Edit tour

Windows Analysis Report
-pdf.bat.exe

Overview

General Information

Sample name:	-pdf.bat.exe renamed because original name is a hash value
Original sample name:	SZLEME ARTLARI (YEN SPAR SZLEMES)-pdf.bat.exe
Analysis ID:	1525544
MD5:	c8c2fa1b682b0bca8ed9de83455e8977
SHA1:	ff96ea1f052d0e7745a4fe30bacb8362ea57ba2c
SHA256:	4af23250a740fc8e855879c8f0492b8be3613ef015db4347d14885f57e25ee93
Tags:	batexegeoGuLoaderTURuser-abuse_ch
Infos:

Detection

GuLoader

Score:	68
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

Yara detected GuLoader

AI detected suspicious sample

Machine Learning detection for sample

Tries to detect virtualization through RDTSC time measurements

Abnormal high CPU Usage

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to shutdown / reboot the system

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found evaded block containing many API calls

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Classification

Process Tree

System is w10x64

-pdf.bat.exe (PID: 7644 cmdline: "C:\Users\user\Desktop\-pdf.bat.exe" MD5: C8C2FA1B682B0BCA8ED9DE83455E8977)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CloudEyE, GuLoader	CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.	No Attribution	http://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bluebottle-banks-targeted-africa https://0x00sec.org/t/analyzing-modern-malware-techniques-part-3/18943 https://any.run/cybersecurity-blog/deobfuscating-guloader/ https://asec.ahnlab.com/en/55978/ https://blog.checkpoint.com/security/march-2023s-most-wanted-malware-new-emotet-campaign-bypasses-microsoft-blocks-to-distribute-malicious-onenote-files/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye

Yara Signatures

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000002.3780975442.00000000054C5000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: -pdf.bat.exe	ReversingLabs: Detection: 36%
Source: -pdf.bat.exe	Virustotal: Detection: 57%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 98.9% probability

Machine Learning detection for sample

Source: -pdf.bat.exe

Joe Sandbox ML: detected

Source: -pdf.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: -pdf.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\-pdf.bat.exe	Code function: 0_2_0040682E GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040682E
Source: C:\Users\user\Desktop\-pdf.bat.exe	Code function: 0_2_004066E4 FindFirstFileW,FindClose,	0_2_004066E4
Source: C:\Users\user\Desktop\-pdf.bat.exe	Code function: 0_2_00402B75 FindFirstFileW,	0_2_00402B75

Source: -pdf.bat.exe

String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError

Source: C:\Users\user\Desktop\-pdf.bat.exe

Code function: 0_2_00404C33 GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,GetClientRect,GetSystemMetrics,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,ShowWindow,ShowWindow,GetDlgItem,SendMessageW,SendMessageW,SendMessageW,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,ShowWindow,ShowWindow,SendMessageW,CreatePopupMenu,AppendMenuW,GetWindowRect,TrackPopupMenu,SendMessageW,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageW,GlobalUnlock,SetClipboardData,CloseClipboard,

0_2_00404C33

Source: C:\Users\user\Desktop\-pdf.bat.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\-pdf.bat.exe

Code function: 0_2_00403804 EntryPoint,SetErrorMode,GetVersionExW,GetVersionExW,GetVersionExW,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,

0_2_00403804

Source: C:\Users\user\Desktop\-pdf.bat.exe	Code function: 0_2_00404521	0_2_00404521
Source: C:\Users\user\Desktop\-pdf.bat.exe	Code function: 0_2_00407235	0_2_00407235
Source: C:\Users\user\Desktop\-pdf.bat.exe	Code function: 0_2_70442351	0_2_70442351

Source: -pdf.bat.exe, 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesloffens.exeDVarFileInfo$ vs -pdf.bat.exe
Source: -pdf.bat.exe	Binary or memory string: OriginalFilenamesloffens.exeDVarFileInfo$ vs -pdf.bat.exe

Source: -pdf.bat.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal68.troj.evad.winEXE@1/7@0/0

Source: C:\Users\user\Desktop\-pdf.bat.exe

0_2_00403804

Source: C:\Users\user\Desktop\-pdf.bat.exe

Code function: 0_2_00404188 GetDlgItem,SetWindowTextW,SHBrowseForFolderW,CoTaskMemFree,lstrcmpiW,lstrcatW,SetDlgItemTextW,GetDiskFreeSpaceW,MulDiv,SetDlgItemTextW,EnableWindow,

0_2_00404188

Source: C:\Users\user\Desktop\-pdf.bat.exe

Code function: 0_2_0040234F CoCreateInstance,

0_2_0040234F

Source: C:\Users\user\Desktop\-pdf.bat.exe

File created: C:\Users\user\AppData\Local\Anvilled

Jump to behavior

Source: C:\Users\user\Desktop\-pdf.bat.exe

File created: C:\Users\user~1\AppData\Local\Temp\nslF5A9.tmp

Jump to behavior

Source: -pdf.bat.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\-pdf.bat.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\-pdf.bat.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: -pdf.bat.exe	ReversingLabs: Detection: 36%
Source: -pdf.bat.exe	Virustotal: Detection: 57%

Source: C:\Users\user\Desktop\-pdf.bat.exe

File read: C:\Users\user\Desktop\-pdf.bat.exe

Jump to behavior

Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: shfolder.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: riched20.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: usp10.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\-pdf.bat.exe	Section loaded: wintypes.dll	Jump to behavior

Source: C:\Users\user\Desktop\-pdf.bat.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: -pdf.bat.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Data Obfuscation

Yara detected GuLoader

Source: Yara match

File source: 00000000.00000002.3780975442.00000000054C5000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\-pdf.bat.exe

Code function: 0_2_70442351 GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_70442351

Source: C:\Users\user\Desktop\-pdf.bat.exe

File created: C:\Users\user\AppData\Local\Temp\nsk89.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\-pdf.bat.exe

Process information set: NOOPENFILEERRORBOX

Jump to behavior

Malware Analysis System Evasion

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\-pdf.bat.exe

RDTSC instruction interceptor: First address: 58016BE second address: 58016BE instructions: 0x00000000 rdtsc 0x00000002 cmp ebx, ecx 0x00000004 jc 00007F5F6C51E543h 0x00000006 cmp ah, 00000006h 0x00000009 inc ebp 0x0000000a test bl, bl 0x0000000c inc ebx 0x0000000d test bh, bh 0x0000000f rdtsc

Source: C:\Users\user\Desktop\-pdf.bat.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsk89.tmp\System.dll

Jump to dropped file

Source: C:\Users\user\Desktop\-pdf.bat.exe

Evaded block: after key decision

graph_0-4428

Source: C:\Users\user\Desktop\-pdf.bat.exe	Code function: 0_2_0040682E GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,	0_2_0040682E
Source: C:\Users\user\Desktop\-pdf.bat.exe	Code function: 0_2_004066E4 FindFirstFileW,FindClose,	0_2_004066E4
Source: C:\Users\user\Desktop\-pdf.bat.exe	Code function: 0_2_00402B75 FindFirstFileW,	0_2_00402B75

Source: C:\Users\user\Desktop\-pdf.bat.exe

API call chain: ExitProcess graph end node

graph_0-4319

Source: C:\Users\user\Desktop\-pdf.bat.exe

Code function: 0_2_70442351 GlobalFree,GlobalAlloc,lstrcpyW,lstrcpyW,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GlobalFree,GetModuleHandleW,LoadLibraryW,GetProcAddress,lstrlenW,

0_2_70442351

Source: C:\Users\user\Desktop\-pdf.bat.exe

0_2_00403804

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Native API	1 DLL Side-Loading	1 Access Token Manipulation	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	1 System Shutdown/Reboot
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Access Token Manipulation	LSASS Memory	2 File and Directory Discovery	Remote Desktop Protocol	1 Clipboard Data	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	1 DLL Side-Loading	Security Account Manager	13 System Information Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
-pdf.bat.exe	37%	ReversingLabs	Win32.Trojan.Guloader
-pdf.bat.exe	58%	Virustotal		Browse
-pdf.bat.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\nsk89.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\nsk89.tmp\System.dll	1%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
s-part-0017.t-0009.fb-t-msedge.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://nsis.sf.net/NSIS_ErrorError	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.fb-t-msedge.net	13.107.253.45	true	false	0%, Virustotal, Browse	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nsis.sf.net/NSIS_ErrorError	-pdf.bat.exe	false	URL Reputation: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1525544
Start date and time:	2024-10-04 11:20:08 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 34s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	7
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	-pdf.bat.exe renamed because original name is a hash value
Original Sample Name:	SZLEME ARTLARI (YEN SPAR SZLEMES)-pdf.bat.exe
Detection:	MAL
Classification:	mal68.troj.evad.winEXE@1/7@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 100% Number of executed functions: 38 Number of non-executed functions: 32
Cookbook Comments:	Found application associated with file extension: .exe Override analysis time to 240s for sample files taking high CPU consumption

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe
Excluded domains from analysis (whitelisted): azurefd-t-fb-prod.trafficmanager.net, slscr.update.microsoft.com, otelrules.azureedge.net, otelrules.afd.azureedge.net, 4.8.2.0.0.0.0.0.0.0.0.0.0.0.0.0.2.0.0.0.2.0.c.0.0.3.0.1.3.0.6.2.ip6.arpa, ctldl.windowsupdate.com, azureedge-t-prod.trafficmanager.net, time.windows.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s-part-0017.t-0009.fb-t-msedge.net	https://wvr4dgzxxavl6jjpq7rl.igortsaplin.pro/WFzFCiNx	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	http://bernas-medical-com.powerappsportals.com	Get hash	malicious	Unknown	Browse	13.107.253.45
	Notaire-document.html	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://technopro-bg.com/redirect.php?action=url&goto=mairie-espondeilhan.com&osCsid=m24rb0l158b8m36rktotvg5ti2	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	Axactor Microsoft - Introduksjonsm#U00f8te.msg	Get hash	malicious	EvilProxy	Browse	13.107.253.45
	Axactor Microsoft - Introduksjonsm#U00f8te.msg	Get hash	malicious	EvilProxy	Browse	13.107.253.45
	ELECTRONIC RECEIPT_Opcsa.html	Get hash	malicious	EvilProxy, HTMLPhisher	Browse	13.107.253.45
	Message_2477367.eml	Get hash	malicious	Unknown	Browse	13.107.253.45
	https://docs.zoom.us/doc/qMqlDrh-RUWwdmI-mAClTg	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45
	SCAN_Client_No_XP9739270128398468932393.pdf	Get hash	malicious	HTMLPhisher	Browse	13.107.253.45

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\nsk89.tmp\System.dll	#U0421#U041f#U041e#U0420#U0410#U0417#U0423#U041c#U0415#U041d#U0418#U0415-pdf.bat.exe	Get hash	malicious	GuLoader	Browse
	#U0421#U041f#U041e#U0420#U0410#U0417#U0423#U041c#U0415#U041d#U0418#U0415-pdf.bat.exe	Get hash	malicious	GuLoader	Browse
	-pdf.bat.exe	Get hash	malicious	FormBook	Browse
	TERMENII CONTRACTULUI (ACORD NOU#U0102 COMAND#U0102)-pdf.bat.exe	Get hash	malicious	FormBook, GuLoader	Browse
	TERMENII CONTRACTULUI (ACORD NOU#U0102 COMAND#U0102)-pdf.bat.exe	Get hash	malicious	GuLoader	Browse
	-pdf.bat.exe	Get hash	malicious	Unknown	Browse
	f5#U06f6.vbs	Get hash	malicious	FormBook, GuLoader	Browse
	f5#U06f6.vbs	Get hash	malicious	GuLoader	Browse
	Solicitud de Cotizaci#U00f3n #U2013 Cat#U00e1logo de Muestras2024.vbs	Get hash	malicious	FormBook, GuLoader	Browse
	Solicitud de Cotizaci#U00f3n #U2013 Cat#U00e1logo de Muestras2024.vbs	Get hash	malicious	GuLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Anvilled\Baadehavnes.Ugo

Download File

Process:	C:\Users\user\Desktop\-pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	153292
Entropy (8bit):	4.599221882863509
Encrypted:	false
SSDEEP:	3072:auH/EMGAIZ02UvVMGQHl0HrpFkCd3/z9M:JHwAIqV4F0HdFk4y
MD5:	D23AF20EF332C55E7E223CFA1FD94252
SHA1:	04E86DCED7945775523BAB1D639B92334CFA327B
SHA-256:	B9C3EDB15E270673ACA6A848033052CD34EBFF7AB54A74ADBAC6C6FC4D8D79A8
SHA-512:	C2CC54BEB5243E62ED5A3FCE30FC624E371B1808C04DCFE96059BC21B4EA2CE3E66A1C6DB402930517704BDA5D2D6D990D5DE6C8028585576791E537E3FEB7F8
Malicious:	false
Reputation:	low
Preview:	.....,......d.........##...k....???...................MM.......::.x............%.V...P...NN.GGGGG.........cccc...pp...........LL............................................f.........................;.W.\....>>......1...ZZ................[........EEEEEEE.........PP..........^......n....((.k......UUU.3.m............=====.......22...{......0..............MMM....,.......2..Z..........QQ....."....................$..,,.........sss....r..~..............m.........).....)).....I.p.........H.v........................6666.__.QQ.......Q............HHH..................5....QQ......TT.B........{{{{.........JJJ........77....................ddd.y..a...,,,,...............//................................D.....~.........,,,.!................kkkkkk.......T.,,,,........C................_.^^^^.-....................RR......v.....!........r....................ww.....Z.........................8.....0.........7......ppp.......%........c......___...........E.g......$$.................................y........

C:\Users\user\AppData\Local\Anvilled\Martyrizations.Sim

Download File

Process:	C:\Users\user\Desktop\-pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	355536
Entropy (8bit):	7.653699193742095
Encrypted:	false
SSDEEP:	6144:UL2HS/TAnZUvR3jz2Fwo5jCBVy7b4tqdG8lI08e9N1lr9ITNdfOHNkX0KVSb:UL2HS/q6vR33A5mzy7bpG6l2TNdfO+Hq
MD5:	9632912516372EEEF829ABBF8D80B755
SHA1:	BD16F3F0049BCD88AFB2582EFDD0DD647E4C11F6
SHA-256:	A4D0A3F7CA09F1D74AB0E5A3A1CB9B4AAC80B482C46EDABAFD9F9873F95A3990
SHA-512:	BCEE99E04CCE817F0D97F8B304838C594704A0D675D34059E773A1D4F5B2FF938ECCC7EEF51E42AF06BA1B759C1AB6C4E9D3FEE493A980B2D74025FD58EBD98E
Malicious:	false
Reputation:	low
Preview:	......SSS...................................................................^^..........[[..............................pp................r....FFFF........FF...........\......44.i.....>..L.......[[.........<<.aa.....(((.LLL..........................1........f.d....X.b...^.f...H...6}"w2F..`.......DT...<lS.1........3.O3......n.'gc...$oK..........V.JC.s.......m.R.......!.Q..W.I..5>.A\.P....+...x....#.u....%.....6M..e..L;.)..-W......h.!.].z_\|i..?dk...../N..=%( 8..4.......o..2..T#0.....E.rB.Y.76..~..p.j.9u:..j[.{...GL..._...f..........1..&.vyq.@.A.Z.at.X.b...^.f...H...6}"w2F..`......g..f.u.....2...DT...<lS.1..O3......n.'gc...$oK..........V.J!......%.s.......m.R+.Q..W.I..5>.A\.P....+....f.c.f....<.x....#.u..M..e..L;.)..-W......h.!.].z_\|i..?dk...../N..=%(..{.T?.......8..4...T#0.....E.rB.Y.76..~..p.f.....f....-.9u:..j[.{...GL..._......&.vyq.@.A.Z.at.X.b ..w...G..^.f...H...6}"w2F..`.......DT...<lS.1..O3......n.'gc...$oK..........E2........!..V.JC.s.......m.R+.Q.

C:\Users\user\AppData\Local\Anvilled\Opsamlingsbeholdere119.bes

Download File

Process:	C:\Users\user\Desktop\-pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	415743
Entropy (8bit):	1.2524422116890421
Encrypted:	false
SSDEEP:	768:r1/VRVN7GaY97mbexftA4Z+RRCLDHuPxfARLhzR+9wBhtOxALX5Wa/5X6dJddvt2:LMxA4/Lf6dHgeGxN37ruZwuLi+OLj
MD5:	A6B0286190FF25673A5BBCCA3E635E17
SHA1:	B50D863E08054654434EEEAD618AE36D66F5AD59
SHA-256:	2587546927274A33BE48C542AD1B98E07DF0C2A8503AFBC1F260EBEC1CB13EDE
SHA-512:	1F9C0F6CD3BE6F79168BBD9B07931181CAE135D144DA4E569191E42BF66C5AF0BE49C894E1608A4C45C3BE38DFD47EB912CBA4DADB660A688474B1A3F2ACC72E
Malicious:	false
Reputation:	low
Preview:	.........................................................................................................................................F....................i..........C...................................................X.............................................................._.................0...........(...............................S...............................?.............(................Z..............................."....................................................B...................;...........................................................................................................(..e...........A.........................................@............................f...............................................h.F............Q......................................................................W...............r..................D..D......4............................................................................U..........J....................._..

C:\Users\user\AppData\Local\Anvilled\ammunitionsfabrikken.txt

Download File

Process:	C:\Users\user\Desktop\-pdf.bat.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	624
Entropy (8bit):	4.25510206166015
Encrypted:	false
SSDEEP:	12:jXkvaDziGwRUF27KIqXVskejAECJX7lIHLGsvxAtbH1PIwp5Ayq1Bglj4UriJxMJ:jErRUWOjEM7lYLj5AtbB1Bq1U8hJxMJ
MD5:	87F4B14CCA6F39D1C934F93B13234749
SHA1:	9FCDD0EAD74EE185F49409E0FFE86B1925CC6F77
SHA-256:	E619E25D31210DED72B4DBAE631948D4335AEAE318148E864421457EF0F4ACE9
SHA-512:	13DB40313FEF1FDEB1D517E0664B7766328DD7DC7244741FF6B6EAE62C6D0BA5EE458E058375C466C9CB6062E0D7DCC3EC3F57310604A7372F79839ACAFE9471
Malicious:	false
Reputation:	low
Preview:	dambrttets talentlseres hytteholds indtgtstabets udsondringernes wimp panickiness.perknite equibiradiate silverleaves abolitionising apotheosise serphidae eksempellses rochester fllesfagslreren..forvindet diligence staring anklagerne facades udgrftning klausulelimineringens.synchytrium listiges solsortredens sitarists encyclopedize femogfyrre sphagnummen pervertible pantomorphic polyprotic restress unwesternised udbudsmaterialets..canepin flipperen biogas trenchcoaters populreres abnormalise gult boks fejlsgningernes skakbrikken petromyzon knirkeriers rubiate..digteren adephagia laantagerens mariposite trop octylene,

C:\Users\user\AppData\Local\Anvilled\teleph.all

Download File

Process:	C:\Users\user\Desktop\-pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	315351
Entropy (8bit):	1.2455738850105664
Encrypted:	false
SSDEEP:	768:kFtpdTjsz/zhmhiCGrJI7rqVQuEB7QCGqvL2f0SQ1E2IC67MpqrchPadg+nlwAGP:mPGDDdQxvn1Xmrizhj8H3hE3MA
MD5:	6957AC2FFFF57F658F70A8608C653D42
SHA1:	A6764FE4F4FCDD48C73CB23CCCA9CE19E2845935
SHA-256:	480D36CF0DE68BEAE5F1ED80A81AEE327BBA323C7B01A478E5D41BF429041F02
SHA-512:	0B2575BDBB7DE38A6D5C2D1D5C8641EC7A65F9F05E2DA8CFAD8F09CE47C31EEEA70C891A8A42A4842F27215DEDDB69357DE9293D57C5ECFB19CC6007B1042505
Malicious:	false
Reputation:	low
Preview:	.................^......... ..............`............3].......................................................C......................................................................o......i..............................B.......c.F....=T..'..........................................U.....m..............*...................K............?................................................................{...............................................j...L.....................................................2x...........................?a.............G.............<.............................................................................".......:............................1......$......+......................R.......................................[.................i............S..../...........................A............................................n................................@....?..................].......2.............................a....................................

C:\Users\user\AppData\Local\Temp\nsbF5BA.tmp

Download File

Process:	C:\Users\user\Desktop\-pdf.bat.exe
File Type:	data
Category:	dropped
Size (bytes):	1261154
Entropy (8bit):	3.9929201101659686
Encrypted:	false
SSDEEP:	12288:JL2HS/q6vR33A5mzy7bpG6l2TNdfO+H43XREQABQtA:JL2HS/q6vR33GBpBudfO+H4REqA
MD5:	4D77A418A8F9BFDCDBD2B26F15848997
SHA1:	AF869D4286FA53A89970DF3156A751CF49CB3900
SHA-256:	394529DBCFA73228F23C44F66C7145984D7A05F9EED3355C9631E90C1F1ED39E
SHA-512:	B49E73977D05796EE21671644BC0739EFABC03F328C8AFA0659EDF588207EF5687A70F18D374A5576790E9CBFB32E5F71B462CD4BAA49E624100DB41E9C00755
Malicious:	false
Reputation:	low
Preview:	d ......,...................o...................d ............................................................/.............................................................................................................................................................................G...J...............j...........................................................................................................................................E...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\nsk89.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\-pdf.bat.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	modified
Size (bytes):	12288
Entropy (8bit):	5.9764977667479
Encrypted:	false
SSDEEP:	192:CVA1YOTDExj7EFrYCT4E8y3hoSdtTgwF43E7QbGPXI9uIc6w79Mw:CrR7SrtTv53tdtTgwF4SQbGPX36wJMw
MD5:	D968CB2B98B83C03A9F02DD9B8DF97DC
SHA1:	D784C9B7A92DCE58A5038BEB62A48FF509E166A0
SHA-256:	A4EC98011EF99E595912718C1A1BF1AA67BFC2192575729D42F559D01F67B95C
SHA-512:	2EE41DC68F329A1519A8073ECE7D746C9F3BF45D8EF3B915DEB376AF37E26074134AF5F83C8AF0FE0AB227F0D1ACCA9F37E5CA7AE37C46C3BCC0331FE5E2B97E
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 1%, Browse
Joe Sandbox View:	Filename: #U0421#U041f#U041e#U0420#U0410#U0417#U0423#U041c#U0415#U041d#U0418#U0415-pdf.bat.exe, Detection: malicious, Browse Filename: #U0421#U041f#U041e#U0420#U0410#U0417#U0423#U041c#U0415#U041d#U0418#U0415-pdf.bat.exe, Detection: malicious, Browse Filename: -pdf.bat.exe, Detection: malicious, Browse Filename: TERMENII CONTRACTULUI (ACORD NOU#U0102 COMAND#U0102)-pdf.bat.exe, Detection: malicious, Browse Filename: TERMENII CONTRACTULUI (ACORD NOU#U0102 COMAND#U0102)-pdf.bat.exe, Detection: malicious, Browse Filename: -pdf.bat.exe, Detection: malicious, Browse Filename: f5#U06f6.vbs, Detection: malicious, Browse Filename: f5#U06f6.vbs, Detection: malicious, Browse Filename: Solicitud de Cotizaci#U00f3n #U2013 Cat#U00e1logo de Muestras2024.vbs, Detection: malicious, Browse Filename: Solicitud de Cotizaci#U00f3n #U2013 Cat#U00e1logo de Muestras2024.vbs, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......7@t.s!..s!..s!..!T..t!..8Y..t!..s!..g!...T..w!...T..r!...T..r!...T..r!..Richs!..........................PE..L....c.........."!.....$..........J........@...............................p............@..........................@.......A..P............................`.......................................................@..X............................text...{".......$.................. ..`.rdata.......@.......(..............@..@.data...D....P.......,..............@....reloc.......`......................@..B........................................................................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	7.064447166020408
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	-pdf.bat.exe
File size:	915'912 bytes
MD5:	c8c2fa1b682b0bca8ed9de83455e8977
SHA1:	ff96ea1f052d0e7745a4fe30bacb8362ea57ba2c
SHA256:	4af23250a740fc8e855879c8f0492b8be3613ef015db4347d14885f57e25ee93
SHA512:	d692404d369b4755e760599a50078f0240dd3a5af2af5953ad86d00eaa788c812bed59b22f19c1251bdd192a8d81a10c4d10ec9cc6a15b1e7a44bfb51c20c258
SSDEEP:	24576:ZFZsHTO9u9XKhrmod1RYTy7OQJs+45oi4:Z3n9i61RYeiQJBGf4
TLSH:	1315DF0BACD4CADECA2CB1F2D937C8301D256D6998B0475E6974B6847076B97ED0F82C
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3.;!wuUrwuUrwuUr<.QsuuUr<.SsvuUr<.TsxuUrwuTr.uUr..Qs\|uUr...rvuUr..WsvuUrRichwuUr........................PE..L...*..c...........

File Icon


Icon Hash:	070911614d3d3117

Static PE Info

General

Entrypoint:	0x403804
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x63A18D2A [Tue Dec 20 10:23:38 2022 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	84062c623770f0d888e4ca58451aa7ad

Entrypoint Preview

Instruction
sub esp, 000003F0h
push ebx
push ebp
push esi
push edi
xor ebx, ebx
mov edi, 004084F8h
push 00008001h
mov ebp, ebx
mov dword ptr [esp+14h], ebx
call dword ptr [004080B8h]
mov esi, dword ptr [004080A8h]
lea eax, dword ptr [esp+30h]
xorps xmm0, xmm0
mov dword ptr [esp+44h], ebx
push eax
movlpd qword ptr [esp+00000148h], xmm0
mov dword ptr [esp+34h], 0000011Ch
call esi
test eax, eax
jne 00007F5F6C8B6109h
lea eax, dword ptr [esp+30h]
mov dword ptr [esp+30h], 00000114h
push eax
call esi
push 00000053h
pop eax
mov dl, 04h
mov byte ptr [esp+0000014Ah], dl
cmp word ptr [esp+44h], ax
jne 00007F5F6C8B60E3h
mov eax, dword ptr [esp+5Eh]
add eax, FFFFFFD0h
mov word ptr [esp+00000144h], ax
jmp 00007F5F6C8B60DDh
xor eax, eax
jmp 00007F5F6C8B60C4h
mov dl, byte ptr [esp+0000014Ah]
cmp dword ptr [esp+34h], 0Ah
jnc 00007F5F6C8B60DDh
movzx eax, word ptr [esp+3Ch]
mov dword ptr [esp+3Ch], eax
jmp 00007F5F6C8B60D6h
mov eax, dword ptr [esp+3Ch]
mov dword ptr [00429E38h], eax
movzx eax, byte ptr [esp+34h]
shl ax, 0008h
movzx ecx, ax
movzx eax, byte ptr [esp+38h]
or ecx, eax
movzx eax, byte ptr [esp+00000144h]
shl ax, 0008h
shl ecx, 10h
movzx eax, word ptr [eax]

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x8a20	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4e000	0x5b2b0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x6dab	0x6e00	1138756712947cfad0fec340a9f6322a	False	0.6540127840909091	data	6.396661733193989	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x1894	0x1a00	f104cfd27821b85fded983903a163042	False	0.4299879807692308	data	4.867236374474069	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x1fe40	0x200	9a0317be14b12529a14c33f8334a2225	False	0.2265625	data	1.7566060613591612	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x2a000	0x24000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x4e000	0x5b2b0	0x5b400	43b3182ad5c6e9878a85fabd0388831e	False	0.3067208904109589	data	4.845999503948363	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x4e2f8	0x42028	Device independent bitmap graphic, 256 x 512 x 32, image size 270336	English	United States	0.28078305766784034
RT_ICON	0x90320	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 67584	English	United States	0.3406926534958003
RT_ICON	0xa0b48	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	English	United States	0.42973547472838924
RT_ICON	0xa4d70	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	English	United States	0.46763485477178424
RT_ICON	0xa7318	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	English	United States	0.5314258911819888
RT_ICON	0xa83c0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	English	United States	0.650709219858156
RT_DIALOG	0xa8828	0x100	data	English	United States	0.5234375
RT_DIALOG	0xa8928	0x11c	data	English	United States	0.6056338028169014
RT_DIALOG	0xa8a48	0xc4	data	English	United States	0.5918367346938775
RT_DIALOG	0xa8b10	0x60	data	English	United States	0.7291666666666666
RT_GROUP_ICON	0xa8b70	0x5a	data	English	United States	0.7555555555555555
RT_VERSION	0xa8bd0	0x2b0	data	English	United States	0.4883720930232558
RT_MANIFEST	0xa8e80	0x42e	XML 1.0 document, ASCII text, with very long lines (1070), with no line terminators	English	United States	0.5149532710280373

Imports

DLL	Import
ADVAPI32.dll	RegCloseKey, RegDeleteKeyW, RegDeleteValueW, RegEnumKeyW, RegEnumValueW, RegQueryValueExW, RegSetValueExW, OpenProcessToken, AdjustTokenPrivileges, LookupPrivilegeValueW, SetFileSecurityW, RegCreateKeyExW, RegOpenKeyExW
SHELL32.dll	SHFileOperationW, SHBrowseForFolderW, SHGetPathFromIDListW, SHGetFileInfoW, ShellExecuteExW
ole32.dll	OleInitialize, OleUninitialize, CoTaskMemFree, IIDFromString, CoCreateInstance
COMCTL32.dll	ImageList_Destroy, ImageList_AddMasked, ImageList_Create
USER32.dll	PeekMessageW, DispatchMessageW, wsprintfA, SystemParametersInfoW, SetClassLongW, GetWindowLongW, GetSysColor, ScreenToClient, SetCursor, GetWindowRect, TrackPopupMenu, AppendMenuW, EnableMenuItem, CreatePopupMenu, GetSystemMenu, GetSystemMetrics, IsWindowEnabled, EmptyClipboard, SetClipboardData, CloseClipboard, OpenClipboard, CheckDlgButton, EndDialog, DialogBoxParamW, IsWindowVisible, SetWindowPos, CreateWindowExW, GetClassInfoW, SetDlgItemTextW, CallWindowProcW, GetMessagePos, CharNextW, ExitWindowsEx, SetWindowTextW, SetTimer, CreateDialogParamW, DestroyWindow, LoadImageW, FindWindowExW, SetWindowLongW, InvalidateRect, ReleaseDC, GetDC, SetForegroundWindow, EnableWindow, GetDlgItem, ShowWindow, IsWindow, PostQuitMessage, SendMessageTimeoutW, SendMessageW, wsprintfW, FillRect, GetClientRect, EndPaint, BeginPaint, DrawTextW, DefWindowProcW, GetDlgItemTextW, CharNextA, CharPrevW, RegisterClassW, MessageBoxIndirectW, LoadCursorW
GDI32.dll	SetBkMode, CreateBrushIndirect, GetDeviceCaps, SelectObject, DeleteObject, SetBkColor, SetTextColor, CreateFontIndirectW
KERNEL32.dll	GetLastError, WaitForSingleObject, GetExitCodeProcess, RemoveDirectoryW, GetTempFileNameW, CreateDirectoryW, WideCharToMultiByte, lstrlenW, lstrcpynW, GlobalLock, GlobalUnlock, CreateThread, GetDiskFreeSpaceW, CopyFileW, GetVersionExW, GetWindowsDirectoryW, ExitProcess, GetCurrentProcess, SetErrorMode, CreateProcessW, SetEnvironmentVariableW, GetCommandLineW, GetModuleFileNameW, GetTickCount, GetFileSize, CreateFileW, MultiByteToWideChar, MoveFileW, WritePrivateProfileStringW, GetPrivateProfileStringW, lstrlenA, lstrcmpiW, lstrcmpW, MulDiv, GlobalFree, GlobalAlloc, LoadLibraryExW, GetModuleHandleW, FreeLibrary, Sleep, CloseHandle, SetFileTime, SetFilePointer, SetFileAttributesW, ReadFile, GetShortPathNameW, GetFullPathNameW, GetFileAttributesW, FindNextFileW, FindFirstFileW, FindClose, DeleteFileW, CompareFileTime, SearchPathW, SetCurrentDirectoryW, ExpandEnvironmentStringsW, WriteFile, MoveFileExW, GetSystemDirectoryW, GetModuleHandleA, GetProcAddress, lstrcmpiA, lstrcpyA, lstrcatW, GetTempPathW

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 4, 2024 11:21:55.835006952 CEST	53	50780	162.159.36.2	192.168.2.7
Oct 4, 2024 11:21:56.397016048 CEST	53	65120	1.1.1.1	192.168.2.7

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 4, 2024 11:21:08.973453999 CEST	1.1.1.1	192.168.2.7	0x6c6b	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	azurefd-t-fb-prod.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 4, 2024 11:21:08.973453999 CEST	1.1.1.1	192.168.2.7	0x6c6b	No error (0)	dual.s-part-0017.t-0009.fb-t-msedge.net	s-part-0017.t-0009.fb-t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 4, 2024 11:21:08.973453999 CEST	1.1.1.1	192.168.2.7	0x6c6b	No error (0)	s-part-0017.t-0009.fb-t-msedge.net		13.107.253.45	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	05:21:10
Start date:	04/10/2024
Path:	C:\Users\user\Desktop\-pdf.bat.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\-pdf.bat.exe"
Imagebase:	0x400000
File size:	915'912 bytes
MD5 hash:	C8C2FA1B682B0BCA8ED9DE83455E8977
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000000.00000002.3780975442.00000000054C5000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	21.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	19%
Total number of Nodes:	1582
Total number of Limit Nodes:	39

Executed Functions

Function 00403804 Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 416
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetErrorMode.KERNELBASE(00008001), ref: 00403820
GetVersionExW.KERNEL32 ref: 00403849
GetVersionExW.KERNEL32(?), ref: 0040385C
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 00403904
#17.COMCTL32(00000008,0000000A,0000000C), ref: 0040393E
OleInitialize.OLE32(00000000), ref: 00403945
SHGetFileInfoW.SHELL32(004085D4,00000000,?,000002B4,00000000), ref: 00403964
GetCommandLineW.KERNEL32(00428D40,NSIS Error), ref: 00403979
CharNextW.USER32(00000000,"C:\Users\user\Desktop\-pdf.bat.exe",?,"C:\Users\user\Desktop\-pdf.bat.exe",00000000), ref: 004039C5
GetTempPathW.KERNEL32(00000400,C:\Users\user~1\AppData\Local\Temp\), ref: 00403AC5
GetWindowsDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,000003FB), ref: 00403AD6
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 00403AE2
GetTempPathW.KERNEL32(000003FC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,\Temp), ref: 00403AF6
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,Low), ref: 00403AFE
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,Low), ref: 00403B0F
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user~1\AppData\Local\Temp\), ref: 00403B17
DeleteFileW.KERNELBASE(1033), ref: 00403B31

Part of subcall function 0040348F: GetTickCount.KERNEL32 ref: 004034A1
Part of subcall function 0040348F: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\-pdf.bat.exe,00000400), ref: 004034BD

OleUninitialize.OLE32(?), ref: 00403BBE
ExitProcess.KERNEL32 ref: 00403BD9
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\-pdf.bat.exe",00000000,?), ref: 00403BF0
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,00408624,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\-pdf.bat.exe",00000000,?), ref: 00403C03
lstrcatW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\-pdf.bat.exe",00000000,?), ref: 00403C12
lstrcmpiW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user~1\AppData\Local\Temp\,.tmp,C:\Users\user~1\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\-pdf.bat.exe",00000000,?), ref: 00403C21
SetCurrentDirectoryW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\), ref: 00403C45
DeleteFileW.KERNEL32(004209F0,004209F0,?,0042A000,?), ref: 00403C9C
CopyFileW.KERNEL32(C:\Users\user\Desktop\-pdf.bat.exe,004209F0,00000001), ref: 00403CAE
CloseHandle.KERNEL32(00000000,004209F0,004209F0,?,004209F0,00000000), ref: 00403CE7
GetCurrentProcess.KERNEL32(00000028,?), ref: 00403D1F
OpenProcessToken.ADVAPI32(00000000), ref: 00403D26
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403D3B
AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00403D5E
ExitWindowsEx.USER32(00000002,80040002), ref: 00403D83

Part of subcall function 0040670B: CharNextW.USER32(?,004039C4,"C:\Users\user\Desktop\-pdf.bat.exe",?,"C:\Users\user\Desktop\-pdf.bat.exe",00000000), ref: 00406721

Strings

TEMP, xrefs: 00403B0A
Error launching installer, xrefs: 00403B76
UXTHEME, xrefs: 004038F8, 004038FD, 00403903
TMP, xrefs: 00403B12
NSIS Error, xrefs: 0040396A
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00403810
\Temp, xrefs: 00403ADC
C:\Users\user\AppData\Local\Anvilled, xrefs: 00403B9D
C:\Users\user\Desktop\-pdf.bat.exe, xrefs: 00403CA9
.tmp, xrefs: 00403C08
SeShutdownPrivilege, xrefs: 00403D35
1033, xrefs: 00403B2C
Low, xrefs: 00403AF8
C:\Users\user\Desktop, xrefs: 00403C17, 00403C56
"C:\Users\user\Desktop\-pdf.bat.exe", xrefs: 00403980, 004039B6, 004039BE, 00403B4B, 00403B57
C:\Users\user\AppData\Local\Anvilled, xrefs: 00403AAA, 00403B92, 00403C4D, 00403C5B
~nsu, xrefs: 00403BE4
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403ABA, 00403ABF, 00403AD5, 00403AE1, 00403AF0, 00403AFD, 00403B09, 00403B11, 00403BE9, 00403BFE, 00403C0D, 00403C1C, 00403C2B, 00403C40, 00403CFE

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: Filelstrcat$Process$CharCurrentDeleteDirectoryEnvironmentExitNextPathTempTokenVariableVersionWindows$AdjustCloseCommandCopyCountErrorHandleInfoInitializeLineLookupModeModuleNameOpenPrivilegePrivilegesTickUninitializeValuelstrcmpilstrlen
String ID: "C:\Users\user\Desktop\-pdf.bat.exe"$.tmp$1033$C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\AppData\Local\Anvilled$C:\Users\user\AppData\Local\Anvilled$C:\Users\user\Desktop$C:\Users\user\Desktop\-pdf.bat.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 354787867-3180056700
Opcode ID: 0ecbbf3be232c534373af848fddc9e6d681202fbfdc88adff2eb4d376a06b390
Instruction ID: ea8d09071dbbbb8128f2a3040c0526679499edfae626c6519bb85817cf976ccd
Opcode Fuzzy Hash: 0ecbbf3be232c534373af848fddc9e6d681202fbfdc88adff2eb4d376a06b390
Instruction Fuzzy Hash: 8DD116716443116AD7207F619D46B3B7AACEF4874AF41443FF982B62D2DABC8E40872D

Function 00404C33 Relevance: 54.3, APIs: 36, Instructions: 295
windowclipboardmemoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetDlgItem.USER32(?,00000403), ref: 00404C94
GetDlgItem.USER32(?,000003EE), ref: 00404CA4
GetClientRect.USER32(00000000,?), ref: 00404CE1
GetSystemMetrics.USER32(00000002), ref: 00404CE9
SendMessageW.USER32(00000000,00001061,00000000,00000002), ref: 00404D0B
SendMessageW.USER32(00000000,00001036,00004000,00004000), ref: 00404D1A
SendMessageW.USER32(00000000,00001001,00000000,?), ref: 00404D28
SendMessageW.USER32(00000000,00001026,00000000,?), ref: 00404D32

Part of subcall function 00405FBD: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,?,?,?,?,00403466), ref: 0040618F

SendMessageW.USER32(00000000,00001024,00000000,?), ref: 00404D44
ShowWindow.USER32(00000000,?,0000001B,?), ref: 00404D68
ShowWindow.USER32(00000000,00000008), ref: 00404D7A
GetDlgItem.USER32(?,000003EC), ref: 00404D9C
SendMessageW.USER32(00000000,00000401,00000000,75300000), ref: 00404DB0
SendMessageW.USER32(00000000,00000409,00000000,?), ref: 00404DCB
SendMessageW.USER32(00000000,00002001,00000000,?), ref: 00404DD5
ShowWindow.USER32(00000000), ref: 00404E4A
ShowWindow.USER32(?,00000008), ref: 00404E4F
GetDlgItem.USER32(?,000003F8), ref: 00404CB4

Part of subcall function 00405606: SendMessageW.USER32(00000028,?,00000001,0040543B), ref: 00405614

GetDlgItem.USER32(?,000003EC), ref: 00404DF5
CreateThread.KERNELBASE(00000000,00000000,Function_00005967,00000000), ref: 00404E03
CloseHandle.KERNELBASE(00000000), ref: 00404E0A
ShowWindow.USER32(00000008), ref: 00404E85
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00404EC4
CreatePopupMenu.USER32 ref: 00404ED8
AppendMenuW.USER32(?,00000000,00000001,00000000), ref: 00404EF4
GetWindowRect.USER32(?,?), ref: 00404F12
TrackPopupMenu.USER32(?,00000180,?,?,00000000,?,00000000), ref: 00404F34
SendMessageW.USER32(?,00001073,00000000,?), ref: 00404F63
OpenClipboard.USER32(00000000), ref: 00404F73
EmptyClipboard.USER32 ref: 00404F79
GlobalAlloc.KERNEL32(00000042,00000000), ref: 00404F85
GlobalLock.KERNEL32(00000000), ref: 00404F92
SendMessageW.USER32(?,00001073,00000000,?), ref: 00404FAE
GlobalUnlock.KERNEL32(?), ref: 00404FD1
SetClipboardData.USER32(0000000D,?), ref: 00404FDC
CloseClipboard.USER32 ref: 00404FE2

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: MessageSend$Window$ItemShow$Clipboard$GlobalMenu$CloseCreatePopupRect$AllocAppendClientDataEmptyHandleLockMetricsOpenSystemThreadTrackUnlocklstrcat
String ID:
API String ID: 2901622961-0
Opcode ID: ea1a75e568242b9c33b2ed96f24b2eced80ea02c800ea097d1b7c8c4f431d408
Instruction ID: c1dd0ba4c6afa04db5033a3826b5e43042ec5fa9b8d6c5df5c2cdf9d5ac6668d
Opcode Fuzzy Hash: ea1a75e568242b9c33b2ed96f24b2eced80ea02c800ea097d1b7c8c4f431d408
Instruction Fuzzy Hash: 63A1B3B1644304ABD320AB65DD49F5B7FADFF88750F00093EF685A62E1CB789841CB69

Function 0040682E Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0040674D: lstrlenW.KERNEL32(00425A78,00000000,00425A78,00425A78,00000000,?,?,00406850,?,00000000,771B3420,00000000), ref: 004067A1
Part of subcall function 0040674D: GetFileAttributesW.KERNEL32(00425A78,00425A78), ref: 004067B2

DeleteFileW.KERNELBASE(?,?,00000000,771B3420,00000000), ref: 0040685A
lstrcatW.KERNEL32(00425278,\*.*,00425278,?,00000000,?,00000000,771B3420,00000000), ref: 004068AC
lstrcatW.KERNEL32(?,004082B0,?,00425278,?,00000000,?,00000000,771B3420,00000000), ref: 004068CD
lstrlenW.KERNEL32(?), ref: 004068D0
FindFirstFileW.KERNEL32(00425278,?), ref: 004068E7
FindNextFileW.KERNEL32(00000000,00000010,000000F2,?,?,?), ref: 00406978
FindClose.KERNEL32(00000000), ref: 0040698A

Strings

\*.*, xrefs: 004068A2

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: File$Find$lstrcatlstrlen$AttributesCloseDeleteFirstNext
String ID: \*.*
API String ID: 2636146433-1173974218
Opcode ID: 463e512100b669bbf7148d43155592073aa84a6e49227fc6e470d5d44a4eaa6f
Instruction ID: 1679f268d6f2e5967709a76d03bf4fa32a028c009496777b7310e2c01a678238
Opcode Fuzzy Hash: 463e512100b669bbf7148d43155592073aa84a6e49227fc6e470d5d44a4eaa6f
Instruction Fuzzy Hash: DD413871105711A9D320BB358D05A7B76A8DF41314F16093FF893B25D1EB3C8D6686BE

Function 004066E4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 14fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNELBASE(00000000,00427678,00000000,00406791,00425A78), ref: 004066EF
FindClose.KERNEL32(00000000), ref: 004066FB

Strings

xvB, xrefs: 004066E5

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: xvB
API String ID: 2295610775-1142169142
Opcode ID: d8979bb77e590fa5ef2a9612d96aa81559f91ada1dd450823ce235b6f1bcece9
Instruction ID: e316ebd25e92877113dce2226e0b75b13365ed97af6927094cd3affcf016b760
Opcode Fuzzy Hash: d8979bb77e590fa5ef2a9612d96aa81559f91ada1dd450823ce235b6f1bcece9
Instruction Fuzzy Hash: 17D0127150A1209BD2401778AE0C85B7A59AF153757524B36F0A6F21E0E7348C6286AC

Function 00405095 Relevance: 52.9, APIs: 35, Instructions: 374
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 004050D4
ShowWindow.USER32(?), ref: 004050FE
GetWindowLongW.USER32(?,000000F0), ref: 0040510F
ShowWindow.USER32(?,00000004), ref: 0040512B
GetDlgItem.USER32(?,00000001), ref: 00405252
GetDlgItem.USER32(?,00000002), ref: 0040525C
SetClassLongW.USER32(?,000000F2,?), ref: 00405276
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 004052C4
GetDlgItem.USER32(?,00000003), ref: 00405373
ShowWindow.USER32(00000000,?), ref: 0040539C
KiUserCallbackDispatcher.NTDLL(?,?), ref: 004053B0
KiUserCallbackDispatcher.NTDLL(?), ref: 004053C4
EnableWindow.USER32(?), ref: 004053DC
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 004053F3
EnableMenuItem.USER32(00000000), ref: 004053FA
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040540B
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 00405422
lstrlenW.KERNEL32(00421200,?,00421200,00000000), ref: 00405453

Part of subcall function 00405FBD: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,?,?,?,?,00403466), ref: 0040618F

SetWindowTextW.USER32(?,00421200), ref: 0040546B

Part of subcall function 00401399: MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
Part of subcall function 00401399: SendMessageW.USER32(?,00000402,00000000), ref: 00401409

DestroyWindow.USER32(?,00000000), ref: 004054B3
CreateDialogParamW.USER32(?,?,-00429D60), ref: 004054E7

Part of subcall function 0040561D: SetDlgItemTextW.USER32(?,?,00000000), ref: 00405637

GetDlgItem.USER32(?,000003FA), ref: 00405510
GetWindowRect.USER32(00000000), ref: 00405517
ScreenToClient.USER32(?,?), ref: 00405523
SetWindowPos.USER32(00000000,?,?,00000000,00000000,00000015), ref: 0040553C
ShowWindow.USER32(00000008,?,00000000), ref: 0040555B

Part of subcall function 004055EB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004055FD

ShowWindow.USER32(?,0000000A), ref: 004055A1

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: Window$Item$MessageSendShow$CallbackDispatcherEnableLongMenuTextUser$ClassClientCreateDestroyDialogParamRectScreenSystemlstrcatlstrlen
String ID:
API String ID: 162979904-0
Opcode ID: ba739dc4ba6d18f16267d183e3e068b8daf47d42d4500b1c76a39e8f7c61ad0f
Instruction ID: dde6768bf825ec23dd98222ce6025154883a759c232661181bb8438464b7c65b
Opcode Fuzzy Hash: ba739dc4ba6d18f16267d183e3e068b8daf47d42d4500b1c76a39e8f7c61ad0f
Instruction Fuzzy Hash: F2D1DD71601A10BBDB206F21ED48E2B7BA9FF58355F80493EF545B21E1CA388852DF6D

Function 00405B41 Relevance: 42.2, APIs: 13, Strings: 11, Instructions: 225
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 004069FB: GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,00403918,0000000C), ref: 00406A09
Part of subcall function 004069FB: GetProcAddress.KERNEL32(00000000), ref: 00406A25

lstrcatW.KERNEL32(1033,00421200,80000001,Control Panel\Desktop\ResourceLocale,00000000,00421200,00000000,00000002,00000000,771B3420,00000000,771B3170), ref: 00405BC4
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Anvilled,1033,00421200,80000001,Control Panel\Desktop\ResourceLocale,00000000,00421200,00000000,00000002,00000000), ref: 00405C48
lstrcmpiW.KERNEL32(-000000FC,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Local\Anvilled,1033,00421200,80000001,Control Panel\Desktop\ResourceLocale,00000000,00421200,00000000), ref: 00405C5D
GetFileAttributesW.KERNEL32(Call), ref: 00405C68
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Local\Anvilled), ref: 00405CB1

Part of subcall function 00406734: wsprintfW.USER32 ref: 00406741

RegisterClassW.USER32(00428CE0), ref: 00405CF6
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00405D0D
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00405D42
ShowWindow.USER32(00000005,00000000), ref: 00405D74
GetClassInfoW.USER32(00000000,RichEdit20W,00428CE0), ref: 00405D9F
GetClassInfoW.USER32(00000000,RichEdit,00428CE0), ref: 00405DAC
RegisterClassW.USER32(00428CE0), ref: 00405DB9
DialogBoxParamW.USER32(?,00000000,00405095,00000000), ref: 00405DD4

Strings

RichEd32, xrefs: 00405D88
.DEFAULT\Control Panel\International, xrefs: 00405BAF
Call, xrefs: 00405C09, 00405C12, 00405C23, 00405C77, 00405C7D
RichEdit, xrefs: 00405DA6
RichEdit20W, xrefs: 00405D99, 00405DAF
1033, xrefs: 00405B64, 00405B88, 00405BBF
RichEd20, xrefs: 00405D7A
C:\Users\user\AppData\Local\Anvilled, xrefs: 00405BD3, 00405BE5, 00405C84, 00405C8A, 00405C9A
_Nb, xrefs: 00405CD5, 00405D3C
Control Panel\Desktop\ResourceLocale, xrefs: 00405B81
.exe, xrefs: 00405C57

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: .DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Anvilled$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-2507647627
Opcode ID: edc898fe0945ce5741e5c6398a2f53b5c95347c49c29c129406737a47328b788
Instruction ID: a853d14af79947da6f9b2e8ec0e988c18d5098f7c5c81f72d75faaabc62159d3
Opcode Fuzzy Hash: edc898fe0945ce5741e5c6398a2f53b5c95347c49c29c129406737a47328b788
Instruction Fuzzy Hash: B461E570201605BEE620AB65EE46F2B366CEF14758F51403FF941B61E1DF7C59018EAD

Function 0040154A Relevance: 37.2, APIs: 17, Strings: 4, Instructions: 441
stringtimesleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

PostQuitMessage.USER32(00000000), ref: 004015F1
Sleep.KERNELBASE(00000001,?,00000000,00000000), ref: 00401628
SetForegroundWindow.USER32 ref: 00401634
ShowWindow.USER32(?,00000000,?,?,00000000,00000000), ref: 004016D3
ShowWindow.USER32(?,?,?,?,00000000,00000000), ref: 004016E8
SetFileAttributesW.KERNELBASE(00000000,?,000000F0,?,?,00000000,00000000), ref: 004016FB
GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,0000005C,00000000,000000F0,?,?,00000000,00000000), ref: 0040176A
SetCurrentDirectoryW.KERNELBASE(00000000,C:\Users\user\AppData\Local\Anvilled,00000000,000000E6,C:\Users\user~1\AppData\Local\Temp\nsk89.tmp\System.dll), ref: 004017A3
MoveFileW.KERNEL32(00000000,00000000), ref: 004017EE
GetFullPathNameW.KERNEL32(00000000,00000400,00000000,?,00000000,000000E3,C:\Users\user~1\AppData\Local\Temp\nsk89.tmp\System.dll,?,?,00000000,00000000), ref: 00401843
GetShortPathNameW.KERNEL32(00000000,00000000,00000400), ref: 00401890
SearchPathW.KERNEL32(00000000,00000000,00000000,00000400,00000000,?,000000FF,?,?,00000000,00000000), ref: 004018B0
lstrcatW.KERNEL32(00000000,00000000,Call,C:\Users\user\AppData\Local\Anvilled,00000000,00000000,00000031,00000000,00000000,000000EF,?,?,00000000,00000000), ref: 00401920
CompareFileTime.KERNEL32(-00000014,00000000,Call,Call,00000000,00000000,Call,C:\Users\user\AppData\Local\Anvilled,00000000,00000000,00000031,00000000,00000000,000000EF), ref: 00401948
SetFileTime.KERNELBASE(00000000,000000FF,00000000,000000FF,?,00000000,00000000,00000000,000000EA,00000000,Call,40000000,00000001,Call,00000000), ref: 00401A5A
CloseHandle.KERNELBASE(00000000), ref: 00401A61
lstrcatW.KERNEL32(Call,00000000,Call,000000E9), ref: 00401A82

Strings

C:\Users\user~1\AppData\Local\Temp\nsk89.tmp\System.dll, xrefs: 00401789, 004017F8, 00401823, 004019B1, 004019D2
C:\Users\user~1\AppData\Local\Temp\nsk89.tmp, xrefs: 00401998, 004019BB
Call, xrefs: 004018FC, 00401906, 00401913, 00401925, 00401933, 00401968, 0040197C, 004019A2, 004019EA, 00401A7A, 00401A81, 00401A8B, 00401A96
C:\Users\user\AppData\Local\Anvilled, xrefs: 00401798, 0040190E

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: File$PathWindow$AttributesNameShowTimelstrcat$CloseCompareCurrentDirectoryForegroundFullHandleMessageMovePostQuitSearchShortSleep
String ID: C:\Users\user~1\AppData\Local\Temp\nsk89.tmp$C:\Users\user~1\AppData\Local\Temp\nsk89.tmp\System.dll$C:\Users\user\AppData\Local\Anvilled$Call
API String ID: 3895412863-1593856006
Opcode ID: 68950bb1ebeb6225cd62330d136d113d7f3aaaaab8d8f59b6ae84e2e14c53e75
Instruction ID: a1785f87335a1d6f00f335b021900493bb5bdccd3db236d5a22e690d77315129
Opcode Fuzzy Hash: 68950bb1ebeb6225cd62330d136d113d7f3aaaaab8d8f59b6ae84e2e14c53e75
Instruction Fuzzy Hash: 89D1D871204301ABD710AF26CD85D2F76A8EF85758F110A3FF456B22E1DB7CD902966E

Function 0040348F Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 200
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 004034A1
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\-pdf.bat.exe,00000400), ref: 004034BD

Part of subcall function 00406A30: GetFileAttributesW.KERNELBASE(00000003,004034D0,C:\Users\user\Desktop\-pdf.bat.exe,80000000,00000003), ref: 00406A34
Part of subcall function 00406A30: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 00406A54

GetFileSize.KERNEL32(00000000,00000000,00438000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\-pdf.bat.exe,C:\Users\user\Desktop\-pdf.bat.exe,80000000,00000003), ref: 00403507
GlobalAlloc.KERNELBASE(00000040,?), ref: 00403655

Strings

Null, xrefs: 00403592
Error launching installer, xrefs: 004034DD
C:\Users\user\Desktop, xrefs: 004034E8, 004034ED, 004034F3
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 004036AC
soft, xrefs: 00403588
Error writing temporary file. Make sure your temp folder is valid., xrefs: 0040349C, 0040369D
Inst, xrefs: 0040357E
C:\Users\user\Desktop\-pdf.bat.exe, xrefs: 004034AC, 004034B6, 004034CA, 004034E7
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00403667

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: File$AllocAttributesCountCreateGlobalModuleNameSizeTick
String ID: C:\Users\user~1\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\-pdf.bat.exe$Error launching installer$Error writing temporary file. Make sure your temp folder is valid.$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft
API String ID: 2803837635-3011249260
Opcode ID: 599ca7be9194ffd7aba6a4343ff8315617eef4df89bd3b83fc00f7988b37868b
Instruction ID: 3b142060e7b9412fd979dc1fb42ba0df29582307c8f1f7093b8b137cbf00f437
Opcode Fuzzy Hash: 599ca7be9194ffd7aba6a4343ff8315617eef4df89bd3b83fc00f7988b37868b
Instruction Fuzzy Hash: 2D61F571640300ABD730AF24DD86B5A7BA8EB84715F100A3FF541B72E1CB3D9A458B5E

Function 00405E3D Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 76
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(00424230,C:\Users\user\Desktop,00000000,00000000), ref: 00405E6F
lstrlenW.KERNEL32(?,00424230,C:\Users\user\Desktop,00000000,00000000), ref: 00405E81
lstrcatW.KERNEL32(00424230,?,?,00424230,C:\Users\user\Desktop,00000000,00000000), ref: 00405E9C
SetWindowTextW.USER32(00424230,00424230), ref: 00405EB4
SendMessageW.USER32(?), ref: 00405EDB
SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405EF6
SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405F03

Part of subcall function 00405FBD: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,?,?,?,?,00403466), ref: 0040618F

Strings

0BB, xrefs: 00405EA3
C:\Users\user\Desktop, xrefs: 00405E57
0BB, xrefs: 00405EF9
0BB, xrefs: 00405E5A
0BB, xrefs: 00405E96

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: MessageSend$lstrcatlstrlen$TextWindow
String ID: 0BB$0BB$0BB$0BB$C:\Users\user\Desktop
API String ID: 1759915248-643024207
Opcode ID: 2475f87d803c5ef63a02e9ec05c0eb26efa1af4e36a7e4118f10b924440d8630
Instruction ID: 0ce1c44fb447bcfc908b7bbe79f9094619b51c0f52104d818297a9f3ba0da135
Opcode Fuzzy Hash: 2475f87d803c5ef63a02e9ec05c0eb26efa1af4e36a7e4118f10b924440d8630
Instruction Fuzzy Hash: FA21F532A056546BD310AF55DD40A5BFB9CEF94350F44043EF988A3291C7BC5D004AAE

Function 00405FBD Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 216
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004060E4

Part of subcall function 00406C2F: lstrcpynW.KERNEL32(?,?,00000400,00403979,00428D40,NSIS Error), ref: 00406C3C

Part of subcall function 00405FBD: SHGetPathFromIDListW.SHELL32(00000000,Call), ref: 00406156
Part of subcall function 00405FBD: CoTaskMemFree.OLE32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00403466,00000000), ref: 00406162

GetWindowsDirectoryW.KERNEL32(Call,00000400,00424230,?,?,?,?,C:\Users\user\Desktop,00000000,00000000), ref: 004060FA
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,?,?,?,?,00403466), ref: 0040618F
lstrlenW.KERNEL32(Call,00424230,?,?,?,?,C:\Users\user\Desktop,00000000,00000000), ref: 004061DF

Strings

Call, xrefs: 00405FDF, 004060AA, 004060CE, 004060E3, 004060F9, 00406122, 00406154, 0040618E, 004061A7, 004061BA, 004061C8, 004061D8, 004061DE, 00406205, 00406221
Software\Microsoft\Windows\CurrentVersion, xrefs: 004060AF
\Microsoft\Internet Explorer\Quick Launch, xrefs: 00406189
0BB, xrefs: 00406104, 00406125, 0040613F

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: Directory$FreeFromListPathSystemTaskWindowslstrcatlstrcpynlstrlen
String ID: 0BB$Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 698176107-1118408401
Opcode ID: c4305dca4c3c9a80663fe91b25f080845fb2b885571739180ef8a7dc8815ff10
Instruction ID: 652daa6bf86f9d3fc302909022c953cc0e89febb2bd57c9f500c2de9f400e0ee
Opcode Fuzzy Hash: c4305dca4c3c9a80663fe91b25f080845fb2b885571739180ef8a7dc8815ff10
Instruction Fuzzy Hash: 586105312042159BD710AF299C80A3B76A4AF99310F12443FF986FB2D1D63CC9268B6D

Function 0040291D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 166
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ReadFile.KERNELBASE(00000000,?,?,?), ref: 00402994
MultiByteToWideChar.KERNEL32(?,00000008,?,?,?,00000001), ref: 004029D4
SetFilePointer.KERNELBASE(?,?,?,00000001,?,00000008,?,?,?,00000001), ref: 00402A07
MultiByteToWideChar.KERNEL32(?,00000008,?,?,00000001,00000001,?,00000001,?,00000008,?,?,?,00000001), ref: 00402A1F
SetFilePointer.KERNEL32(?,?,?,00000001,00000000,?,00000002), ref: 00402ADC

Strings

9, xrefs: 00402975

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: File$ByteCharMultiPointerWide$Read
String ID: 9
API String ID: 1439708474-2366072709
Opcode ID: cbce69830b2ac27408b95c64c0cddadcdc42c8f250a6c4142035317a81010454
Instruction ID: eba2a45eeb10f73dc6eed4f84907f68d60de0f16478c8bc33572b7d083648977
Opcode Fuzzy Hash: cbce69830b2ac27408b95c64c0cddadcdc42c8f250a6c4142035317a81010454
Instruction Fuzzy Hash: 6A5149B1618301AFD724DF15CA44A2BB7E8BFD5304F00483FF981A62D0DBB9D9458B2A

Function 004062B3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004062CA
wsprintfW.USER32 ref: 00406306
LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040631A

Strings

\, xrefs: 004062DB
UXTHEME, xrefs: 004062C2
%s%S.dll, xrefs: 00406300

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: 714dfd95af2ce998ffd3f91a4f209d2bb5680a21a200567e99444b52dbb044f1
Instruction ID: 3c81b89deb225ca8298b9d33e2fe5aa7d3ba7ba3c7b224130f881f219ff7cca8
Opcode Fuzzy Hash: 714dfd95af2ce998ffd3f91a4f209d2bb5680a21a200567e99444b52dbb044f1
Instruction Fuzzy Hash: 35F0967150151457D710B764DE0DB9737A8AF00304F5044BEA546F21C0EBBCDA54C79C

Function 00406B6B Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTickCount.KERNEL32 ref: 00406B87
GetTempFileNameW.KERNELBASE(?,0073006E,00000000,?,?,?,00000000,00403DD7,1033,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403ACC), ref: 00406BA2

Strings

n, xrefs: 00406B79
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406B74
a, xrefs: 00406B80
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00406B70

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: C:\Users\user~1\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.$a$n
API String ID: 1716503409-3496289110
Opcode ID: 7d0d4397dd5f524cd1bb2981e1ab45d43d420a4297ed1305e9605d287a9de6af
Instruction ID: 03f97ff025160759833fd1c5b54d4c15cc798ac05920b73cd7f9cb615ebaa677
Opcode Fuzzy Hash: 7d0d4397dd5f524cd1bb2981e1ab45d43d420a4297ed1305e9605d287a9de6af
Instruction Fuzzy Hash: 63F0BEB2200218BBEB148F44DC09BDE777EEF90710F10807BE941AB180E6F06A5483A4

Function 0040225D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNELBASE(00000000,00000001,000000F0), ref: 0040228C

Part of subcall function 00405E3D: lstrlenW.KERNEL32(00424230,C:\Users\user\Desktop,00000000,00000000), ref: 00405E6F
Part of subcall function 00405E3D: lstrlenW.KERNEL32(?,00424230,C:\Users\user\Desktop,00000000,00000000), ref: 00405E81
Part of subcall function 00405E3D: lstrcatW.KERNEL32(00424230,?,?,00424230,C:\Users\user\Desktop,00000000,00000000), ref: 00405E9C
Part of subcall function 00405E3D: SetWindowTextW.USER32(00424230,00424230), ref: 00405EB4
Part of subcall function 00405E3D: SendMessageW.USER32(?), ref: 00405EDB
Part of subcall function 00405E3D: SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405EF6
Part of subcall function 00405E3D: SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405F03

LoadLibraryExW.KERNEL32(00000000,?,00000008,00000001,000000F0), ref: 004022A0
FreeLibrary.KERNEL32(00000000,00000000,000000F7,?,?,00000008,00000001,000000F0), ref: 0040232A

Strings

C:\Users\user~1\AppData\Local\Temp\nsk89.tmp\System.dll, xrefs: 004022CC, 00402335, 0040233E

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: MessageSend$Librarylstrlen$FreeHandleLoadModuleTextWindowlstrcat
String ID: C:\Users\user~1\AppData\Local\Temp\nsk89.tmp\System.dll
API String ID: 334405425-3506212881
Opcode ID: 47bf99d45f064d7ea273baa28ef99b1fd27508b9c52d70213c0230c50d8e9019
Instruction ID: 5ab2f9945def4c914915ed97a450473ade9320cc6c17bc2c10081fcd0c3c0cb4
Opcode Fuzzy Hash: 47bf99d45f064d7ea273baa28ef99b1fd27508b9c52d70213c0230c50d8e9019
Instruction Fuzzy Hash: F121FB32644301A7C7119F61CE49A3F7694AF94751F60053FF951712D0DBBC98129A9F

Function 00402656 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
registrystringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlenW.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsk89.tmp,00000023,?,00000011,00000002), ref: 004026C3
RegSetValueExW.KERNELBASE(?,?,?,?,C:\Users\user~1\AppData\Local\Temp\nsk89.tmp,?,?,00000011,00000002), ref: 00402710
RegCloseKey.ADVAPI32(?,?,?,C:\Users\user~1\AppData\Local\Temp\nsk89.tmp,?,?,00000011,00000002), ref: 0040271D

Strings

C:\Users\user~1\AppData\Local\Temp\nsk89.tmp, xrefs: 004026B2, 004026C2, 004026E0, 004026F3, 00402705

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: CloseValuelstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\nsk89.tmp
API String ID: 2655323295-46121652
Opcode ID: ade492d5df03a8d2c7ae578a81cf4fc1b43c494d79c722f1f7b613b4c58fbaf7
Instruction ID: af464e8318e7c5fbf483fadd1347ea1ff69f410dc300b2d4ce688db9f9141b9d
Opcode Fuzzy Hash: ade492d5df03a8d2c7ae578a81cf4fc1b43c494d79c722f1f7b613b4c58fbaf7
Instruction Fuzzy Hash: 0821F232604300ABD7119FA5CD45B2FBBE8EB98764F11483EF581F31C0C7B99905879A

Function 004069FB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(UXTHEME,Error writing temporary file. Make sure your temp folder is valid.,UXTHEME,00403918,0000000C), ref: 00406A09
GetProcAddress.KERNEL32(00000000), ref: 00406A25

Part of subcall function 004062B3: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004062CA
Part of subcall function 004062B3: wsprintfW.USER32 ref: 00406306
Part of subcall function 004062B3: LoadLibraryExW.KERNEL32(?,00000000,00000008), ref: 0040631A

Strings

UXTHEME, xrefs: 004069FB, 00406A08, 00406A13
Error writing temporary file. Make sure your temp folder is valid., xrefs: 004069FC

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID: Error writing temporary file. Make sure your temp folder is valid.$UXTHEME
API String ID: 2547128583-890815371
Opcode ID: 5444f8ec23be2c6a9b0b43c4d015ad41947603a44c70bf61a8aaf5f9aaa848d0
Instruction ID: fde045b120d4e9fbedc4602cc912674c940b6414d211d64326a364595d17484f
Opcode Fuzzy Hash: 5444f8ec23be2c6a9b0b43c4d015ad41947603a44c70bf61a8aaf5f9aaa848d0
Instruction Fuzzy Hash: 18D0C2322012159BC7007F22AE0888B771DEF96350705843AF541B2230D738C82289BD

Function 00405F41 Relevance: 6.0, APIs: 4, Instructions: 37COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(00000000,?), ref: 00405F82
GetLastError.KERNEL32 ref: 00405F8C
SetFileSecurityW.ADVAPI32(00000000,80000007,00000001), ref: 00405FA5
GetLastError.KERNEL32 ref: 00405FB3

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID:
API String ID: 3449924974-0
Opcode ID: 26aef2f2a74a45cd408aa394e611098260eee0f39c193ac8fe47435c93f2fc62
Instruction ID: 042ea5188ab4a242f45dae448e3eca013d4ac0ceece2a382c006faaf9ef1663f
Opcode Fuzzy Hash: 26aef2f2a74a45cd408aa394e611098260eee0f39c193ac8fe47435c93f2fc62
Instruction Fuzzy Hash: F1012C74D0060ADFEB008FA0DA04BAEBBB4FF04355F10443AE545F2290D77886488F99

Function 004032C7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,C:\Users\user\Desktop,?,00000000,004036F8,000000FF,00000000,00000000,?,?), ref: 004032EA

Strings

C:\Users\user\Desktop, xrefs: 004032CE

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: FilePointer
String ID: C:\Users\user\Desktop
API String ID: 973152223-3976562730
Opcode ID: e848af23392ef9212b537c313fa36c8933c56bd9746aa11a2b1857199a9f20aa
Instruction ID: 03ccdd90c03623ddb9a7e60c54f99ad42dbd580121bb72f8b918a97a4a7c42e8
Opcode Fuzzy Hash: e848af23392ef9212b537c313fa36c8933c56bd9746aa11a2b1857199a9f20aa
Instruction Fuzzy Hash: A631BF71600205AFDF109F5ADE80E9E3EACAB44755B00413EFE05F62A1DB38DE20DB69

Function 00405F21 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 12COMMON

Download Yara Rule

APIs

CreateDirectoryW.KERNELBASE(?,00000000,C:\Users\user~1\AppData\Local\Temp\,00403DCC,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403ACC), ref: 00405F29
GetLastError.KERNEL32 ref: 00405F33

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 00405F21

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 1375471231-2382934351
Opcode ID: ffc7d6197e1beb19ef1624df4ffa93a3437123ffd0222c56b7c883f1d5fa86bc
Instruction ID: 7225596eb2c355decc995a26192eac208658e83bd5f5fd8e1e75763a45e760bc
Opcode Fuzzy Hash: ffc7d6197e1beb19ef1624df4ffa93a3437123ffd0222c56b7c883f1d5fa86bc
Instruction Fuzzy Hash: E1C08C327005319BC3701B75BE0CA87BE98EF107A1303423AF988E2220DA308C00CBE8

Function 00406FBD Relevance: 5.2, APIs: 4, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57e40a78f00abd15777e94ecd5bdab5ad8d33f2a4d0ed0717479564f524859e3
Instruction ID: a17ac8480bdadea9300d7b84b1a57ef3aebf7c5664a30c8e763fb849d5045f8c
Opcode Fuzzy Hash: 57e40a78f00abd15777e94ecd5bdab5ad8d33f2a4d0ed0717479564f524859e3
Instruction Fuzzy Hash: D4913571A0C3908FD364CF29C480B6ABBE1AFC9344F10892EE59AD7390D774A905CB57

Function 7044167A Relevance: 4.6, APIs: 3, Instructions: 123COMMON

Download Yara Rule

APIs

Part of subcall function 70442351: GlobalFree.KERNEL32(?), ref: 70442A44
Part of subcall function 70442351: GlobalFree.KERNEL32(?), ref: 70442A4A
Part of subcall function 70442351: GlobalFree.KERNEL32(?), ref: 70442A50

GlobalFree.KERNEL32(00000000), ref: 70441738
FreeLibrary.KERNEL32(?), ref: 704417C3
GlobalFree.KERNEL32(00000000), ref: 704417E9

Part of subcall function 70441FCB: GlobalAlloc.KERNEL32(00000040,?), ref: 70441FFA

Part of subcall function 704417F7: GlobalAlloc.KERNEL32(00000040,00000000,?,?,00000000,?,?,70441708,00000000), ref: 7044189A

Part of subcall function 70441F1E: wsprintfW.USER32 ref: 70441F51

Memory Dump Source

Source File: 00000000.00000002.3782009729.0000000070441000.00000020.00000001.01000000.00000005.sdmp, Offset: 70440000, based on PE: true

Associated: 00000000.00000002.3781994438.0000000070440000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782022710.0000000070444000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782035449.0000000070446000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70440000_-pdf.jbxd

Similarity

API ID: Global$Free$Alloc$Librarywsprintf
String ID:
API String ID: 3962662361-0
Opcode ID: e078864a9b98d6421ab4706601495b551b98313bb6e05d55760e1fa220053f7f
Instruction ID: c2c1e54ce530f1b9c5b7f592afd94dd64df7f950e73418a7a821418d04fd4f07
Opcode Fuzzy Hash: e078864a9b98d6421ab4706601495b551b98313bb6e05d55760e1fa220053f7f
Instruction Fuzzy Hash: 7C41BF36400249AFFB209F24D985B9E37FDBB41319F30601DF94A9A3A6DB7CA944C651

Function 00403148 Relevance: 4.6, APIs: 3, Instructions: 102COMMON

Download Yara Rule

APIs

GetTickCount.KERNEL32 ref: 0040315B

Part of subcall function 00403131: SetFilePointer.KERNELBASE(00000000,00000000,00000000,004036CC,?), ref: 0040313F

SetFilePointer.KERNELBASE(00000000,00000000,?,004032F7,00000004,C:\Users\user\Desktop,?,00000000,004036F8,000000FF,00000000,00000000,?,?), ref: 0040318E
SetFilePointer.KERNELBASE(0000506C,00000000,00000000,004149F0,-0032D18C,?,004032F7,00000004,C:\Users\user\Desktop,?,00000000,004036F8,000000FF,00000000,00000000,?), ref: 004032AD

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: FilePointer$CountTick
String ID:
API String ID: 1092082344-0
Opcode ID: 5996c985795e8b5707d76d0be3e92778556d34cb048b6a269bacef030baef48e
Instruction ID: d2eefc4df71019c2b16fa905559572dc2303f56b63bf2239b88d083b882742d4
Opcode Fuzzy Hash: 5996c985795e8b5707d76d0be3e92778556d34cb048b6a269bacef030baef48e
Instruction Fuzzy Hash: F8315CF1912211DBC710AF29EE849667F68EB84326711433FE901B72E0CB399944DB9D

Function 004027B0 Relevance: 4.6, APIs: 3, Instructions: 53registryCOMMON

Download Yara Rule

APIs

RegEnumKeyW.ADVAPI32(00000000,00000000,?,000003FF), ref: 004027E8
RegEnumValueW.ADVAPI32(00000000,00000000,?,?), ref: 004027FC
RegCloseKey.ADVAPI32(00000000,?,?), ref: 00402818

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: Enum$CloseValue
String ID:
API String ID: 397863658-0
Opcode ID: fe6b0462bbb9c812055640b7e05a812a5f0f6476a15b8fe0613a818189b17234
Instruction ID: b0fab6ada048a007bc7a9e7ea159b859fb2c46f1cf0919f9de2b856f0b768ccb
Opcode Fuzzy Hash: fe6b0462bbb9c812055640b7e05a812a5f0f6476a15b8fe0613a818189b17234
Instruction Fuzzy Hash: 3501B531658341ABD3189F61ED88D3BB79CFF85315F11093EF542A21C0D7B86904866A

Function 00401399 Relevance: 3.0, APIs: 2, Instructions: 49windowCOMMON

Download Yara Rule

APIs

MulDiv.KERNEL32(?,00007530,00000000), ref: 004013F9
SendMessageW.USER32(?,00000402,00000000), ref: 00401409

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 21baafe9a7a0f76613877036fe6656a1d903344fa510fbd339b417530e455d25
Instruction ID: 290020a6ffb3b0b642d393fb7515e003cd99aebe452f8161eadcedbee24de40e
Opcode Fuzzy Hash: 21baafe9a7a0f76613877036fe6656a1d903344fa510fbd339b417530e455d25
Instruction Fuzzy Hash: 65014732B102309BD7296F28EC08B2A3698A790711F55053EF901F72F1D6B8CC06839C

Function 004025FF Relevance: 3.0, APIs: 2, Instructions: 40registryCOMMON

Download Yara Rule

APIs

RegDeleteValueW.ADVAPI32(00000000,00000000,00000033), ref: 0040261E
RegCloseKey.ADVAPI32(00000000), ref: 00402627

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: CloseDeleteValue
String ID:
API String ID: 2831762973-0
Opcode ID: 58e93c502c6760cf7afac41f66f3caaeb4af238a1542128eb1103078922c963e
Instruction ID: 362cb4f6b20b44c4732fe0c2e8830287d718b01241407342bacb51c37ffe1250
Opcode Fuzzy Hash: 58e93c502c6760cf7afac41f66f3caaeb4af238a1542128eb1103078922c963e
Instruction Fuzzy Hash: D6F02433645600A7E210ABA49D4AA7E765DAB903A2F11053FF642B61C4CEBE8C46866D

Function 00402048 Relevance: 3.0, APIs: 2, Instructions: 24COMMON

Download Yara Rule

APIs

ShowWindow.USER32(00000000,00000000), ref: 00402061
EnableWindow.USER32(00000000,00000000), ref: 0040206C

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: Window$EnableShow
String ID:
API String ID: 1136574915-0
Opcode ID: 891da5ed0a96c49853c0618874e93badcd3494bf22b074912de49e1286eaee8a
Instruction ID: d3ea980f862b26b5144c0637eecc05b71e9f62faeec01463a38ba2c80611de59
Opcode Fuzzy Hash: 891da5ed0a96c49853c0618874e93badcd3494bf22b074912de49e1286eaee8a
Instruction Fuzzy Hash: 5EE026726083009FE314AF20E94E96AB768EB40326F20443FF940B40C1CBBE2C4186BE

Function 00406A30 Relevance: 3.0, APIs: 2, Instructions: 14fileCOMMON

Download Yara Rule

APIs

GetFileAttributesW.KERNELBASE(00000003,004034D0,C:\Users\user\Desktop\-pdf.bat.exe,80000000,00000003), ref: 00406A34
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 00406A54

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: 2636aa4b6e8d56909014eda2f457a88b1db290e94deca41eabb4e2e5bf5542ae
Instruction ID: 6944e5d097c49adef6872dbe64bc52011f165bd8882031d975811287a59293c5
Opcode Fuzzy Hash: 2636aa4b6e8d56909014eda2f457a88b1db290e94deca41eabb4e2e5bf5542ae
Instruction Fuzzy Hash: C1D09E71118201AEDF054F20DE4AF1FBA65EF84711F114A2CF2A5940F0DA718825AB15

Function 00402AF5 Relevance: 1.5, APIs: 1, Instructions: 26COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,?,00000000,?,?), ref: 00402B11

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: c9684272530c97a3937d2c2dd0a9e88e4371c21dc146d787c3a44186b09c15e4
Instruction ID: bb3698166f2f7887da60b512e7e280e5d3ba2552d442c0d01900f7df534159fe
Opcode Fuzzy Hash: c9684272530c97a3937d2c2dd0a9e88e4371c21dc146d787c3a44186b09c15e4
Instruction Fuzzy Hash: CBE0DF722452007FD600AB11ED8AC3FB31CEB8031EF04483FF504A40C1C67E280186AA

Function 00406A5D Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

ReadFile.KERNELBASE(?,00000000,00000000,?,00000000,004149F0,-0032D18C,?,00000000,0040312E,?,?,00403292,004149F0,-0032D18C), ref: 00406A74

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: f8dde0e6d0967dcd1486054d06716264d6198d5106f5dd6c4da627d3f0af441a
Instruction ID: 385196eb23d11a36dc6e38e8ab68dc4ec2e70565b983062d54c52da8055020ce
Opcode Fuzzy Hash: f8dde0e6d0967dcd1486054d06716264d6198d5106f5dd6c4da627d3f0af441a
Instruction Fuzzy Hash: B0E0BF7220011ABB8F205B8ADD04D9FBFADEE966A07114026B905A6150D670EA11DAE4

Function 00406B20 Relevance: 1.5, APIs: 1, Instructions: 24fileCOMMON

Download Yara Rule

APIs

WriteFile.KERNELBASE(?,00000000,00000000,?,00000000,0041BE0C,-0032D18C,?,00000000,0040322C,004189F0,0041BE0C,004149F0,-0032D18C,?,004032F7), ref: 00406B37

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 918db18773234dd27a4ccea7b05120dde1c36639e2429e3c910a208a0e7f3d6c
Instruction ID: 1f3280817f598c96c51f842603ae3c0d9e7838c34cd32eb3dba11bf4455027e8
Opcode Fuzzy Hash: 918db18773234dd27a4ccea7b05120dde1c36639e2429e3c910a208a0e7f3d6c
Instruction Fuzzy Hash: 57E0B6B2200129BB8F209B8ADD08D9FFFBDEE957A07124036F905E6150D674EA11D6E4

Function 004063BA Relevance: 1.5, APIs: 1, Instructions: 24registryCOMMON

Download Yara Rule

APIs

RegCreateKeyExW.KERNELBASE(00000000,?,00000000,00000000,00000000,?,00000000,?,00000000,?,?), ref: 004063E3

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: a0b6da99e5e71265e8373ba8059e24fe5c697144cc542e2b776cf21a3b2d53e8
Instruction ID: 20d2b18cbbbfb2fbef22a2957ce1d045c06c2643f5e2d934d02d27322de197f6
Opcode Fuzzy Hash: a0b6da99e5e71265e8373ba8059e24fe5c697144cc542e2b776cf21a3b2d53e8
Instruction Fuzzy Hash: 75E0B6B2010209BEEF095F90ED0AEBB361DEB08310F01852EBE06E4091E6B5ED30A675

Function 70441A4A Relevance: 1.5, APIs: 1, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(7044501C,00000004,00000040,70445034), ref: 70441A68

Memory Dump Source

Source File: 00000000.00000002.3782009729.0000000070441000.00000020.00000001.01000000.00000005.sdmp, Offset: 70440000, based on PE: true

Associated: 00000000.00000002.3781994438.0000000070440000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782022710.0000000070444000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782035449.0000000070446000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70440000_-pdf.jbxd

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 5f75e884adaa71efc1ee6efff84fe33ebaad4fd484bddbe86f671108732a0b8c
Instruction ID: b0709e779aabe9f9989565cbb47278eaef448524f05f8b9c8b6ec4018c7ab0e7
Opcode Fuzzy Hash: 5f75e884adaa71efc1ee6efff84fe33ebaad4fd484bddbe86f671108732a0b8c
Instruction Fuzzy Hash: 53F0C07E919340DADB18DF1AAC447097AE0B71A345B20453EFE49DA362C77145009B9A

Function 004063ED Relevance: 1.5, APIs: 1, Instructions: 19registryCOMMON

Download Yara Rule

APIs

RegOpenKeyExW.KERNELBASE(00000000,?,00000000,00424230,00000000,00000800,00424230,?,00406ABA,00000800,?,?,?,Call,00000000,00000000), ref: 00406411

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: Open
String ID:
API String ID: 71445658-0
Opcode ID: 5d90062fdd1cff32f27602045ec2692a1b627fa5483aed50fd6290a01ccc32d2
Instruction ID: c4076ac10ec322d1f621b48464b0146dd55e4c4a2c3eba9e58b2c244d89ab2f2
Opcode Fuzzy Hash: 5d90062fdd1cff32f27602045ec2692a1b627fa5483aed50fd6290a01ccc32d2
Instruction Fuzzy Hash: 3CD0123200020DBBDF116E909D05FAB372DEB04350F01482AFE06A4091D775D530AB19

Function 0040561D Relevance: 1.5, APIs: 1, Instructions: 10COMMON

Download Yara Rule

APIs

Part of subcall function 00405FBD: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,?,?,?,?,00403466), ref: 0040618F

SetDlgItemTextW.USER32(?,?,00000000), ref: 00405637

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: ItemTextlstrcat
String ID:
API String ID: 3433768297-0
Opcode ID: 0a47412119046910f8567a3edcb2020fc28baccfd11460674a2097b00f1d61e3
Instruction ID: 789d532d0cfa21274277a88f6342db929b0c0901db561bf65b50e3de0f7c97c4
Opcode Fuzzy Hash: 0a47412119046910f8567a3edcb2020fc28baccfd11460674a2097b00f1d61e3
Instruction Fuzzy Hash: 37C04C7514C641BFE642A755CC42F1FB799EF94315F00C92EB59CE51D1CA3984309A26

Function 004055EB Relevance: 1.5, APIs: 1, Instructions: 9windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004055FD

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 0b54b37c65a6f2e9775963e423fcf6596bf7a1857849fbbceef3d2bf8cc140d1
Instruction ID: acaaf28e16a1f9bce30303e423b06679eb72cb68f5cd5c36ac2be97ede75637d
Opcode Fuzzy Hash: 0b54b37c65a6f2e9775963e423fcf6596bf7a1857849fbbceef3d2bf8cc140d1
Instruction Fuzzy Hash: C6C04C717446006AEA209B619D05F077764AB50701F508C397244E51E0CA75E411DA1C

Function 00405606 Relevance: 1.5, APIs: 1, Instructions: 6windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000028,?,00000001,0040543B), ref: 00405614

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: a3bd4e69c3a0b4c191a261ee86b7d51c4704c391ae90971fff71fbbf7edd3ec2
Instruction ID: 7fc37ce8999bee95357acd9183195076b7b6587e69e68807996e1ccba99c995d
Opcode Fuzzy Hash: a3bd4e69c3a0b4c191a261ee86b7d51c4704c391ae90971fff71fbbf7edd3ec2
Instruction Fuzzy Hash: 8EB092352D1600AADA215B00DE09F4ABB62ABA4741F008838B240640F0CAB200A5DB08

Function 00403131 Relevance: 1.5, APIs: 1, Instructions: 6COMMON

Download Yara Rule

APIs

SetFilePointer.KERNELBASE(00000000,00000000,00000000,004036CC,?), ref: 0040313F

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: eeb6e3b4f510f7bce7f4acd2004317b94e1f980229c798523801c224a6f07df3
Instruction ID: 249934cc5d2069a5a678a88893d20fb7c04287045258dfdbdab4020963f10c22
Opcode Fuzzy Hash: eeb6e3b4f510f7bce7f4acd2004317b94e1f980229c798523801c224a6f07df3
Instruction Fuzzy Hash: 94B09231140200AADA214F009E0AF057B21AB90700F108434B290680F086711060EA0D

Function 70442D14 Relevance: 1.4, APIs: 1, Instructions: 143memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNELBASE(?), ref: 70442DD3

Memory Dump Source

Source File: 00000000.00000002.3782009729.0000000070441000.00000020.00000001.01000000.00000005.sdmp, Offset: 70440000, based on PE: true

Associated: 00000000.00000002.3781994438.0000000070440000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782022710.0000000070444000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782035449.0000000070446000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70440000_-pdf.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: c6270ab5d7e90594305aaf0d3f1c385471c45875b42a7bb79e165b0111f0d96c
Instruction ID: 3b05535ceda300b1834938e3d92da33a03dbba7b9f7daea297ebfee5043a5dce
Opcode Fuzzy Hash: c6270ab5d7e90594305aaf0d3f1c385471c45875b42a7bb79e165b0111f0d96c
Instruction Fuzzy Hash: 81417D7A900204DFEB109FA5EE86B4D77B5EB45358F70643EF9058B371DA3CA981CA81

Non-executed Functions

Function 00404521 Relevance: 60.1, APIs: 33, Strings: 1, Instructions: 576windowmemoryCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003F9), ref: 00404539
GetDlgItem.USER32(?,00000408), ref: 00404545
GlobalAlloc.KERNEL32(00000040,?), ref: 0040458D
LoadImageW.USER32(0000006E,00000000,00000000,00000000,00000000), ref: 004045A6
SetWindowLongW.USER32(00000000,000000FC,Function_000059D3), ref: 004045BD
ImageList_Create.COMCTL32(00000010,00000010,00000021,00000006,00000000), ref: 004045D3
ImageList_AddMasked.COMCTL32(00000000,00000000,00FF00FF), ref: 004045E5
SendMessageW.USER32(00000000,00001109,00000002), ref: 004045F8
SendMessageW.USER32(00000000,0000111C,00000000,00000000), ref: 00404604
SendMessageW.USER32(00000000,0000111B,00000010,00000000), ref: 00404616
DeleteObject.GDI32(00000000), ref: 00404619
SendMessageW.USER32(?,00000143,00000000,00000000), ref: 00404647
SendMessageW.USER32(?,00000151,00000000,00000000), ref: 00404651
SendMessageW.USER32(?,00001132,00000000,?), ref: 004046FC
SendMessageW.USER32(?,0000110A,00000003,00000000), ref: 00404726
SendMessageW.USER32(?,00001132,00000000,?), ref: 0040473C
GetWindowLongW.USER32(?,000000F0), ref: 0040476B
SetWindowLongW.USER32(?,000000F0,00000000), ref: 00404778
ShowWindow.USER32(?,00000005), ref: 0040478C
SendMessageW.USER32(?,00000419,00000000,?), ref: 004048C9
SendMessageW.USER32(?,00000147,00000000,00000000), ref: 00404944
SendMessageW.USER32(?,00000150,00000000,00000000), ref: 00404963
SendMessageW.USER32(?,00000420,00000000,00000020), ref: 0040498F
SendMessageW.USER32(?,00000200,00000000,00000000), ref: 004049C4
ImageList_Destroy.COMCTL32(?), ref: 004049EB
GlobalFree.KERNEL32(?), ref: 004049FB

Strings

M, xrefs: 004046E3

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: MessageSend$ImageWindow$List_Long$GlobalItem$AllocCreateDeleteDestroyFreeLoadMaskedObjectShow
String ID: M
API String ID: 1688767230-3664761504
Opcode ID: bee424e7aad126ffc3dd94acac0c55c887baa37b8f9f8150c8b02386ace4a1e4
Instruction ID: f817e89bcf48760cfb5f4289bf731060a572f333ebe8f74edde3a20025983385
Opcode Fuzzy Hash: bee424e7aad126ffc3dd94acac0c55c887baa37b8f9f8150c8b02386ace4a1e4
Instruction Fuzzy Hash: 7A12C0B16043009FD720DF25DD45A2BB6E9EBC8314F104A3EFA95E72E1DB789C418B59

Function 00404188 Relevance: 30.0, APIs: 11, Strings: 6, Instructions: 281COMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,000003FB), ref: 004041D9
SetWindowTextW.USER32(00000000,?), ref: 00404203

Part of subcall function 00406B4F: GetDlgItemTextW.USER32(?,?,00000400,0040504F), ref: 00406B62

Part of subcall function 00406E52: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,00403DB4,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403ACC), ref: 00406EC7
Part of subcall function 00406E52: CharNextW.USER32(?,?,?,00000000), ref: 00406ED6
Part of subcall function 00406E52: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,00403DB4,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403ACC), ref: 00406EDB
Part of subcall function 00406E52: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,00403DB4,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403ACC), ref: 00406EF3

Strings

Call, xrefs: 00404308, 00404317
A, xrefs: 004042C6
:B, xrefs: 00404360
C:\Users\user\AppData\Local\Anvilled, xrefs: 004042F4
:B, xrefs: 004043D3
:B, xrefs: 004043CB

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: Char$Next$ItemText$PrevWindow
String ID: :B$ :B$ :B$A$C:\Users\user\AppData\Local\Anvilled$Call
API String ID: 4089110348-3279199050
Opcode ID: 64a89f78390c37e28e39dbc90de8c98faa8b9fb800003988ad5373c0b078ce64
Instruction ID: a7973db417e6baa05db810715503a342ede3a04454d7dbc9c1eaaa2829578ea4
Opcode Fuzzy Hash: 64a89f78390c37e28e39dbc90de8c98faa8b9fb800003988ad5373c0b078ce64
Instruction Fuzzy Hash: 8C91B2B1604311ABD710AF65DD81B5B76A8EF84704F41083EFB85B62D1DA7CD9018BAE

Function 70442351 Relevance: 18.7, APIs: 12, Instructions: 705stringlibrarymemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 704412F8: GlobalAlloc.KERNEL32(00000040,?,704411C4,-000000A0), ref: 70441302

GlobalAlloc.KERNEL32(00000040,00001CA4), ref: 7044294E
lstrcpyW.KERNEL32(00000008,?), ref: 704429A4
lstrcpyW.KERNEL32(00000808,?), ref: 704429AF
GlobalFree.KERNEL32(00000000), ref: 704429C0
GlobalFree.KERNEL32(?), ref: 70442A44
GlobalFree.KERNEL32(?), ref: 70442A4A
GlobalFree.KERNEL32(?), ref: 70442A50
GetModuleHandleW.KERNEL32(00000008), ref: 70442B1A
LoadLibraryW.KERNEL32(00000008), ref: 70442B2B
GetProcAddress.KERNEL32(?,?), ref: 70442B82
lstrlenW.KERNEL32(00000808), ref: 70442B9D

Memory Dump Source

Source File: 00000000.00000002.3782009729.0000000070441000.00000020.00000001.01000000.00000005.sdmp, Offset: 70440000, based on PE: true

Associated: 00000000.00000002.3781994438.0000000070440000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782022710.0000000070444000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782035449.0000000070446000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70440000_-pdf.jbxd

Similarity

API ID: Global$Free$Alloclstrcpy$AddressHandleLibraryLoadModuleProclstrlen
String ID:
API String ID: 1042148487-0
Opcode ID: f2d4e1c2b57f946e76a7413f80b4ab5611a85362784f64f2546a740c4d1a5075
Instruction ID: b1f0621ced5c8e70a243552b76f60387d3fc5f334a4dbdc6af4aad8a30ca70fe
Opcode Fuzzy Hash: f2d4e1c2b57f946e76a7413f80b4ab5611a85362784f64f2546a740c4d1a5075
Instruction Fuzzy Hash: 3142CF71A08302DFE315CF24C64066EB7F4FF88315F905A2EF49AD6294E778D9458B92

Function 0040234F Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 134comCOMMON

Download Yara Rule

APIs

CoCreateInstance.OLE32(004089F0,?,00000001,004089D0,?,00000000,00000045,000000CD,00000002,000000DF,000000F0), ref: 004023D8

Strings

C:\Users\user~1\AppData\Local\Temp\nsk89.tmp\System.dll, xrefs: 004024AC
C:\Users\user\AppData\Local\Anvilled, xrefs: 0040241F

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: CreateInstance
String ID: C:\Users\user~1\AppData\Local\Temp\nsk89.tmp\System.dll$C:\Users\user\AppData\Local\Anvilled
API String ID: 542301482-1183829909
Opcode ID: b71783c70e184a6a7ddeb92b2c083ba09767801481a9076baeb437bf216bbb0d
Instruction ID: f69d0b7262b398630d4842e81ecf7832ddb853ca3a8a3f947773e47297c7f3c3
Opcode Fuzzy Hash: b71783c70e184a6a7ddeb92b2c083ba09767801481a9076baeb437bf216bbb0d
Instruction Fuzzy Hash: ED414B72204341AFC314DFA5C948A2BBBE9FF89304F10092EF695DB291DBB9D805CB16

Function 00402B75 Relevance: 1.5, APIs: 1, Instructions: 19fileCOMMON

Download Yara Rule

APIs

FindFirstFileW.KERNEL32(00000000,?,00000002), ref: 00402B85

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: FileFindFirst
String ID:
API String ID: 1974802433-0
Opcode ID: aa95f51c6264b43bf771eda4cc7eb5353e28d7212280a1e96ce165172d32d45d
Instruction ID: 674c96032337a1ae6b1bd2494ca7cf71499a5ca917b528e2f8746cac593059ec
Opcode Fuzzy Hash: aa95f51c6264b43bf771eda4cc7eb5353e28d7212280a1e96ce165172d32d45d
Instruction Fuzzy Hash: D9D0E261415250AAD260AF718A49ABA73ADAF05354F204A3EF196E20D1EABC6502932F

Function 00407235 Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fcf2038373dac2d3d8319ce80b5227dedc9fd9d207136d333b3d89b18dbcf931
Instruction ID: 0f19b20907bbe26c6374d5e5023c6d38e836cc393430afbe8d7ff324f94daeea
Opcode Fuzzy Hash: fcf2038373dac2d3d8319ce80b5227dedc9fd9d207136d333b3d89b18dbcf931
Instruction Fuzzy Hash: 36C16A71A0C3918FD364CF29C48076ABBE1FBC5300F54892EE4DA97391E678A546DB4B

Function 00403E8D Relevance: 40.5, APIs: 21, Strings: 2, Instructions: 221windowstringCOMMON

Download Yara Rule

APIs

CheckDlgButton.USER32(?,?,00000001), ref: 00403F2C
EnableWindow.USER32(?), ref: 00403F39
GetDlgItem.USER32(?,000003E8), ref: 00403F45
SendMessageW.USER32(00000000,0000045B,00000001,00000000), ref: 00403F61
GetSysColor.USER32(?), ref: 00403F72
SendMessageW.USER32(00000000,00000443,00000000,?), ref: 00403F80
SendMessageW.USER32(00000000,00000445,00000000,04010000), ref: 00403F8E
lstrlenW.KERNEL32(?), ref: 00403F94
SendMessageW.USER32(00000000,00000435,00000000,00000000), ref: 00403FA1
SendMessageW.USER32(00000000,00000449,?,?), ref: 00403FB8
GetDlgItem.USER32(?,0000040A), ref: 00404014
SendMessageW.USER32(00000000), ref: 0040401B
EnableWindow.USER32(00000000), ref: 00404038
GetDlgItem.USER32(0000004E,000003E8), ref: 0040405C
SendMessageW.USER32(00000000,0000044B,00000000,?), ref: 004040B1
LoadCursorW.USER32(00000000,00007F02), ref: 004040C3
SetCursor.USER32(00000000), ref: 004040CC

Part of subcall function 00406B08: ShellExecuteExW.SHELL32(?), ref: 00406B17

LoadCursorW.USER32(00000000,00007F00), ref: 0040410E
SetCursor.USER32(00000000), ref: 00404111
SendMessageW.USER32(00000111,00000001,00000000), ref: 0040413D
SendMessageW.USER32(00000010,00000000,00000000), ref: 00404155

Strings

|B, xrefs: 004040D6
N, xrefs: 00404048

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: MessageSend$Cursor$Item$EnableLoadWindow$ButtonCheckColorExecuteShelllstrlen
String ID: N$|B
API String ID: 3270077613-741270461
Opcode ID: 6926f728b9a4140239efee31cad9342915eb37f61d6186b76a8037dd33359e50
Instruction ID: 03ac8205f382ddc68e99412b94d7e0d93baa4fe0dd377c53b404b89af8b9d0ff
Opcode Fuzzy Hash: 6926f728b9a4140239efee31cad9342915eb37f61d6186b76a8037dd33359e50
Instruction Fuzzy Hash: F8816EB0644305AFD7109F24DD48A6B7BA8FB98344F40093EF685A72A1CB789945CB6A

Function 00401000 Relevance: 26.4, APIs: 14, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

DefWindowProcW.USER32(?,?,?,?), ref: 0040102E
BeginPaint.USER32(?,?), ref: 0040104C
GetClientRect.USER32(?,?), ref: 00401062
CreateBrushIndirect.GDI32(00000000), ref: 004010DF
FillRect.USER32(00000000,?,00000000), ref: 004010F3
DeleteObject.GDI32(00000000), ref: 004010FA
CreateFontIndirectW.GDI32(?), ref: 00401120
SetBkMode.GDI32(00000000,00000001), ref: 00401143
SetTextColor.GDI32(00000000,000000FF), ref: 0040114D
SelectObject.GDI32(00000000,00000000), ref: 0040115B
DrawTextW.USER32(00000000,00428D40,000000FF,?,00000820), ref: 00401171
SelectObject.GDI32(00000000,00000000), ref: 00401179
DeleteObject.GDI32(?), ref: 0040117F
EndPaint.USER32(?,?), ref: 0040118E

Strings

F, xrefs: 0040100A

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: Object$CreateDeleteIndirectPaintRectSelectText$BeginBrushClientColorDrawFillFontModeProcWindow
String ID: F
API String ID: 941294808-1304234792
Opcode ID: 2ca4e0cb8bbe08ec02795cdb68367fd140eecc9f655486cbe37f55fdb25868c2
Instruction ID: cbd0933a51e0d69d1329980f29ca5745c9819e032560b200aac5586c4a4d24f6
Opcode Fuzzy Hash: 2ca4e0cb8bbe08ec02795cdb68367fd140eecc9f655486cbe37f55fdb25868c2
Instruction Fuzzy Hash: C541BF720083509FC7159F65CE4496FBBE9FF88715F150A2EF9D5A62A0CA34C904CFA5

Function 0040641B Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 124memorystringCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,?,?,00000000,?,00406373,?,?), ref: 00406456
GetShortPathNameW.KERNEL32(00000000,00426E78,00000400), ref: 0040645F
GetShortPathNameW.KERNEL32(?,00426678,00000400), ref: 0040647C
wsprintfA.USER32 ref: 0040649A
GetFileSize.KERNEL32(00000000,00000000,00426678,C0000000,00000004,00426678,?), ref: 004064D2
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 004064E2
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00406512
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000,00000000,00426278,00000000,-0000000A,004089A4,00000000,[Rename],00000000,00000000,00000000), ref: 00406532
GlobalFree.KERNEL32(00000000), ref: 00406544
CloseHandle.KERNEL32(00000000), ref: 0040654B

Part of subcall function 00406A30: GetFileAttributesW.KERNELBASE(00000003,004034D0,C:\Users\user\Desktop\-pdf.bat.exe,80000000,00000003), ref: 00406A34
Part of subcall function 00406A30: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000000,00000000), ref: 00406A54

Strings

xnB, xrefs: 00406431
xfB, xrefs: 00406472
[Rename], xrefs: 004064FA, 00406509
%ls=%ls, xrefs: 00406490

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShort$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]$xfB$xnB
API String ID: 2900126502-517554076
Opcode ID: ac91c1a28502f1bfb87c1199f85f6386a03c8f980d5b1fd238676458d943b8cb
Instruction ID: 0cce765fd4ac64f64f5847131bacee5d89b3958391fbe683fc7760f607864942
Opcode Fuzzy Hash: ac91c1a28502f1bfb87c1199f85f6386a03c8f980d5b1fd238676458d943b8cb
Instruction Fuzzy Hash: 7131F2B02006117AD6207B25AD49F7B3A6CEF41748F16003EF943B62D6DE7CC8128A7C

Function 00402BA3 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 102memoryfileCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402C09
GlobalAlloc.KERNEL32(00000040,?,00000000,?,?,?,?,?,?,?,?,?,000000F0), ref: 00402C33
GlobalFree.KERNEL32(?), ref: 00402C7E
GlobalFree.KERNEL32(00000000), ref: 00402C94
CloseHandle.KERNEL32(00000000,?,00000000,?,?,00000000,40000000,00000002,00000000,00000000), ref: 00402CB1
DeleteFileW.KERNEL32(00000000,00000000,40000000,00000002,00000000,00000000,?,?,?,?,?,?,?,000000F0), ref: 00402CC4

Strings

C:\Users\user~1\AppData\Local\Temp\nsk89.tmp\System.dll, xrefs: 00402CD3

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: Global$AllocFree$CloseDeleteFileHandle
String ID: C:\Users\user~1\AppData\Local\Temp\nsk89.tmp\System.dll
API String ID: 2667972263-3506212881
Opcode ID: ec2f19e7735bcee35764a1c419a37c79c0b5e252fdbd4c41f47b9c28b54a733e
Instruction ID: 074600833c42f0693f5f472c4feb87f1cd667ccf468de98b174193e6d8715b1c
Opcode Fuzzy Hash: ec2f19e7735bcee35764a1c419a37c79c0b5e252fdbd4c41f47b9c28b54a733e
Instruction Fuzzy Hash: 30310871408351AFD310AF65CE48E1FBAE8AF89754F11463EF5A1772D2C77898018B9A

Function 00406E52 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 83COMMON

Download Yara Rule

APIs

CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,00403DB4,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403ACC), ref: 00406EC7
CharNextW.USER32(?,?,?,00000000), ref: 00406ED6
CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,00403DB4,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403ACC), ref: 00406EDB
CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,00403DB4,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403ACC), ref: 00406EF3

Strings

*?|<>/":, xrefs: 00406EB6
Error writing temporary file. Make sure your temp folder is valid., xrefs: 00406E59
C:\Users\user~1\AppData\Local\Temp\, xrefs: 00406E52, 00406E54

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: Char$Next$Prev
String ID: *?|<>/":$C:\Users\user~1\AppData\Local\Temp\$Error writing temporary file. Make sure your temp folder is valid.
API String ID: 589700163-3572696228
Opcode ID: d7cee7299210071b0bd5c0c877b0836f4874a5f45daef98052a11ed8e57e76f7
Instruction ID: 678fcbdb596b78e8a7eea6de8248b36d7e838f456ea6c1a5848c0ba59b47ba4e
Opcode Fuzzy Hash: d7cee7299210071b0bd5c0c877b0836f4874a5f45daef98052a11ed8e57e76f7
Instruction Fuzzy Hash: E211F32950073559DA306B6ACC4097B62E8EF697A1316443BFACAA32C0E77D8D51D2E8

Function 0040585E Relevance: 12.1, APIs: 8, Instructions: 70COMMON

Download Yara Rule

APIs

GetWindowLongW.USER32(?,000000EB), ref: 0040587B
GetSysColor.USER32 ref: 004058B4
SetTextColor.GDI32(?), ref: 004058C7
SetBkMode.GDI32(?,?), ref: 004058D3
GetSysColor.USER32(?), ref: 004058E7
SetBkColor.GDI32(?,?), ref: 004058FD
DeleteObject.GDI32(?), ref: 00405919
CreateBrushIndirect.GDI32(?), ref: 00405923

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: bf0799ea3bd6f053e04a74c3ecacf9df28762d59f89d86d460fcd2570ffda868
Instruction ID: 853fd2a938e6063eae5099aa51e4afe06320ee8032e9b574836c5d7031c179f8
Opcode Fuzzy Hash: bf0799ea3bd6f053e04a74c3ecacf9df28762d59f89d86d460fcd2570ffda868
Instruction Fuzzy Hash: FE21D675500B04EFDB349F28DA48A5B77F4EF057607008A3DE896A26B0DB34E814CF14

Function 70442049 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129memoryCOMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 704421BF

Part of subcall function 704412E1: lstrcpynW.KERNEL32(00000000,?,7044156A,?,704411C4,-000000A0), ref: 704412F1

GlobalAlloc.KERNEL32(00000040), ref: 7044212C
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,00000000,?,00000000,00000000), ref: 7044214C

Strings

@H3w, xrefs: 7044216A

Memory Dump Source

Source File: 00000000.00000002.3782009729.0000000070441000.00000020.00000001.01000000.00000005.sdmp, Offset: 70440000, based on PE: true

Associated: 00000000.00000002.3781994438.0000000070440000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782022710.0000000070444000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782035449.0000000070446000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70440000_-pdf.jbxd

Similarity

API ID: Global$AllocByteCharFreeMultiWidelstrcpyn
String ID: @H3w
API String ID: 4216380887-4275297014
Opcode ID: 6fa4ff7eb91e2b1d829c74fc59adf9bb22ef2ef1f642814bb09ed7a3e443daa3
Instruction ID: 6225ac5fa828226255f687b4a817e7557f9cfa63deeeac9cc7057806852720c3
Opcode Fuzzy Hash: 6fa4ff7eb91e2b1d829c74fc59adf9bb22ef2ef1f642814bb09ed7a3e443daa3
Instruction Fuzzy Hash: 29414771405205EFE3019F24C984BEE7BFCFB06344FA4123DFE099A249DBB86591DAA1

Function 004033E9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 51COMMON

Download Yara Rule

APIs

DestroyWindow.USER32(00000000), ref: 00403402
GetTickCount.KERNEL32 ref: 00403423
wsprintfW.USER32 ref: 00403452

Part of subcall function 00405E3D: lstrlenW.KERNEL32(00424230,C:\Users\user\Desktop,00000000,00000000), ref: 00405E6F
Part of subcall function 00405E3D: lstrlenW.KERNEL32(?,00424230,C:\Users\user\Desktop,00000000,00000000), ref: 00405E81
Part of subcall function 00405E3D: lstrcatW.KERNEL32(00424230,?,?,00424230,C:\Users\user\Desktop,00000000,00000000), ref: 00405E9C
Part of subcall function 00405E3D: SetWindowTextW.USER32(00424230,00424230), ref: 00405EB4
Part of subcall function 00405E3D: SendMessageW.USER32(?), ref: 00405EDB
Part of subcall function 00405E3D: SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405EF6
Part of subcall function 00405E3D: SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405F03

CreateDialogParamW.USER32(0000006F,00000000,00403747,00000000), ref: 00403479
ShowWindow.USER32(00000000,00000005), ref: 00403487

Part of subcall function 004033CB: MulDiv.KERNEL32(0003FF03,00000064,0003FF03), ref: 004033E2

Strings

... %d%%, xrefs: 0040344C

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: MessageSendWindow$lstrlen$CountCreateDestroyDialogParamShowTextTicklstrcatwsprintf
String ID: ... %d%%
API String ID: 722711167-2449383134
Opcode ID: bdd0e0c02e783bf097d4f533cddbcf0abc40fd15471b2550623dfac65dc01907
Instruction ID: f266c3144acc84abeb33af89d5a8a1b628b0ed282eaa896ec301c971e6cb58ec
Opcode Fuzzy Hash: bdd0e0c02e783bf097d4f533cddbcf0abc40fd15471b2550623dfac65dc01907
Instruction Fuzzy Hash: 50018470641204EBDB119F64FE8EB593BA8A700B0AF10443EF941F51E0DBB89548CB6C

Function 004057DD Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,0000110A,00000009,00000000), ref: 004057F6
GetMessagePos.USER32 ref: 004057FE
ScreenToClient.USER32(?,?), ref: 00405818
SendMessageW.USER32(?,00001111,00000000,?), ref: 0040582C
SendMessageW.USER32(?,0000113E,00000000,?), ref: 00405854

Strings

f, xrefs: 0040582E

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: Message$Send$ClientScreen
String ID: f
API String ID: 41195575-1993550816
Opcode ID: c033d2a482c0bbee4868c7629423a8e69750951f4e6b473a84ec653bd2017e87
Instruction ID: a34ed8a21e94797a74c1091573c129874cd65debd64a168ab9176f0650f2b5a0
Opcode Fuzzy Hash: c033d2a482c0bbee4868c7629423a8e69750951f4e6b473a84ec653bd2017e87
Instruction Fuzzy Hash: 98014C7190020CBADB01EF94DD45BEEBBB9EF04710F10812AFA50BA1E0C7B49A51CF54

Function 00403747 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 36timeCOMMON

Download Yara Rule

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00403765
wsprintfW.USER32 ref: 00403795
SetWindowTextW.USER32(?,?), ref: 004037A5
SetDlgItemTextW.USER32(?,00000406,?), ref: 004037B7

Strings

verifying installer: %d%%, xrefs: 00403782
unpacking data: %d%%, xrefs: 00403788, 00403790

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: unpacking data: %d%%$verifying installer: %d%%
API String ID: 1451636040-1158693248
Opcode ID: defbe51d6f9882951ad5208393e217e44a68b2759e178f6fe88e35c9064f4801
Instruction ID: 79e04ba7ff141100257c27fc40fa1ffc2d52e87daa7d5e1ad393195e5ff21367
Opcode Fuzzy Hash: defbe51d6f9882951ad5208393e217e44a68b2759e178f6fe88e35c9064f4801
Instruction Fuzzy Hash: E0F044B0640509ABDF206F64DD46BAA3B6CAB00345F00C03EF946F50D0DFB89A559B9D

Function 70442209 Relevance: 9.1, APIs: 6, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 704412F8: GlobalAlloc.KERNEL32(00000040,?,704411C4,-000000A0), ref: 70441302

GlobalFree.KERNEL32(00000000), ref: 704422F1
GlobalFree.KERNEL32(00000000), ref: 70442326

Memory Dump Source

Source File: 00000000.00000002.3782009729.0000000070441000.00000020.00000001.01000000.00000005.sdmp, Offset: 70440000, based on PE: true

Associated: 00000000.00000002.3781994438.0000000070440000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782022710.0000000070444000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782035449.0000000070446000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70440000_-pdf.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 5175ac00b7c9b015610fa8c35400606c7ac97828abd6b1be9b783d8ff7a596a8
Instruction ID: 9b2531563e342f5f37f2e1f98152bcf8f41dce8ee841f9ef5d3eab8f95228785
Opcode Fuzzy Hash: 5175ac00b7c9b015610fa8c35400606c7ac97828abd6b1be9b783d8ff7a596a8
Instruction Fuzzy Hash: 09310232200101DFF7268F65CE45B2EB7B9FB86315FA015ACF902D62A0C7B99851EB61

Function 704410C7 Relevance: 8.9, APIs: 7, Instructions: 162memoryCOMMON

Download Yara Rule

APIs

GlobalAlloc.KERNEL32(00000040,?), ref: 7044116B
GlobalFree.KERNEL32(00000000), ref: 704411AE
GlobalFree.KERNEL32(00000000), ref: 704411CD
GlobalAlloc.KERNEL32(00000040,?), ref: 704411E6
GlobalFree.KERNEL32 ref: 7044125C
GlobalFree.KERNEL32(?), ref: 704412A7
GlobalFree.KERNEL32(00000000), ref: 704412BF

Memory Dump Source

Source File: 00000000.00000002.3782009729.0000000070441000.00000020.00000001.01000000.00000005.sdmp, Offset: 70440000, based on PE: true

Associated: 00000000.00000002.3781994438.0000000070440000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782022710.0000000070444000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782035449.0000000070446000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70440000_-pdf.jbxd

Similarity

API ID: Global$Free$Alloc
String ID:
API String ID: 1780285237-0
Opcode ID: 753ac7e8ac328d0dfafe76adaae99a6264046651d83ef99760c53bc0dcd29715
Instruction ID: 426208f61c2c37099655e745fcff52f324ae772105a46ca5e211e3aedb4dc2fc
Opcode Fuzzy Hash: 753ac7e8ac328d0dfafe76adaae99a6264046651d83ef99760c53bc0dcd29715
Instruction Fuzzy Hash: 6C519D76600201DFEB10DFA9D841A2EB7B8FB4A304B30156EF946E7371DA79E901CB91

Function 0040141E Relevance: 7.6, APIs: 5, Instructions: 82registryCOMMON

Download Yara Rule

APIs

RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 00401486
RegEnumKeyW.ADVAPI32(?,00000000,?,00000105), ref: 004014D2
RegCloseKey.ADVAPI32(?), ref: 004014DC
RegDeleteKeyW.ADVAPI32(?,?), ref: 004014FB
RegCloseKey.ADVAPI32(?), ref: 00401507

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: CloseEnum$DeleteValue
String ID:
API String ID: 1354259210-0
Opcode ID: e8ddf1ba41867b4dcb0a1b51ee85c4361d4a4490657ba90a650c7ccd87fbe96b
Instruction ID: 1a53fb46a82155f82ff31744ef364dfb58a0b08b91411c266ca9c6ebac2befae
Opcode Fuzzy Hash: e8ddf1ba41867b4dcb0a1b51ee85c4361d4a4490657ba90a650c7ccd87fbe96b
Instruction Fuzzy Hash: 98218032108244BBD7219F51DD08FABBBADEF99354F02043EF989A11B0D7359A149A6A

Function 00401EEA Relevance: 7.6, APIs: 5, Instructions: 74windowCOMMON

Download Yara Rule

APIs

GetDlgItem.USER32(?,?), ref: 00401F03
GetClientRect.USER32(00000000,?), ref: 00401F4D
LoadImageW.USER32(00000000,?,00000100,?,?,00000100), ref: 00401F82
SendMessageW.USER32(00000000,00000172,00000100,00000000), ref: 00401F92
DeleteObject.GDI32(00000000), ref: 00401FA1

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: ClientDeleteImageItemLoadMessageObjectRectSend
String ID:
API String ID: 1849352358-0
Opcode ID: 82f52a09afcb0d3daa84e2303d63fc57e8106e0a43467699c9b4d0f7bcb94b74
Instruction ID: 719508abfab18efcfe9497ff31e10421c437d84cede584cdb3018339205083e7
Opcode Fuzzy Hash: 82f52a09afcb0d3daa84e2303d63fc57e8106e0a43467699c9b4d0f7bcb94b74
Instruction Fuzzy Hash: C621B372609302AFD340DF64DE84A6BB7E8EB88304F04093EF985E62A1D678D840CB59

Function 00401FB8 Relevance: 7.5, APIs: 5, Instructions: 43COMMON

Download Yara Rule

APIs

GetDC.USER32 ref: 00401FB9
GetDeviceCaps.GDI32(00000000,0000005A), ref: 00401FD0
MulDiv.KERNEL32(00000000,00000000), ref: 00401FD8
ReleaseDC.USER32(?,00000000), ref: 00401FEB

Part of subcall function 00405FBD: lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch,?,?,?,?,?,?,?,?,?,?,?,?,?,00403466), ref: 0040618F

CreateFontIndirectW.GDI32(0040C8E8), ref: 00402037

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: CapsCreateDeviceFontIndirectReleaselstrcat
String ID:
API String ID: 4253744674-0
Opcode ID: a2cb6d5a530958616e1a68da60b4d574b0b9919d37be39f7b238e4b07ad129ff
Instruction ID: 3db98f0040f9558d3034a6f543d99371bd15d147d3a645f57d18814a747c8483
Opcode Fuzzy Hash: a2cb6d5a530958616e1a68da60b4d574b0b9919d37be39f7b238e4b07ad129ff
Instruction Fuzzy Hash: DA01D472104341EFD300BBB49E4AF5A3BE8E755706F10893DF690B71E1CA784106AB2E

Function 70441F7B Relevance: 7.5, APIs: 5, Instructions: 38memorylibraryloaderCOMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000,00000000,00000808,00000000,70442B4C,00000000,00000808), ref: 70441F8C
GlobalAlloc.KERNEL32(00000040,00000000), ref: 70441F97
WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,00000000,00000000), ref: 70441FAB
GetProcAddress.KERNEL32(?,00000000), ref: 70441FB6
GlobalFree.KERNEL32(00000000), ref: 70441FBF

Memory Dump Source

Source File: 00000000.00000002.3782009729.0000000070441000.00000020.00000001.01000000.00000005.sdmp, Offset: 70440000, based on PE: true

Associated: 00000000.00000002.3781994438.0000000070440000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782022710.0000000070444000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782035449.0000000070446000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70440000_-pdf.jbxd

Similarity

API ID: ByteCharGlobalMultiWide$AddressAllocFreeProc
String ID:
API String ID: 1148316912-0
Opcode ID: 51e8ea919bf9c25c1c274b75201fd440cbe0b28d0b0db8ff2b5883e6bbcec5cb
Instruction ID: 218cdec2f344e6f46c280b6c803070ee72b871cfcc8bd802927d04ceca03dfe6
Opcode Fuzzy Hash: 51e8ea919bf9c25c1c274b75201fd440cbe0b28d0b0db8ff2b5883e6bbcec5cb
Instruction Fuzzy Hash: 8AF0AC33108118BBC6101BA7DC0CE57BE6CEBCB6FEF260225F719D11A0C9A268208771

Function 00405663 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 90stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(00421200,%u.%u%s%s,?,00000000,00000000,?,000000DC,00000000,?,000000DF,00421200,?,?,?,?,?), ref: 00405722
wsprintfW.USER32 ref: 0040572F
SetDlgItemTextW.USER32(?,00421200), ref: 00405746

Strings

%u.%u%s%s, xrefs: 0040571C

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: ItemTextlstrlenwsprintf
String ID: %u.%u%s%s
API String ID: 3540041739-3551169577
Opcode ID: c96249e9300986abb23fa76973b5aeafd7c2cead55943fec95e169e365224207
Instruction ID: 16b5fc0e536004003feacbc0b07359baea7c85987217a9a7f81b4acd8141d083
Opcode Fuzzy Hash: c96249e9300986abb23fa76973b5aeafd7c2cead55943fec95e169e365224207
Instruction Fuzzy Hash: 342106337046145BE720A9799C40FABB289C7C1364F114B3EFD6AF31D1E97A4C0885A5

Function 00401DBA Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 84windowtimeCOMMON

Download Yara Rule

APIs

SendMessageTimeoutW.USER32(?,00000000,00000000,00000000,?,?,?), ref: 00401E2C
SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00401E48

Strings

!, xrefs: 00401DF8

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: MessageSend$Timeout
String ID: !
API String ID: 1777923405-2657877971
Opcode ID: 4ac29c9cce96a64425d433324c190f698a606156d2abb8f580e7760b9a936131
Instruction ID: 69e66636fd5bd3b5647f571c9a221c10a7108a79841ed4504f027ee0874c03e8
Opcode Fuzzy Hash: 4ac29c9cce96a64425d433324c190f698a606156d2abb8f580e7760b9a936131
Instruction Fuzzy Hash: B821F471609301AFE714AF21C846A2FBBE8EF84755F00093FF585A61E0D6B99D05CA9A

Function 70441F1E Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 28stringCOMMON

Download Yara Rule

APIs

wsprintfW.USER32 ref: 70441F51
lstrcpyW.KERNEL32(?,error,00001018,70441765,00000000,?), ref: 70441F71

Strings

callback%d, xrefs: 70441F4B
error, xrefs: 70441F67, 70441F6F

Memory Dump Source

Source File: 00000000.00000002.3782009729.0000000070441000.00000020.00000001.01000000.00000005.sdmp, Offset: 70440000, based on PE: true

Associated: 00000000.00000002.3781994438.0000000070440000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782022710.0000000070444000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782035449.0000000070446000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70440000_-pdf.jbxd

Similarity

API ID: lstrcpywsprintf
String ID: callback%d$error
API String ID: 2408954437-1307476583
Opcode ID: f2adc61b2c283a6bc326ac4e0b3e2488401fee36c991f8d0388df7d6522d262b
Instruction ID: 35fea37a853b79b5369f0cebeacb5ca0bff5aead28f0c96020bc909a2c82ae23
Opcode Fuzzy Hash: f2adc61b2c283a6bc326ac4e0b3e2488401fee36c991f8d0388df7d6522d262b
Instruction Fuzzy Hash: CEF08235204110AFE3048B04D949EBE73B5EFC5310F1581A8FE4A87321C7B8AC558B51

Function 0040666B Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16stringCOMMON

Download Yara Rule

APIs

lstrlenW.KERNEL32(?,C:\Users\user~1\AppData\Local\Temp\,00403DC6,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403ACC), ref: 00406671
CharPrevW.USER32(?,00000000), ref: 0040667C
lstrcatW.KERNEL32(?,004082B0), ref: 0040668E

Strings

C:\Users\user~1\AppData\Local\Temp\, xrefs: 0040666B

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\
API String ID: 2659869361-2382934351
Opcode ID: af0f29ec3e00eb9cb7465e170f069c3d07ca18caf44beac98ff2055d579f65ee
Instruction ID: e53bcaeb2a9d501c079122a7a30c9a72ba2c4e071b5cbc1f188cd12783ca4c41
Opcode Fuzzy Hash: af0f29ec3e00eb9cb7465e170f069c3d07ca18caf44beac98ff2055d579f65ee
Instruction Fuzzy Hash: A4D01731102A24EBC2025B549E0899B76ACAF46301305446AF982A2160CB78295287FD

Function 70441CC7 Relevance: 6.2, APIs: 4, Instructions: 209COMMON

Download Yara Rule

APIs

GlobalFree.KERNEL32(00000000), ref: 70441D37
GlobalFree.KERNEL32(?), ref: 70441DF2
GlobalFree.KERNEL32(00000000), ref: 70441DF5
__alldvrm.LIBCMT ref: 70441E2F

Memory Dump Source

Source File: 00000000.00000002.3782009729.0000000070441000.00000020.00000001.01000000.00000005.sdmp, Offset: 70440000, based on PE: true

Associated: 00000000.00000002.3781994438.0000000070440000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782022710.0000000070444000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000000.00000002.3782035449.0000000070446000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_70440000_-pdf.jbxd

Similarity

API ID: FreeGlobal$__alldvrm
String ID:
API String ID: 482422042-0
Opcode ID: 64234e56f52b44a60cdad566243ab5d1ca34b3de13cdbb4cbd229f7d89d51595
Instruction ID: 382c3e9e1d27bf23e4dcc55b4436ecc7e56089029d4e95019a3972138a18a665
Opcode Fuzzy Hash: 64234e56f52b44a60cdad566243ab5d1ca34b3de13cdbb4cbd229f7d89d51595
Instruction Fuzzy Hash: 7A5116F6B043458EF3069E75898057E76FAABC9244B30692DF543C3374E6ADEC868252

Function 0040285F Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 70stringCOMMON

Download Yara Rule

APIs

lstrlenA.KERNEL32(C:\Users\user~1\AppData\Local\Temp\nsk89.tmp\System.dll), ref: 004028B9

Strings

C:\Users\user~1\AppData\Local\Temp\nsk89.tmp\System.dll, xrefs: 00402870, 0040288F, 004028AA, 004028B8, 00402905
C:\Users\user~1\AppData\Local\Temp\nsk89.tmp, xrefs: 004028AB

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: lstrlen
String ID: C:\Users\user~1\AppData\Local\Temp\nsk89.tmp$C:\Users\user~1\AppData\Local\Temp\nsk89.tmp\System.dll
API String ID: 1659193697-301176501
Opcode ID: 387afe5f2ee94bb6b8344b757808788b15e5643010adbc636527a30c9f2b8f3a
Instruction ID: b2a1b44c32654855d82a94df603f8ab0089ff69422b0f6d19ee8e4250137a66d
Opcode Fuzzy Hash: 387afe5f2ee94bb6b8344b757808788b15e5643010adbc636527a30c9f2b8f3a
Instruction Fuzzy Hash: C6110676A4431167C314EB619D8592FB7D4AF84314F55843FF545B21C1D7BC980683AF

Function 00402077 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 54COMMON

Download Yara Rule

APIs

Part of subcall function 00405E3D: lstrlenW.KERNEL32(00424230,C:\Users\user\Desktop,00000000,00000000), ref: 00405E6F
Part of subcall function 00405E3D: lstrlenW.KERNEL32(?,00424230,C:\Users\user\Desktop,00000000,00000000), ref: 00405E81
Part of subcall function 00405E3D: lstrcatW.KERNEL32(00424230,?,?,00424230,C:\Users\user\Desktop,00000000,00000000), ref: 00405E9C
Part of subcall function 00405E3D: SetWindowTextW.USER32(00424230,00424230), ref: 00405EB4
Part of subcall function 00405E3D: SendMessageW.USER32(?), ref: 00405EDB
Part of subcall function 00405E3D: SendMessageW.USER32(?,0000104D,00000000,?), ref: 00405EF6
Part of subcall function 00405E3D: SendMessageW.USER32(?,00001013,00000000,00000000), ref: 00405F03

Part of subcall function 00406B08: ShellExecuteExW.SHELL32(?), ref: 00406B17

Part of subcall function 00406629: WaitForSingleObject.KERNEL32(?,00000064), ref: 00406633
Part of subcall function 00406629: GetExitCodeProcess.KERNEL32(?,?), ref: 0040665D

CloseHandle.KERNEL32(?,?), ref: 00402110

Strings

C:\Users\user~1\AppData\Local\Temp\nsk89.tmp\System.dll, xrefs: 00402098
@, xrefs: 004020F2
C:\Users\user\AppData\Local\Anvilled, xrefs: 004020D1

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: MessageSend$lstrlen$CloseCodeExecuteExitHandleObjectProcessShellSingleTextWaitWindowlstrcat
String ID: @$C:\Users\user~1\AppData\Local\Temp\nsk89.tmp\System.dll$C:\Users\user\AppData\Local\Anvilled
API String ID: 4079680657-1872613119
Opcode ID: aa7ec03ee00d28e014fa6505370972872b830a8762c26e593078ae465e74a0c3
Instruction ID: eb73de0908827afac095caf57cdf6eb37e5abf97a1b8575dd1b675aa20df7b67
Opcode Fuzzy Hash: aa7ec03ee00d28e014fa6505370972872b830a8762c26e593078ae465e74a0c3
Instruction Fuzzy Hash: E9118C72A083809BC710EFA2C94561ABBE9BF84345F40493EF595A72D1DBB98805CB4A

Function 0040674D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00406C2F: lstrcpynW.KERNEL32(?,?,00000400,00403979,00428D40,NSIS Error), ref: 00406C3C

Part of subcall function 00406CDA: CharNextW.USER32(?,?,?,00000000,00425A78,00406764,00425A78,00425A78,00000000,?,?,00406850,?,00000000,771B3420,00000000), ref: 00406CE9
Part of subcall function 00406CDA: CharNextW.USER32(00000000), ref: 00406CEE
Part of subcall function 00406CDA: CharNextW.USER32(00000000), ref: 00406D08

Part of subcall function 00406E52: CharNextW.USER32(?,*?|<>/":,00000000,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,00403DB4,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403ACC), ref: 00406EC7
Part of subcall function 00406E52: CharNextW.USER32(?,?,?,00000000), ref: 00406ED6
Part of subcall function 00406E52: CharNextW.USER32(?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,00403DB4,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403ACC), ref: 00406EDB
Part of subcall function 00406E52: CharPrevW.USER32(?,?,Error writing temporary file. Make sure your temp folder is valid.,C:\Users\user~1\AppData\Local\Temp\,00000000,C:\Users\user~1\AppData\Local\Temp\,00403DB4,C:\Users\user~1\AppData\Local\Temp\,771B3420,00403ACC), ref: 00406EF3

lstrlenW.KERNEL32(00425A78,00000000,00425A78,00425A78,00000000,?,?,00406850,?,00000000,771B3420,00000000), ref: 004067A1
GetFileAttributesW.KERNEL32(00425A78,00425A78), ref: 004067B2

Part of subcall function 004066E4: FindFirstFileW.KERNELBASE(00000000,00427678,00000000,00406791,00425A78), ref: 004066EF
Part of subcall function 004066E4: FindClose.KERNEL32(00000000), ref: 004066FB

Strings

xZB, xrefs: 00406753

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: Char$Next$FileFind$AttributesCloseFirstPrevlstrcpynlstrlen
String ID: xZB
API String ID: 1879705256-2099606936
Opcode ID: 5800bf596dedfe38e5e8e205addafa35088b03d9a536258e662f59f23e937245
Instruction ID: 2db780cc6ff4cd725acbdd47cdb002ba9ae4a6237b2c335b3197585fa2333bb0
Opcode Fuzzy Hash: 5800bf596dedfe38e5e8e205addafa35088b03d9a536258e662f59f23e937245
Instruction Fuzzy Hash: 41F0816111462159D62123754E8852B55588E0576D75B4E3FFCA3F32D3CA3CCD35917C

Function 00406A8C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47registryCOMMON

Download Yara Rule

APIs

RegQueryValueExW.ADVAPI32(?,00424230,00000000,?,00000000,00000800,?,00000800,?,?,?,Call,00000000,00000000,?,004060BE), ref: 00406AD3
RegCloseKey.ADVAPI32(?), ref: 00406ADE

Strings

Call, xrefs: 00406A91

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: 06b5c5a8a77114971240aaeb66a1a7ac0d855d789a2ba5ec2246048785c8eebf
Instruction ID: 34caf82e5ea4c281413b850cd147b84363d63a2aa5d54ac32b4bcbe0ea44b894
Opcode Fuzzy Hash: 06b5c5a8a77114971240aaeb66a1a7ac0d855d789a2ba5ec2246048785c8eebf
Instruction Fuzzy Hash: 91014C7651010ABADF218FA4DD0AADF7BF8EF45344F114136B802E2160D274EA64DBA4

Function 004059D3 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 45windowCOMMON

Download Yara Rule

APIs

IsWindowVisible.USER32(?), ref: 00405A07
CallWindowProcW.USER32(?,?,?,?), ref: 00405A4F

Part of subcall function 004055EB: SendMessageW.USER32(?,00000000,00000000,00000000), ref: 004055FD

Strings

, xrefs: 004059E8

Memory Dump Source

Source File: 00000000.00000002.3780115547.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000000.00000002.3780099356.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780131246.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000427000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.000000000042E000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780144711.0000000000434000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000044E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000450000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.000000000048E000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.3780238905.0000000000490000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_400000_-pdf.jbxd

Similarity

API ID: Window$CallMessageProcSendVisible
String ID:
API String ID: 3748168415-3916222277
Opcode ID: 8bed61b20fc1319d828832d96cd2df9170cc440e4b5382bb1eccda39d0ccd4f6
Instruction ID: 3928be96b0bb21ea01fbc6d57ea2e9352dbda775cb9ee4e874704f653b680fb1
Opcode Fuzzy Hash: 8bed61b20fc1319d828832d96cd2df9170cc440e4b5382bb1eccda39d0ccd4f6
Instruction Fuzzy Hash: D9018F35700908EBDF309F55EC85A9B3A26EB88765F004237FA04B61D1C7798892DEAD

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Active Directory: Active Directory Object Modification, Command: Command Execution, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, User Account: User Account Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine or network device. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer or network device via Network Device CLI (e.g. `reload` ).
Tactics:	Impact
Data Sources:	Command: Command Execution, Process: Process Creation, Sensor Health: Host Status
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report -pdf.bat.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Anvilled\Baadehavnes.Ugo

C:\Users\user\AppData\Local\Anvilled\Martyrizations.Sim

C:\Users\user\AppData\Local\Anvilled\Opsamlingsbeholdere119.bes

C:\Users\user\AppData\Local\Anvilled\ammunitionsfabrikken.txt

C:\Users\user\AppData\Local\Anvilled\teleph.all

C:\Users\user\AppData\Local\Temp\nsbF5BA.tmp

C:\Users\user\AppData\Local\Temp\nsk89.tmp\System.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

UDP Packets

DNS Answers

Statistics

Windows Analysis Report
-pdf.bat.exe

Function 00403804 Relevance: 87.9, APIs: 32, Strings: 18, Instructions: 416
stringfilecomCOMMON

Function 00404C33 Relevance: 54.3, APIs: 36, Instructions: 295
windowclipboardmemoryCOMMON

Function 0040682E Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 155
filestringCOMMON

Function 00405095 Relevance: 52.9, APIs: 35, Instructions: 374
windowstringCOMMON

Function 00405B41 Relevance: 42.2, APIs: 13, Strings: 11, Instructions: 225
stringregistryCOMMON

Function 0040154A Relevance: 37.2, APIs: 17, Strings: 4, Instructions: 441
stringtimesleepCOMMON

Function 0040348F Relevance: 24.7, APIs: 5, Strings: 9, Instructions: 200
memoryCOMMON

Function 00405E3D Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 76
stringwindowCOMMON

Function 00405FBD Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 216
stringCOMMON

Function 0040291D Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 166
fileCOMMON

Function 004062B3 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 00406B6B Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 35
COMMON

Function 0040225D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 81
libraryCOMMON

Function 00402656 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 77
registrystringCOMMON

Function 004069FB Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18
libraryloaderCOMMON