Source: -pdf.bat.exe |
ReversingLabs: Detection: 36% |
Source: -pdf.bat.exe |
Virustotal: Detection: 57% |
Perma Link |
Source: Submited Sample |
Integrated Neural Analysis Model: Matched 98.9% probability |
Source: -pdf.bat.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: -pdf.bat.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Code function: 0_2_0040682E GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
0_2_0040682E |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Code function: 0_2_004066E4 FindFirstFileW,FindClose, |
0_2_004066E4 |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Code function: 0_2_00402B75 FindFirstFileW, |
0_2_00402B75 |
Source: -pdf.bat.exe |
String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Code function: 0_2_00404C33 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard, |
0_2_00404C33 |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Process Stats: CPU usage > 49% |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Code function: 0_2_00403804 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, |
0_2_00403804 |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Code function: 0_2_00404521 |
0_2_00404521 |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Code function: 0_2_00407235 |
0_2_00407235 |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Code function: 0_2_70442351 |
0_2_70442351 |
Source: -pdf.bat.exe, 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmp |
Binary or memory string: OriginalFilenamesloffens.exeDVarFileInfo$ vs -pdf.bat.exe |
Source: -pdf.bat.exe |
Binary or memory string: OriginalFilenamesloffens.exeDVarFileInfo$ vs -pdf.bat.exe |
Source: -pdf.bat.exe |
Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE |
Source: classification engine |
Classification label: mal68.troj.evad.winEXE@1/7@0/0 |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Code function: 0_2_00403804 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, |
0_2_00403804 |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Code function: 0_2_00404188 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,EnableWindow, |
0_2_00404188 |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Code function: 0_2_0040234F CoCreateInstance, |
0_2_0040234F |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
File created: C:\Users\user\AppData\Local\Anvilled |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
File created: C:\Users\user~1\AppData\Local\Temp\nslF5A9.tmp |
Jump to behavior |
Source: -pdf.bat.exe |
Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
File read: C:\Users\desktop.ini |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Jump to behavior |
Source: -pdf.bat.exe |
ReversingLabs: Detection: 36% |
Source: -pdf.bat.exe |
Virustotal: Detection: 57% |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
File read: C:\Users\user\Desktop\-pdf.bat.exe |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: uxtheme.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: userenv.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: apphelp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: propsys.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: dwmapi.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: cryptbase.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: oleacc.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: ntmarta.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: version.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: shfolder.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: kernel.appcore.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: windows.storage.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: wldp.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: riched20.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: usp10.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: msls31.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: textshaping.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: textinputframework.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: coreuicomponents.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: coremessaging.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Section loaded: wintypes.dll |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Jump to behavior |
Source: -pdf.bat.exe |
Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE |
Source: Yara match |
File source: 00000000.00000002.3780975442.00000000054C5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Code function: 0_2_70442351 GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, |
0_2_70442351 |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
File created: C:\Users\user\AppData\Local\Temp\nsk89.tmp\System.dll |
Jump to dropped file |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
RDTSC instruction interceptor: First address: 58016BE second address: 58016BE instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F5F6C51E543h 0x00000006 cmp ah, 00000006h 0x00000009 inc ebp 0x0000000a test bl, bl 0x0000000c inc ebx 0x0000000d test bh, bh 0x0000000f rdtsc |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsk89.tmp\System.dll |
Jump to dropped file |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Evaded block: after key decision |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Code function: 0_2_0040682E GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose, |
0_2_0040682E |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Code function: 0_2_004066E4 FindFirstFileW,FindClose, |
0_2_004066E4 |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Code function: 0_2_00402B75 FindFirstFileW, |
0_2_00402B75 |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
API call chain: ExitProcess graph end node |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Code function: 0_2_70442351 GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW, |
0_2_70442351 |
Source: C:\Users\user\Desktop\-pdf.bat.exe |
Code function: 0_2_00403804 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx, |
0_2_00403804 |