADBBB1FF44305F14816AD856BB281D778A986DF45

Function 00406F48 Relevance: 5.2, APIs: 4, Instructions: 168COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1fa58480ac5da56fa6cc6281bf6ff7b0f773126a89d504887f275dca7af18c3
Instruction ID: 068c41ea6699cb9b24c5d93e390f6e15a746ef4a0ce6273c00671ddd4a3661d6
Opcode Fuzzy Hash: f1fa58480ac5da56fa6cc6281bf6ff7b0f773126a89d504887f275dca7af18c3
Instruction Fuzzy Hash: E0715771E04228DBDF24CF98C844BADBBB1FF44305F15806AD856BB281C778AA86DF45

Function 004020DD Relevance: 4.6, APIs: 3, Instructions: 73libraryCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 00402108

Part of subcall function 004055A6: lstrlenW.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000,?), ref: 004055DE
Part of subcall function 004055A6: lstrlenW.KERNEL32(004033F2,Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll,00000000,00418EC0,00000000,?,?,?,?,?,?,?,?,?,004033F2,00000000), ref: 004055EE
Part of subcall function 004055A6: lstrcatW.KERNEL32(Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll,004033F2,004033F2,Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll,00000000,00418EC0,00000000), ref: 00405601
Part of subcall function 004055A6: SetWindowTextW.USER32(Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll,Skipped: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll), ref: 00405613
Part of subcall function 004055A6: SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405639
Part of subcall function 004055A6: SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405653
Part of subcall function 004055A6: SendMessageW.USER32(?,00001013,?,00000000), ref: 00405661

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 00402119
FreeLibrary.KERNEL32(?,?,000000F7,?,?,00000008,00000001,000000F0), ref: 00402196

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID:
API String ID: 334405425-0
Opcode ID: d9c937c8948d5d37c50d665afaa08982dd07723c7233c08654f6d387f6d988e5
Instruction ID: a8e1189db69026d3652efcc6ea6e12950466f7228f8283b9583ebcadfcee3162
Opcode Fuzzy Hash: d9c937c8948d5d37c50d665afaa08982dd07723c7233c08654f6d387f6d988e5
Instruction Fuzzy Hash: 8D215031904108BADF11AFA5CE49A9E7AB1BF44359F20413BF105B91E1CBBD89829A5D

Function 00401BA0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 72memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 00401C10
GlobalAlloc.KERNELBASE(00000040,00000804), ref: 00401C22

Strings

Call, xrefs: 00401BC7, 00401BCD, 00401BE7

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Global$AllocFree
String ID: Call
API String ID: 3394109436-1824292864
Opcode ID: e33d9b87315d49944383bdaefc5ba1c13c649625d32d96b536ae23307826b8e2
Instruction ID: 4f57f46d507340bd06d3479355973fa93edc06c360faa14cbfff374a5dc28ea7
Opcode Fuzzy Hash: e33d9b87315d49944383bdaefc5ba1c13c649625d32d96b536ae23307826b8e2
Instruction Fuzzy Hash: 5721F673904214EBDB30AFA8DE85A5F72B4AB08324714053FF642B32C4C6B8DC418B9D

Function 00402304 Relevance: 4.6, APIs: 3, Instructions: 51stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0040687E: FindFirstFileW.KERNELBASE(771B3420,00425F58,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,00405F41,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C4D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 00406889
Part of subcall function 0040687E: FindClose.KERNEL32(00000000), ref: 00406895

lstrlenW.KERNEL32 ref: 00402344
lstrlenW.KERNEL32(00000000), ref: 0040234F
SHFileOperationW.SHELL32(?,?,?,00000000), ref: 00402378

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: FileFindlstrlen$CloseFirstOperation
String ID:
API String ID: 1486964399-0
Opcode ID: c92c3ee3ae18d95aa1771da2fabd1cb2010788539e6b4ab8b952707b1b2048dc
Instruction ID: e570f7e88bbeadde5f19d209a5805755c0aba3de4ac721a8bb04e236ab5037c1
Opcode Fuzzy Hash: c92c3ee3ae18d95aa1771da2fabd1cb2010788539e6b4ab8b952707b1b2048dc
Instruction Fuzzy Hash: 93117071D00318AADB10EFF9DD09A9EB6B8AF14308F10443FA401FB2D1D6BCC9418B59

Function 004025A3 Relevance: 4.5, APIs: 3, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004025D6
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004025E9
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,00000000,00000011,00000002), ref: 00402602

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: ba34c4ace152f4771e18115f26e31f873f7731feb8842bd8527d51c3f02d9afa
Instruction ID: fdeb1b79bd1b5feb028a75c257e649ad2cddb418c0fd83a6570d1db0005c2465
Opcode Fuzzy Hash: ba34c4ace152f4771e18115f26e31f873f7731feb8842bd8527d51c3f02d9afa
Instruction Fuzzy Hash: 7D017171904205BFEB149F949E58AAF7678FF40308F10443EF505B61C0DBB84E41976D

Function 0040252F Relevance: 3.1, APIs: 2, Instructions: 56registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000033), ref: 00402560
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,00000000,00000011,00000002), ref: 00402602

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: CloseQueryValue
String ID:
API String ID: 3356406503-0
Opcode ID: 56531dfc69c8a788bac7fcb245dee4885a6b683f52a9ec3ede9407be23b67ed3
Instruction ID: b0e4e1b430255f92fa12a8c2637aeeefdc8d450e0dea4cce8f1fdd2cec8de2f5
Opcode Fuzzy Hash: 56531dfc69c8a788bac7fcb245dee4885a6b683f52a9ec3ede9407be23b67ed3
Instruction Fuzzy Hash: 61116A71900219EBDF14DFA0DA989AEB7B4BF04349F20447FE406B62C0D7B84A45EB5E

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(0040A2D8,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
Instruction ID: 2b867b2a322a557ec20ecaa395e060e0be7e2a6973b32d365fcb6e947ad1390c
Opcode Fuzzy Hash: 24120cd7971efbcf380a3cfcf85aef56aa5faf56da28ec4d1ccb8bb0957475b6
Instruction Fuzzy Hash: 9E01F4327242209BE7195B389D05B6B3798E710314F10863FF855F66F1DA78CC429B4C

Function 00402439 Relevance: 3.0, APIs: 2, Instructions: 39registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040245B
RegCloseKey.ADVAPI32(00000000), ref: 00402464

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 729ecf5bba26eed59db8e40ba0825d20aa39ecfc350fd83ab66bb719c7a4b8e3
Instruction ID: 823524eaaa32c5521ce5516f6f818df3cdafdbc5371ac3c1d9ba599ed9425974
Opcode Fuzzy Hash: 729ecf5bba26eed59db8e40ba0825d20aa39ecfc350fd83ab66bb719c7a4b8e3
Instruction Fuzzy Hash: 46F06232A04520ABDB10BBA89A8DAEE62B5AF54314F11443FE502B71C1CAFC4D02976D

Function 00405A75 Relevance: 3.0, APIs: 2, Instructions: 26COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,?), ref: 00405AB7
GetLastError.KERNEL32 ref: 00405AC5

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction ID: 25953aab165e2e3bb2b5eb59dc1d6ee29197e23c9d0e5a802ce790cbbbfebc39
Opcode Fuzzy Hash: 93d1f65b513afb97053b6d969de6af344d99c991354c8e43ed6bd2c6eb9068ab
Instruction Fuzzy Hash: 33F0F4B1D1060EDADB00DFA4C6497EFBBB4AB04309F04812AD941B6281D7B982488FA9

Function 00401EE3 Relevance: 3.0, APIs: 2, Instructions: 25COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00401F01
EnableWindow.USER32(00000000,00000000), ref: 00401F0C

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: b342668e68410e2d968fedd3eb79c8682b657b25800b9077b5ecd2124e99ac37
Instruction ID: a6cb0e5ea3b461fc76251f348ffd86be0a73501dc920cd99368f231d5504fafc
Opcode Fuzzy Hash: b342668e68410e2d968fedd3eb79c8682b657b25800b9077b5ecd2124e99ac37
Instruction Fuzzy Hash: F2E09A36A082049FE705EBA8AE484AEB3B0EB40325B200A7FE001F11C0CBB94C00866C

Function 00406915 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,0040360C,0000000C,?,?,?,?,?,?,?,?), ref: 00406927
GetProcAddress.KERNEL32(00000000,?), ref: 00406942

Part of subcall function 004068A5: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004068BC
Part of subcall function 004068A5: wsprintfW.USER32 ref: 004068F7
Part of subcall function 004068A5: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040690B

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction ID: 5852e889d14e736f2df1098d3b7202b06462132acdc852f75f804bf3a6ff6809
Opcode Fuzzy Hash: 38b25401b771ecf209a524bd0999a173af8b0ad39984603ae0a2953bb283c85e
Instruction Fuzzy Hash: FCE08673604310EBD61056755D04D2773A8AF95A50302483EFD46F2144D738DC32A66A

Function 00406011 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,80000000,00000003), ref: 00406015
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406037

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction ID: 9d50a09f5748d4f60ef03139cc16a9656d1073ae209d3065c053d14625e31d4c
Opcode Fuzzy Hash: 6be4d53c09d0ea7202590e2ef391dde9d68f005235e9a58d36352f422cb06a2c
Instruction Fuzzy Hash: 87D09E31654301AFEF098F20DE16F2EBAA2EB84B00F11552CB682941E0DA715819DB15

Function 00405ACF Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,004034EF,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405AD5
GetLastError.KERNEL32(?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405AE3

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction ID: c141ebc68f4164d0a3663fa1b1ea49181af819f28e12deb644bc081b11005b13
Opcode Fuzzy Hash: 7ce514c051633c67dabed91c1ba2c830ad6f4192d7236d4c27a26ed09d9cb01d
Instruction Fuzzy Hash: 5DC08C30300A02DACF000B218F087073950AB00380F19483AA582E00A0CA308044CD2D

Function 00402896 Relevance: 1.5, APIs: 1, Instructions: 28COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 004028B4

Part of subcall function 00406468: wsprintfW.USER32 ref: 00406475

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: FilePointerwsprintf
String ID:
API String ID: 327478801-0
Opcode ID: c408762c6ae6a09676534d13277c6868af0c4062816ce02b100207dfef7a20c8
Instruction ID: 3ecce12b6213660a705480fd24811c4b14f3d13bc743ad81d22bf59cde18bc7d
Opcode Fuzzy Hash: c408762c6ae6a09676534d13277c6868af0c4062816ce02b100207dfef7a20c8
Instruction Fuzzy Hash: 8DE06D71904208AFDB01ABA5AA498AEB379EB44344B10483FF101B10C0CA794C119A2D

Function 0040173A Relevance: 1.5, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

SearchPathW.KERNELBASE(?,00000000,?,00000400,?,?,000000FF), ref: 0040174E

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: PathSearch
String ID:
API String ID: 2203818243-0
Opcode ID: 96c3c64599610033e1741a12b780745032a27335a1d6010ee521e40a3137f023
Instruction ID: 71d187b5cc8d7de3a3c01a98f906eab562aacc0ad357dac51c0352885440fd59
Opcode Fuzzy Hash: 96c3c64599610033e1741a12b780745032a27335a1d6010ee521e40a3137f023
Instruction Fuzzy Hash: D9E04871204104ABE700DB64DD48EAA7778DB5035CF20453AE511A60D1E6B55905971D

Function 004060C3 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040347F,00000000,00414EC0,?,00414EC0,?,000000FF,00000004,00000000), ref: 004060D7

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction ID: de33e43015841e90b47a85578f5cc3acb86098a1fa118a6604a55d69533944a7
Opcode Fuzzy Hash: 4494c28c6fc58b77f7b94402ffbb10e79d92760fb9961e7d9dbcb201027e3d13
Instruction Fuzzy Hash: 41E08C3224022AABCF109E508D00EEB3B6CEB003A0F018433FD26E2090D630E83197A4

Function 00406094 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,000000FF,?,004034B1,00000000,00000000,00403308,000000FF,00000004,00000000,00000000,00000000), ref: 004060A8

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction ID: fd87eb1c4e4509ee71b5dc1f82ee1534a3bbef2287d177a98c1a1ef8e7fccbc0
Opcode Fuzzy Hash: 076a4193e787d8b2f8fcded04b516b0b1a94860d7d4352c54bed072072f3bbd3
Instruction Fuzzy Hash: 11E08C3229021AEBDF119E50CC00AEB7BACEB043A0F018436FD22E3180D671E83187A9

Function 701C2A7F Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(701C505C,00000004,00000040,701C504C), ref: 701C2A9D

Memory Dump Source

Source File: 00000000.00000002.3732328148.00000000701C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 701C0000, based on PE: true

Associated: 00000000.00000002.3732308554.00000000701C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732344875.00000000701C4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732362879.00000000701C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_701c0000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: d022d9631aa6bfff8f1b15f3ec3880c396015be5e57ec1649b7de03932096c37
Instruction ID: 9d2b33e990ed4dd5d844e1ba6c3b96c4e474bd3df7cd22692949deb021dd1785
Opcode Fuzzy Hash: d022d9631aa6bfff8f1b15f3ec3880c396015be5e57ec1649b7de03932096c37
Instruction Fuzzy Hash: 2CF0A5B2544280DEC350CF2A8C6472B3FE0B728308BB4456AF588D6A60E374C4E4DBA9

Function 0040638E Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00000000,?,?,00000000,?,0040641C,?,?,?,?,Call,?,00000000), ref: 004063B2

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction ID: 99177681843bc7d8b33aa39255ce29306f0e35401c43de39655aaedf71f86506
Opcode Fuzzy Hash: 8ee5b0d2344bda13eae74e7442d869633e0228d129a7f9cdea9876c3f2a2c01f
Instruction Fuzzy Hash: DAD0173204020DBBDF119E90ED01FAB3B6DAB08350F014826FE06A40A0D776D534ABA8

Function 004015A8 Relevance: 1.5, APIs: 1, Instructions: 18COMMON

Download Yara Rule

APIs

SetFileAttributesW.KERNELBASE(00000000,?,000000F0), ref: 004015B3

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: 58434a7e7cdfb0d0f19199f5504f69f984a7681d240ae9cdceb23cdc370956f4
Instruction ID: f79479eb79e616cc8aec51f56aa6edc525cb8d4391243906608abe1f76efb7bb
Opcode Fuzzy Hash: 58434a7e7cdfb0d0f19199f5504f69f984a7681d240ae9cdceb23cdc370956f4
Instruction Fuzzy Hash: 3DD05B72B08204DBDB01DBE8EA48A9E73B09B50328F20893BD111F11D0D6B9C945A75D

Function 004044A0 Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

SetDlgItemTextW.USER32(?,?,00000000), ref: 004044BA

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: ItemText
String ID:
API String ID: 3367045223-0
Opcode ID: 9f5f9317995870dd68fcf34551989b3f9c33a874f6e62bdf9e4bbf2fb329bfe5
Instruction ID: ae2ead1ac10e0797e36fe1c05e7dcabccdaa2022beaf041c85de5a3ae6598913
Opcode Fuzzy Hash: 9f5f9317995870dd68fcf34551989b3f9c33a874f6e62bdf9e4bbf2fb329bfe5
Instruction Fuzzy Hash: C9C08C71008200BFD241BB08CC02F1FB3AAEF90325F00C42EB15CA10D2C63595308A26

Function 004044EC Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044FE

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
Instruction ID: 5c877ab33ec7e7ab303c696e8a99d36134f19a60efc45403e0926baa73fdbb46
Opcode Fuzzy Hash: c543a5305144ba01004fe0d35289a86565b01ad173ebec7ef44f324a9b2ac024
Instruction Fuzzy Hash: 9AC09BF57413017BDA209F509D45F1777585790710F15453D7350F50E0CBB4E450D61D

Function 004044D5 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,00404300), ref: 004044E3

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
Instruction ID: a1e91a2b22b377b77c28deac9acb262fc7b3ebada01c3a2f9bc193e64980b6bc
Opcode Fuzzy Hash: 0b5dc737e690c2697fce459c5807109f7a0ee7b6821d5e504b87bae23edcb368
Instruction Fuzzy Hash: E9B09236690A40AADA215B00DE09F867B62A7A8701F008438B240640B0CAB204A1DB08

Function 004034B4 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,00403247,?), ref: 004034C2

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction ID: 1f5c7ae16c2334422adcad36111bde95194575cbdac9b1f52e29a9f6e91cc98e
Opcode Fuzzy Hash: 9851be0de28bb9513f6e500a0df6ea838ed72b99fd7baa621d8f85bec57c8f40
Instruction Fuzzy Hash: 34B01271240300BFDA214F00DF09F057B21ABA0700F10C034B388380F086711035EB0D

Function 004044C2 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,00404299), ref: 004044CC

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
Instruction ID: bf70c606a766814dc6d2ff6c1013b69bc1ca18b78975ad7518874070628387b3
Opcode Fuzzy Hash: 1338f86397f00e2d38996c3f1ae94053e56d426343b35a23e1e428530b57d47f
Instruction Fuzzy Hash: BEA00176544900ABCA16AB50EF0980ABB72BBA8701B528879A285510388B725921FB19

Function 701C2B98 Relevance: 1.4, APIs: 1, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 701C2C57

Memory Dump Source

Source File: 00000000.00000002.3732328148.00000000701C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 701C0000, based on PE: true

Associated: 00000000.00000002.3732308554.00000000701C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732344875.00000000701C4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732362879.00000000701C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_701c0000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: fa27c35f1a1893ae4652323a06ac6751f1086de64e16746e6446324c00b5156c
Instruction ID: b7aed2f75d6b314dde7959963604641324b9a99f74f643726654b6d560988e15
Opcode Fuzzy Hash: fa27c35f1a1893ae4652323a06ac6751f1086de64e16746e6446324c00b5156c
Instruction Fuzzy Hash: FA416C735002049FDB119FA5DD96B6F3B78FB74354F3084A9F406C6960D638E8A0DB95

Function 004014D7 Relevance: 1.3, APIs: 1, Instructions: 19sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNELBASE(00000000), ref: 004014EA

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Sleep
String ID:
API String ID: 3472027048-0
Opcode ID: 5065bf49ec89ca03d4d81e0e626b625f4b0a8bbe3ca9100aab93803b3529547f
Instruction ID: a775f6773ee6fca20605c15f6de2f930d7ecc582f877687dc3caa15317c5c1fc
Opcode Fuzzy Hash: 5065bf49ec89ca03d4d81e0e626b625f4b0a8bbe3ca9100aab93803b3529547f
Instruction Fuzzy Hash: 8ED05E73A142008BD710EBB8BE854AF73B8EA403193204C3BD102E1191E6788902461C

Function 701C12BB Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,701C12DB,?,701C137F,00000019,701C11CA,-000000A0), ref: 701C12C5

Memory Dump Source

Source File: 00000000.00000002.3732328148.00000000701C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 701C0000, based on PE: true

Associated: 00000000.00000002.3732308554.00000000701C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732344875.00000000701C4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732362879.00000000701C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_701c0000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: f930c7c5b286903213ba831c3ab7468af236b4a04612c4fb176f0c1f65bef345
Instruction ID: 84f723251f0919806357adf6da711d896dbf35e30594514c8ab93ca1d9c0301c
Opcode Fuzzy Hash: f930c7c5b286903213ba831c3ab7468af236b4a04612c4fb176f0c1f65bef345
Instruction Fuzzy Hash: 94B012726400009FEF008B15DC0AF363A64F700300F340010BB00C1450C560C8208534

Non-executed Functions

Function 00404991 Relevance: 23.0, APIs: 10, Strings: 3, Instructions: 275stringCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004049E0
SetWindowTextW.USER32(00000000,?), ref: 00404A0A
SHBrowseForFolderW.SHELL32(?), ref: 00404ABB
CoTaskMemFree.OLE32(00000000), ref: 00404AC6
lstrcmpiW.KERNEL32(Call,00422F08,00000000,?,?), ref: 00404AF8
lstrcatW.KERNEL32(?,Call), ref: 00404B04
SetDlgItemTextW.USER32(?,000003FB,?), ref: 00404B16

Part of subcall function 00405B65: GetDlgItemTextW.USER32(?,?,00000400,00404B4D), ref: 00405B78

Part of subcall function 004067CF: CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034D7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406832
Part of subcall function 004067CF: CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406841
Part of subcall function 004067CF: CharNextW.USER32(?,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034D7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406846
Part of subcall function 004067CF: CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034D7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406859

GetDiskFreeSpaceW.KERNEL32(00420ED8,?,?,0000040F,?,00420ED8,00420ED8,?,00000001,00420ED8,?,?,000003FB,?), ref: 00404BD9
MulDiv.KERNEL32(?,0000040F,00000400), ref: 00404BF4

Part of subcall function 00404D4D: lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DEE
Part of subcall function 00404D4D: wsprintfW.USER32 ref: 00404DF7
Part of subcall function 00404D4D: SetDlgItemTextW.USER32(?,00422F08), ref: 00404E0A

Strings

Call, xrefs: 00404AF2, 00404AF7, 00404B02
A, xrefs: 00404AB4
C:\Users\user\polaritets, xrefs: 00404AE1

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: CharItemText$Next$Free$BrowseDiskFolderPrevSpaceTaskWindowlstrcatlstrcmpilstrlenwsprintf
String ID: A$C:\Users\user\polaritets$Call
API String ID: 2624150263-2366791404
Opcode ID: 2c04f043fab078114f436bc2b0f460e04cb31fe4a389aa85165ae8fc382e2e95
Instruction ID: 030197d704291a410dcd06cfc4277a043b64cd4f667f0077e3e502e998d69d3f
Opcode Fuzzy Hash: 2c04f043fab078114f436bc2b0f460e04cb31fe4a389aa85165ae8fc382e2e95
Instruction Fuzzy Hash: CBA1A0B1900208ABDB11AFA5DD45AAF77B8EF84314F11803BF611B62D1D77C9A418B6D

Function 004021AF Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 129comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004084DC,?,00000001,004084CC,?,?,00000045,000000CD,00000002,000000DF,000000F0), ref: 0040222E

Strings

C:\Users\user\polaritets, xrefs: 0040226E

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user\polaritets
API String ID: 542301482-2790145093
Opcode ID: 18b8905a52bb68317a5b1bf06e2d786d8dd953d3db2333650e4a3939e0f89523
Instruction ID: 8307c529eb9feefa1617cd4f78f27985085e4fae61a1ffd37fb0b3adda41be3b
Opcode Fuzzy Hash: 18b8905a52bb68317a5b1bf06e2d786d8dd953d3db2333650e4a3939e0f89523
Instruction Fuzzy Hash: 00410575A00209AFCB40DFE4C989EAD7BB5FF48308B20456EF505EB2D1DB799982CB54

Function 00402910 Relevance: 1.5, APIs: 1, Instructions: 30fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 0040291F

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: 6ffcda492f923abc76daec6159b81a3f5593eca79e3a3c3abc80d0637868bc28
Instruction ID: a06f58704ac02dcae893024ea8a23b5ac4ca5f5a8623c8e138aed3c50dac2e18
Opcode Fuzzy Hash: 6ffcda492f923abc76daec6159b81a3f5593eca79e3a3c3abc80d0637868bc28
Instruction Fuzzy Hash: 44F05E71A04104AAD711EBE4E9499AEB378EF14314F60057BE101F21D0DBB84D019B2A

Function 00404F0D Relevance: 63.5, APIs: 33, Strings: 3, Instructions: 489windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404F25
GetDlgItem.USER32(?,00000408), ref: 00404F30
GlobalAlloc.KERNEL32(00000040,?), ref: 00404F7A
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 00404F91
SetWindowLongW.USER32(?,000000FC,0040551A), ref: 00404FAA
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 00404FBE
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 00404FD0
SendMessageW.USER32(?,00001109,00000002), ref: 00404FE6
SendMessageW.USER32(?,0000111C,00000000,00000000), ref: 00404FF2
SendMessageW.USER32(?,0000111B,00000010,00000000), ref: 00405004
DeleteObject.GDI32(00000000), ref: 00405007
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00405032
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 0040503E
SendMessageW.USER32(?,00001132,00000000,?), ref: 004050D9
SendMessageW.USER32(?,0000110A,00000003,00000110), ref: 00405109

Part of subcall function 004044D5: SendMessageW.USER32(00000028,?,00000001,00404300), ref: 004044E3

SendMessageW.USER32(?,00001132,00000000,?), ref: 0040511D
GetWindowLongW.USER32(?,000000F0), ref: 0040514B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00405159
ShowWindow.USER32(?,00000005), ref: 00405169
SendMessageW.USER32(?,00000419,00000000,?), ref: 00405264
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 004052C9
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 004052DE
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 00405302
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 00405322
ImageList_Destroy.COMCTL32(?), ref: 00405337
GlobalFree.KERNEL32(?), ref: 00405347
SendMessageW.USER32(?,0000014E,00000000,00000000), ref: 004053C0
SendMessageW.USER32(?,00001102,?,?), ref: 00405469
SendMessageW.USER32(?,0000113F,00000000,00000008), ref: 00405478
InvalidateRect.USER32(?,00000000,00000001), ref: 004054A3
ShowWindow.USER32(?,00000000), ref: 004054F1
GetDlgItem.USER32(?,000003FE), ref: 004054FC
ShowWindow.USER32(00000000), ref: 00405503

Strings

, xrefs: 004054DB
N, xrefs: 004051A2
M, xrefs: 004050C1

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: MessageSend$Window$Image$ItemList_LongShow$Global$AllocCreateDeleteDestroyFreeInvalidateLoadMaskedObjectRect
String ID: $M$N
API String ID: 2564846305-813528018
Opcode ID: 963d0e2195837636cb6f5b073c234fd9fc9862b141633064f8114fc5dd327728
Instruction ID: 467e9106b9ab4b1e9b2d04e68362d71007c986f05034cc4a0cb7dcf353c6e141
Opcode Fuzzy Hash: 963d0e2195837636cb6f5b073c234fd9fc9862b141633064f8114fc5dd327728
Instruction Fuzzy Hash: 16029B70A00609EFDB20DF95DD45AAF7BB5FB44314F10817AE610BA2E1D7B98A42CF58

Function 0040465F Relevance: 37.0, APIs: 19, Strings: 2, Instructions: 204windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,-0000040A,00000001), ref: 004046FD
GetDlgItem.USER32(?,000003E8), ref: 00404711
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 0040472E
GetSysColor.USER32(?), ref: 0040473F
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 0040474D
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 0040475B
lstrlenW.KERNEL32(?), ref: 00404760
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 0040476D
SendMessageW.USER32(00000000,00000449,00000110,00000110), ref: 00404782
GetDlgItem.USER32(?,0000040A), ref: 004047DB
SendMessageW.USER32(00000000), ref: 004047E2
GetDlgItem.USER32(?,000003E8), ref: 0040480D
SendMessageW.USER32(00000000,0000044B,00000000,00000201), ref: 00404850
LoadCursorW.USER32(00000000,00007F02), ref: 0040485E
SetCursor.USER32(00000000), ref: 00404861
LoadCursorW.USER32(00000000,00007F00), ref: 0040487A
SetCursor.USER32(00000000), ref: 0040487D
SendMessageW.USER32(00000111,00000001,00000000), ref: 004048AC
SendMessageW.USER32(00000010,00000000,00000000), ref: 004048BE

Strings

Call, xrefs: 0040483C
N, xrefs: 004047FB

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: MessageSend$Cursor$Item$Load$ButtonCheckColorlstrlen
String ID: Call$N
API String ID: 3103080414-3438112850
Opcode ID: d465d3d5382bb59059b47d3503e7a252332af71f120e52871dcbc052c6d80ab7
Instruction ID: fa786ba7610ecb1ae21ae2169d8ef808fc0b2da043ab7544d4c43deaa2774949
Opcode Fuzzy Hash: d465d3d5382bb59059b47d3503e7a252332af71f120e52871dcbc052c6d80ab7
Instruction Fuzzy Hash: 7F61B3B1A00209BFDB10AF64DD85A6A7B79FB84354F00843AFB05B61D0D7B9AD61CF58

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 125COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,00000046,?,?), ref: 0040102C
BeginPaint.USER32(?,?), ref: 00401047
GetClientRect.USER32(?,?), ref: 0040105B
CreateBrushIndirect.GDI32(00000000), ref: 004010CF
FillRect.USER32(00000000,?,00000000), ref: 004010E4
DeleteObject.GDI32(?), ref: 004010ED
CreateFontIndirectW.GDI32(?), ref: 00401105
SetBkMode.GDI32(00000000,00000001), ref: 00401126
SetTextColor.GDI32(00000000,000000FF), ref: 00401130
SelectObject.GDI32(00000000,?), ref: 00401140
DrawTextW.USER32(00000000,00428A20,000000FF,00000010,00000820), ref: 00401156
SelectObject.GDI32(00000000,00000000), ref: 00401160
DeleteObject.GDI32(?), ref: 00401165
EndPaint.USER32(?,?), ref: 0040116E

Strings

F, xrefs: 0040100C

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
Instruction ID: d1034cbb9d528375343357a353c0022e70e8214492c202610c441178c5bfc5cd
Opcode Fuzzy Hash: fcc37e75e13d0dca8524aaa06a8ee829d240d30c68f9aadea354bd02ab1c226a
Instruction Fuzzy Hash: FC417B71800249AFCB058FA5DE459AFBBB9FF45314F00802EF592AA1A0CB74DA55DFA4

Function 00406167 Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406302,?,?), ref: 004061A2
GetShortPathNameW.KERNEL32(?,004265A8,00000400), ref: 004061AB

Part of subcall function 00405F76: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F86
Part of subcall function 00405F76: lstrlenA.KERNEL32(00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB8

GetShortPathNameW.KERNEL32(?,00426DA8,00000400), ref: 004061C8
wsprintfA.USER32 ref: 004061E6
GetFileSize.KERNEL32(00000000,00000000,00426DA8,C0000000,00000004,00426DA8,?,?,?,?,?), ref: 00406221
GlobalAlloc.KERNEL32(00000040,0000000A,?,?,?,?), ref: 00406230
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00406268
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,004261A8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 004062BE
GlobalFree.KERNEL32(00000000), ref: 004062CF
CloseHandle.KERNEL32(00000000,?,?,?,?), ref: 004062D6

Part of subcall function 00406011: GetFileAttributesW.KERNELBASE(00000003,004030C2,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,80000000,00000003), ref: 00406015
Part of subcall function 00406011: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000), ref: 00406037

Strings

[Rename], xrefs: 00406250, 00406262
%ls=%ls, xrefs: 004061DC

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
Instruction ID: d8f03b5b48010a369f687ed07a259b5d04d98e8e290d987932ab0f9f84d7b5e4
Opcode Fuzzy Hash: ad23c2c12608704314c1a1c2d98a70ea5e027cecb5ac03fef5858bd56b87dd73
Instruction Fuzzy Hash: 89313230201325BFD6207B659D48F2B3A6CDF41714F12007EBA02F62C2EA7D98218ABD

Function 004067CF Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034D7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406832
CharNextW.USER32(?,?,?,00000000,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00406841
CharNextW.USER32(?,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe",771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034D7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406846
CharPrevW.USER32(?,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,00000000,004034D7,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00406859

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 004067D0
*?|<>/":, xrefs: 00406821
"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe", xrefs: 00406813

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"$*?|<>/":$C:\Users\user~1\AppData\Local\Temp\
API String ID: 589700163-2468298975
Opcode ID: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction ID: 2d41fa7b6770246c30beeceb47eb68b435a53440eacd13368e2f30b8c56315d6
Opcode Fuzzy Hash: d9890b2689dddc4776a4db6af1629ac80bd1bcc56ba6148264ccbff8cf15ab87
Instruction Fuzzy Hash: A511935680121296DB303B14CC44ABB66E8AF54794F52C03FE999732C1E77C5C9296BD

Function 00404507 Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404524
GetSysColor.USER32(00000000), ref: 00404562
SetTextColor.GDI32(?,00000000), ref: 0040456E
SetBkMode.GDI32(?,?), ref: 0040457A
GetSysColor.USER32(?), ref: 0040458D
SetBkColor.GDI32(?,?), ref: 0040459D
DeleteObject.GDI32(?), ref: 004045B7
CreateBrushIndirect.GDI32(?), ref: 004045C1

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction ID: 524417ed32742d4b72cd17798d780815826fd18a7bcb7bb0f1ed1fdd1052d135
Opcode Fuzzy Hash: 9dba601b91aff6ac4bf2e5f3eaee39d76022ea5146a5c84035e03d3d84c8d27c
Instruction Fuzzy Hash: B22135B1500705AFCB319F78DD08B577BF5AF81714B048A2DEA96A26E0D738D944CB54

Function 701C2480 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 701C25C2

Part of subcall function 701C12CC: lstrcpynW.KERNEL32(00000000,?,701C137F,00000019,701C11CA,-000000A0), ref: 701C12DC

GlobalAlloc.KERNEL32(00000040), ref: 701C2548
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 701C2563

Strings

@H3w, xrefs: 701C257C

Memory Dump Source

Source File: 00000000.00000002.3732328148.00000000701C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 701C0000, based on PE: true

Associated: 00000000.00000002.3732308554.00000000701C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732344875.00000000701C4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732362879.00000000701C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_701c0000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID: @H3w
API String ID: 4216380887-4275297014
Opcode ID: c944477257a2c6920e839515054f67bd327e1f24b9ef15753396424a4b34abc5
Instruction ID: 8eec5f38a7e45f98fafefb3bbbb3deab5e6db6c7dc9aa9dc2223cd3966cd2a24
Opcode Fuzzy Hash: c944477257a2c6920e839515054f67bd327e1f24b9ef15753396424a4b34abc5
Instruction Fuzzy Hash: 11418BB1008205DFD7189F25D854BAF7BB8FB78310F2149ADF94687A90EB70E544DB61

Function 00404E5B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 48windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 00404E76
GetMessagePos.USER32 ref: 00404E7E
ScreenToClient.USER32(?,?), ref: 00404E98
SendMessageW.USER32(?,00001111,00000000,?), ref: 00404EAA
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00404ED0

Strings

f, xrefs: 00404EAC

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction ID: cfceae8db68972c520d490933057d7cb8d8acba3ea2256e028311c612775fba1
Opcode Fuzzy Hash: 3b05e908374c5eb3ed0cc07743cf8bdf4b6f619b857b2f4ef42225a5e6fc1927
Instruction Fuzzy Hash: A3015E7190021CBADB00DB94DD85BFFBBBCAF95B11F10412BBA51B61D0C7B49A418BA4

Function 00402F98 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402FB6
MulDiv.KERNEL32(0008A6E8,00000064,0008A8EC), ref: 00402FE1
wsprintfW.USER32 ref: 00402FF1
SetWindowTextW.USER32(?,?), ref: 00403001
SetDlgItemTextW.USER32(?,00000406,?), ref: 00403013

Strings

verifying installer: %d%%, xrefs: 00402FEB

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
Instruction ID: f83dc0eaaa7e9df2961e53678d13a3899a4bf5fcca0c0537cb294ee04905d4b1
Opcode Fuzzy Hash: 7c72eb226873640f15370cd8631d515f33e7e0e766319f11269e715f4bf9c46b
Instruction Fuzzy Hash: EF014F71640208BBEF209F60DD49FEE3B69AB44345F108039FA06A51D0DBB99A559F58

Function 701C2655 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 701C12BB: GlobalAlloc.KERNELBASE(00000040,?,701C12DB,?,701C137F,00000019,701C11CA,-000000A0), ref: 701C12C5

GlobalFree.KERNEL32(?), ref: 701C2743
GlobalFree.KERNEL32(00000000), ref: 701C2778

Memory Dump Source

Source File: 00000000.00000002.3732328148.00000000701C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 701C0000, based on PE: true

Associated: 00000000.00000002.3732308554.00000000701C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732344875.00000000701C4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732362879.00000000701C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_701c0000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 10190cf44f148025f833f1e60989072eede437eb717b7111fa5a4629d6c6eb62
Instruction ID: 9e45d14817b2502cdb2eb474079383aae5062158aba9d084d469f51e4f921201
Opcode Fuzzy Hash: 10190cf44f148025f833f1e60989072eede437eb717b7111fa5a4629d6c6eb62
Instruction Fuzzy Hash: 8D31BE72508201DFC7168F55CDD4E6F7BBAFBB630433145A9F60283A20C770E8649B61

Function 00402955 Relevance: 9.1, APIs: 6, Instructions: 91memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 004029B6
GlobalAlloc.KERNEL32(00000040,?,00000000,?), ref: 004029D2
GlobalFree.KERNEL32(?), ref: 00402A0B
GlobalFree.KERNEL32(00000000), ref: 00402A1E
CloseHandle.KERNEL32(?,?,?,?,?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A3A
DeleteFileW.KERNEL32(?,00000000,40000000,00000002,00000000,00000000,000000F0), ref: 00402A4D

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID:
API String ID: 2667972263-0
Opcode ID: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
Instruction ID: 66908bbe9354c3b59104e874c770ae4161d9466efedc1f742b63756e9967f80f
Opcode Fuzzy Hash: b07bb42a36a53ac2b652948ec131e563e6f6be8de0f89c4bf93d81cf64cebf1f
Instruction Fuzzy Hash: 54319E71900128ABCF21AFA5CE49D9E7E79AF44364F10423AF514762E1CB794C429FA8

Function 701C1979 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 701C19DA
GlobalFree.KERNEL32(?), ref: 701C1B7A
GlobalFree.KERNEL32(?), ref: 701C1B7F

Memory Dump Source

Source File: 00000000.00000002.3732328148.00000000701C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 701C0000, based on PE: true

Associated: 00000000.00000002.3732308554.00000000701C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732344875.00000000701C4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732362879.00000000701C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_701c0000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: edbd402a6cab877b8b9b36fbec96f2a0b1393b283ebf15d4ae6b54635ce9890a
Instruction ID: 44373922988d6d9882321a5b21476bcfd3360bf778bf8c96e670064f9f64ef32
Opcode Fuzzy Hash: edbd402a6cab877b8b9b36fbec96f2a0b1393b283ebf15d4ae6b54635ce9890a
Instruction Fuzzy Hash: AC51D432D80159AECB029FA4C8407AFBBBAEF77314F23815DE406A3714E671ED458B91

Function 00401D86 Relevance: 7.6, APIs: 5, Instructions: 75windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401D9F
GetClientRect.USER32(?,?), ref: 00401DEA
LoadImageW.USER32(?,?,?,?,?,?), ref: 00401E1A
SendMessageW.USER32(?,00000172,?,00000000), ref: 00401E2E
DeleteObject.GDI32(00000000), ref: 00401E3E

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: b4553b6f8f96a3615d4cb1d74016621c3cb3daa09826911c1e5c071ec9b0e61c
Instruction ID: 002387d4b88dbb62f40c54eb0dee3f9a721ef30fc2dbb8ae50818b7fec09efb0
Opcode Fuzzy Hash: b4553b6f8f96a3615d4cb1d74016621c3cb3daa09826911c1e5c071ec9b0e61c
Instruction Fuzzy Hash: 0F21F872A00119AFCB15DF98DE45AEEBBB5EB08304F14003AF945F62A0D7789D41DB98

Function 00401E53 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32(?), ref: 00401E56
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401E70
MulDiv.KERNEL32(00000000,00000000), ref: 00401E78
ReleaseDC.USER32(?,00000000), ref: 00401E89
CreateFontIndirectW.GDI32(0040CDC8), ref: 00401ED8

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectRelease
String ID:
API String ID: 3808545654-0
Opcode ID: 12fc5c0feb0b51e7a773ba9164babbc76b3b82788c0ea370a0f868ab0e4caa48
Instruction ID: 1c21784e8a12ec6bf8935da156a17e2c336e66cb5fe6e154f3a2125ab74843e9
Opcode Fuzzy Hash: 12fc5c0feb0b51e7a773ba9164babbc76b3b82788c0ea370a0f868ab0e4caa48
Instruction Fuzzy Hash: 5A018871954240EFE7015BB4AE9ABDD3FB5AF15301F10497AF141B61E2C6B90445DB3C

Function 701C16BD Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,701C22D8,?,00000808), ref: 701C16D5
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,701C22D8,?,00000808), ref: 701C16DC
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,701C22D8,?,00000808), ref: 701C16F0
GetProcAddress.KERNEL32(701C22D8,00000000), ref: 701C16F7
GlobalFree.KERNEL32(00000000), ref: 701C1700

Memory Dump Source

Source File: 00000000.00000002.3732328148.00000000701C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 701C0000, based on PE: true

Associated: 00000000.00000002.3732308554.00000000701C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732344875.00000000701C4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732362879.00000000701C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_701c0000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: fd7fe89706c68dc66746fa7f553d5a1396756c7146a5e464841c5ad73f91cfed
Instruction ID: 254172a4c89638eae0595a2b8e6f22fac2914db54a6326e4ecfa53aaf1ddace4
Opcode Fuzzy Hash: fd7fe89706c68dc66746fa7f553d5a1396756c7146a5e464841c5ad73f91cfed
Instruction Fuzzy Hash: CAF0127314A1387BD62017A79C4CDDB7E9DEF8B2F5B110225F718911A085618C11D7F1

Function 00401C48 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(00000000,00000000,?,?,?,00000002,?), ref: 00401CB8
SendMessageW.USER32(00000000,00000000,?,?), ref: 00401CD0

Strings

!, xrefs: 00401C84

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 0b60248b2d317c3fadb7ed9affa728e8142f9e62085aaabdbec9824b10747ad3
Instruction ID: dc9a0f57bab323a5eda2152a626e9899419b02716f24503a8b80c8a4184e75e9
Opcode Fuzzy Hash: 0b60248b2d317c3fadb7ed9affa728e8142f9e62085aaabdbec9824b10747ad3
Instruction Fuzzy Hash: E921AD71D1421AAFEB05AFA4D94AAFE7BB0EF84304F10453EF601B61D0D7B84941CB98

Function 00404D4D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00422F08,00422F08,?,%u.%u%s%s,00000005,00000000,00000000,?,000000DC,00000000,?,000000DF,00000000,00000400,?), ref: 00404DEE
wsprintfW.USER32 ref: 00404DF7
SetDlgItemTextW.USER32(?,00422F08), ref: 00404E0A

Strings

%u.%u%s%s, xrefs: 00404DD8

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
Instruction ID: 33e626053c854acaf0ea976fdeb40ece7b69d158cb37adfcb571004cb6629101
Opcode Fuzzy Hash: 808c56ceb77bc8fa6bb0a4fcfba6dc4e55d7e9e185af3d36fc5e6f51395c7837
Instruction Fuzzy Hash: 2C11EB7360412877DB00666DAC46EAE329DDF85334F250237FA66F31D5EA79C92242E8

Function 0040248F Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,00000023,00000011,00000002), ref: 004024DA
RegSetValueExW.ADVAPI32(?,?,?,?,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,00000000,00000011,00000002), ref: 0040251A
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,00000000,00000011,00000002), ref: 00402602

Strings

C:\Users\user~1\AppData\Local\Temp\nss458C.tmp, xrefs: 004024CB, 004024D9, 004024F0, 00402504, 0040250F

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp
API String ID: 2655323295-4219337211
Opcode ID: 8b31c99460fdf6c2949f4debf72b45d412ee72b0ef63aad6f5470ffe0bc1fffc
Instruction ID: 9515a87f615354861ff9cc8d48f56862c3e7cd04d157db2ad705c0a1b7eb65e0
Opcode Fuzzy Hash: 8b31c99460fdf6c2949f4debf72b45d412ee72b0ef63aad6f5470ffe0bc1fffc
Instruction Fuzzy Hash: 45116D71900118BEEB11EFA5DE59AAEBAB4AF54318F10443FF504B61C1C7B98E419A58

Function 00405EF8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406521: lstrcpynW.KERNEL32(?,?,00000400,0040366E,00428A20,NSIS Error,?,00000008,0000000A,0000000C), ref: 0040652E

Part of subcall function 00405E9B: CharNextW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,?,00405F0F,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C4D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"), ref: 00405EA9
Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EAE
Part of subcall function 00405E9B: CharNextW.USER32(00000000), ref: 00405EC6

lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C4D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"), ref: 00405F51
GetFileAttributesW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,00000000,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C4D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\), ref: 00405F61

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405EF8
C:\Users\user~1\AppData\Local\Temp\nss458C.tmp, xrefs: 00405EFE, 00405F03, 00405F09, 00405F4A, 00405F50, 00405F58, 00405F60

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user~1\AppData\Local\Temp\nss458C.tmp
API String ID: 3248276644-944238664
Opcode ID: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
Instruction ID: 4f97f4adca9055af25af7ef058e1e83d315c20be799ec2f088cafe79a8eb74c9
Opcode Fuzzy Hash: db39f955a116f1e539d990513461dc7a207fa728de065fffbfa736c70f2b9a34
Instruction Fuzzy Hash: DAF0F435115E5326D622323A2C49AAF1A05CEC2324B55453FF891B22C2DF3C89538DBE

Function 00405E9B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,?,00405F0F,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,C:\Users\user~1\AppData\Local\Temp\nss458C.tmp,771B3420,?,C:\Users\user~1\AppData\Local\Temp\,00405C4D,?,771B3420,C:\Users\user~1\AppData\Local\Temp\,"C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe"), ref: 00405EA9
CharNextW.USER32(00000000), ref: 00405EAE
CharNextW.USER32(00000000), ref: 00405EC6

Strings

C:\Users\user~1\AppData\Local\Temp\nss458C.tmp, xrefs: 00405E9C

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp
API String ID: 3213498283-4219337211
Opcode ID: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
Instruction ID: c4cc3313bff2df52cb6c0caf4e8c88866a305d48728ab5da0ab5d468dade8cef
Opcode Fuzzy Hash: a019630038ff328a8ec37a6ad8a5e0fa1ea3fa9b42c133706ff5938ffc5cdd25
Instruction Fuzzy Hash: E4F0F631910F2595DA317764CC44E7766B8EB54351B00803BD282B36C1DBF88A819FEA

Function 00405DF0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,004034E9,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405DF6
CharPrevW.USER32(?,00000000,?,C:\Users\user~1\AppData\Local\Temp\,004034E9,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,004037E6,?,00000008,0000000A,0000000C), ref: 00405E00
lstrcatW.KERNEL32(?,0040A014,?,00000008,0000000A,0000000C,?,?,?,?,?,?,?,?), ref: 00405E12

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405DF0

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 2659869361-2382934351
Opcode ID: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction ID: dcf52917e326d6ada13c2a72ecce68a7b96b6e8782615359caad44c872c99b85
Opcode Fuzzy Hash: 1ad634ba4b40e47f3a67f9c69e663da68b942b7adec5edae9754e9c2c01f4b37
Instruction Fuzzy Hash: EBD05EB1101634AAC2116B48AC04CDF62AC9E86704381402AF141B20A6C7785D6296ED

Function 701C10E1 Relevance: 6.4, APIs: 5, Instructions: 145memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 701C1171
GlobalAlloc.KERNEL32(00000040,?), ref: 701C11E3
GlobalFree.KERNEL32 ref: 701C124A
GlobalFree.KERNEL32(?), ref: 701C129B
GlobalFree.KERNEL32(00000000), ref: 701C12B1

Memory Dump Source

Source File: 00000000.00000002.3732328148.00000000701C1000.00000020.00000001.01000000.00000004.sdmp, Offset: 701C0000, based on PE: true

Associated: 00000000.00000002.3732308554.00000000701C0000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732344875.00000000701C4000.00000002.00000001.01000000.00000004.sdmpDownload File
Associated: 00000000.00000002.3732362879.00000000701C6000.00000002.00000001.01000000.00000004.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_701c0000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: a0b4d21306e992031b4c9411e066762e5f2d75c99c6aec7f0a11c5410cba7ee5
Instruction ID: ee34be766da49b1eaeb505768981bd721aeb1dcb5202218d5e49cbba40145b37
Opcode Fuzzy Hash: a0b4d21306e992031b4c9411e066762e5f2d75c99c6aec7f0a11c5410cba7ee5
Instruction Fuzzy Hash: F4519FBA580201DFD700CF69C855B6B7BB8FB26315B264129FA06DBB20E774ED60CB50

Function 00402643 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 65stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll), ref: 0040269A

Strings

C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll, xrefs: 0040265E, 00402683, 00402695, 004026E1
C:\Users\user~1\AppData\Local\Temp\nss458C.tmp, xrefs: 00402688

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\nss458C.tmp$C:\Users\user~1\AppData\Local\Temp\nss458C.tmp\System.dll
API String ID: 1659193697-731789202
Opcode ID: 34c7efb81093797c11027e5546ec3e843140785abad449b49019a9492c78efcd
Instruction ID: 24c820640bf83c35ca015f911653a3ecbd9f7363fc1a8715c972f2d02b23d4ac
Opcode Fuzzy Hash: 34c7efb81093797c11027e5546ec3e843140785abad449b49019a9492c78efcd
Instruction Fuzzy Hash: 11113A72A40311BBCB00BBB19E46EAE36709F50748F60443FF402F61C0D6FD4991565E

Function 0040301E Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,004031FC,00000001), ref: 00403031
GetTickCount.KERNEL32 ref: 0040304F
CreateDialogParamW.USER32(0000006F,00000000,00402F98,00000000), ref: 0040306C
ShowWindow.USER32(00000000,00000005), ref: 0040307A

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 1f524868e2ec5e9a115d67c2f52ec07950574c6e8f58c79c8196e6c31eccfe04
Instruction ID: fc94ebd698381dfc42c8ec832a7b78cf8da54aaf5e1058e2af7a384a9ccf94d3
Opcode Fuzzy Hash: 1f524868e2ec5e9a115d67c2f52ec07950574c6e8f58c79c8196e6c31eccfe04
Instruction Fuzzy Hash: 0FF05471602621ABC6306F50BD08A9B7E69FB44B53F41087AF045B11A9CB7548828B9C

Function 0040551A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405549
CallWindowProcW.USER32(?,?,?,?), ref: 0040559A

Part of subcall function 004044EC: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004044FE

Strings

, xrefs: 0040552A

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
Instruction ID: 85372f17a9103eb01fcdfd8a19690b8d052d76dd043ca16804f8a0d8951f02ed
Opcode Fuzzy Hash: 8a6e7ab2b2ebc920f12c2d5b2b2096f2e9954bb0ec9a095f665350d4b71d8349
Instruction Fuzzy Hash: 53017171200609BFDF309F51DD80AAB362AFB84750F540437FA047A1D5C7B98D52AE69

Function 00403B5E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,771B3420,00000000,C:\Users\user~1\AppData\Local\Temp\,00403B36,00403A4C,?,?,00000008,0000000A,0000000C), ref: 00403B78
GlobalFree.KERNEL32(0064F920), ref: 00403B7F

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403B5E

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 1100898210-2382934351
Opcode ID: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
Instruction ID: 6899552f53244e150386b1952d758f3f927a5bb415edc3c38dc9ad64461d36a3
Opcode Fuzzy Hash: 628ac1cb43285a1a84ac4c7f875ed8910a03c7a164280e3efa8a6a131abbe062
Instruction Fuzzy Hash: 59E08C3250102057CA211F05ED04B1AB7B8AF45B27F06452AE8407B26287B42C838FD8

Function 00405E3C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,80000000,00000003), ref: 00405E42
CharPrevW.USER32(80000000,00000000,80000000,C:\Users\user\Desktop,004030EE,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,C:\Users\user\Desktop\D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe,80000000,00000003), ref: 00405E52

Strings

C:\Users\user\Desktop, xrefs: 00405E3C

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3976562730
Opcode ID: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction ID: eba18341e72c17137544591cfc51a7e4cac6184970473274e9d14fc4341c5a90
Opcode Fuzzy Hash: 4d9a109f9f2e29ac56c0736ccbd4fa6bf3a04a93e1f4050107f2eb61dc35f761
Instruction Fuzzy Hash: 29D0A7F3400A30DAC3127708EC00D9F77ACEF16700746443AE580A7165D7785D818AEC

Function 00405F76 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405F86
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405F9E
CharNextA.USER32(00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FAF
lstrlenA.KERNEL32(00000000,?,00000000,0040625B,00000000,[Rename],00000000,00000000,00000000,?,?,?,?), ref: 00405FB8

Memory Dump Source

Source File: 00000000.00000002.3730327161.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3730308677.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730345197.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000425000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730364224.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3730459254.000000000044C000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction ID: baa81b9806bcf2d0018ef5e19b9a589e3df5f1c452cb3fab7a363fd504aebd5e
Opcode Fuzzy Hash: 2e04212541fd7d2d0fc4f715182178ccf0de62a07a1c27cf83518a5c6c9cf375
Instruction Fuzzy Hash: 87F0C231105914EFCB029BA5CE00D9EBFA8EF15254B2100BAE840F7250D638DE019BA8

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\nss458C.tmp\System.dll

C:\Users\user\polaritets\Brugerudtalelsen30.Pan

C:\Users\user\polaritets\Cronstedtite.Blo187

C:\Users\user\polaritets\Observationsposters.tor

C:\Users\user\polaritets\drupes.ret

C:\Users\user\polaritets\quodlibetic.fes

C:\Users\user\polaritets\roere.hid

C:\Users\user\polaritets\socialmedicin.sej

C:\Users\user\polaritets\toader.txt

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Windows Analysis Report
D#U00dcZELT#U0130LD#U0130 S#U00d6ZLE#U015eME-pdf.bat.exe

Function 004034FC Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 464
stringfilecomCOMMON

Function 004056E5 Relevance: 65.0, APIs: 36, Strings: 1, Instructions: 284
windowclipboardmemoryCOMMON

Function 00405C2D Relevance: 17.6, APIs: 7, Strings: 3, Instructions: 148
filestringCOMMON

Function 00403FA1 Relevance: 51.4, APIs: 34, Instructions: 357
windowstringCOMMON

Function 00403BF3 Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00403082 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 0040655E Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 204
stringCOMMON

Function 00401774 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 145
stringtimeCOMMON

Function 004055A6 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 72
stringwindowCOMMON

Function 004026F1 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 153
fileCOMMON

Function 004032B9 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 155
COMMON

Function 004068A5 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 36
libraryCOMMON

Function 00402EAE Relevance: 7.6, APIs: 5, Instructions: 84
registryCOMMON

Function 701C1817 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00406040 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 37
COMMON