Windows Analysis Report
rPO50018137-14_pdf.exe

Overview

General Information

Sample name: rPO50018137-14_pdf.exe
Analysis ID: 1432251
MD5: 7f3495645a47fbe0aed3b69518af96c3
SHA1: 91a01966c9007daed292e9a7fcacc29cac90abe9
SHA256: ebf3c83dc7467d503cf0ad20f47b4042dbefb543eae593e605a17cec9e8f3953
Tags: AgentTeslaexe
Infos:

Detection

AgentTesla, PureLog Stealer, RedLine
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AgentTesla
Yara detected PureLog Stealer
Yara detected RedLine Stealer
.NET source code contains method to dynamically call methods (often used by packers)
Binary is likely a compiled AutoIt script file
C2 URLs / IPs found in malware configuration
Contains functionality to log keystrokes (.Net Source)
Found API chain indicative of sandbox detection
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Installs a global keyboard hook
Machine Learning detection for sample
Maps a DLL or memory area into another process
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to communicate with device drivers
Contains functionality to dynamically determine API calls
Contains functionality to execute programs as a different user
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Contains functionality to modify clipboard data
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
OS version to string mapping found (often used in BOTs)
Potential key logger detected (key state polling based)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name Description Attribution Blogpost URLs Link
Agent Tesla, AgentTesla A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
 https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
Name Description Attribution Blogpost URLs Link
RedLine Stealer RedLine Stealer is a malware available on underground forums for sale apparently as standalone ($100/$150 depending on the version) or also on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, to include details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

AV Detection
barindex
Found malware configuration
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "mail.musabody.com", "Username": "victoria@musabody.com", "Password": "MUSAbody_victoria2018"}
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack Malware Configuration Extractor: RedLine {"C2 url": ["mail.musabody.com"]}
Multi AV Scanner detection for submitted file
Source: rPO50018137-14_pdf.exe ReversingLabs: Detection: 68%
Source: rPO50018137-14_pdf.exe Virustotal: Detection: 55% Perma Link
Machine Learning detection for sample
Source: rPO50018137-14_pdf.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: rPO50018137-14_pdf.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.4515895958.0000000002FFF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4517671411.0000000005850000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4517446317.0000000004401000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: ctsdvwT.exe, 00000003.00000000.2183382928.00000000009B2000.00000002.00000001.01000000.00000007.sdmp, ctsdvwT.exe.2.dr
Source: Binary string: wntdll.pdbUGP source: rPO50018137-14_pdf.exe, 00000000.00000003.2050281568.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, rPO50018137-14_pdf.exe, 00000000.00000003.2050105107.0000000003500000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: rPO50018137-14_pdf.exe, 00000000.00000003.2050281568.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, rPO50018137-14_pdf.exe, 00000000.00000003.2050105107.0000000003500000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: ctsdvwT.exe, 00000003.00000000.2183382928.00000000009B2000.00000002.00000001.01000000.00000007.sdmp, ctsdvwT.exe.2.dr
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004DDBBE
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004AC2A2 FindFirstFileExW, 0_2_004AC2A2
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004E68EE FindFirstFileW,FindClose, 0_2_004E68EE
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_004E698F
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_004DD076
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_004DD3A9
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_004E9642
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_004E979D
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_004E9B2B
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004E5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_004E5C97

Networking
barindex
C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor URLs: mail.musabody.com
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.5:49715 -> 108.167.140.123:587
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.5:49715 -> 108.167.140.123:587
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004ECE44 InternetReadFile,SetEvent,GetLastError,SetEvent, 0_2_004ECE44
Source: global traffic DNS traffic detected: DNS query: mail.musabody.com
Source: RegSvcs.exe, 00000002.00000002.4516804311.0000000003485000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4516804311.0000000003495000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4516804311.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4516804311.000000000349B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://mail.musabody.com
Source: RegSvcs.exe, 00000002.00000002.4515895958.0000000002FFF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4517671411.0000000005850000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4517446317.0000000004401000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4518195790.0000000005910000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://account.dyn.com/

Key, Mouse, Clipboard, Microphone and Screen Capturing
barindex
Contains functionality to log keystrokes (.Net Source)
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, POq2Ux.cs .Net Code: _4H57oeN1J
Installs a global keyboard hook
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Jump to behavior
Contains functionality for read data from the clipboard
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004EEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_004EEAFF
Contains functionality to modify clipboard data
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004EED6A OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,OpenClipboard,EmptyClipboard,SetClipboardData,CloseClipboard, 0_2_004EED6A
Contains functionality to read the clipboard data
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004EEAFF OpenClipboard,IsClipboardFormatAvailable,IsClipboardFormatAvailable,GetClipboardData,CloseClipboard,GlobalLock,CloseClipboard,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,GlobalUnlock,IsClipboardFormatAvailable,GetClipboardData,GlobalLock,DragQueryFileW,DragQueryFileW,DragQueryFileW,GlobalUnlock,CountClipboardFormats,CloseClipboard, 0_2_004EEAFF
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004DAA57 GetKeyboardState,SetKeyboardState,PostMessageW,SendInput, 0_2_004DAA57
Creates a window with clipboard capturing capabilities
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Potential key logger detected (key state polling based)
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_00509576 DefDlgProcW,SendMessageW,GetWindowLongW,SendMessageW,SendMessageW,GetKeyState,GetKeyState,GetKeyState,SendMessageW,GetKeyState,SendMessageW,SendMessageW,SendMessageW,ImageList_SetDragCursorImage,ImageList_BeginDrag,SetCapture,ClientToScreen,ImageList_DragEnter,InvalidateRect,ReleaseCapture,GetCursorPos,ScreenToClient,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,SendMessageW,GetCursorPos,ScreenToClient,GetParent,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,SendMessageW,SendMessageW,ClientToScreen,TrackPopupMenuEx,GetWindowLongW, 0_2_00509576
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BD7F50 GetKeyState,GetKeyState,GetKeyState, 2_2_06BD7F50

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: 2.2.RegSvcs.exe.4406458.4.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 0.2.rPO50018137-14_pdf.exe.1810000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 2.2.RegSvcs.exe.5850ee8.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.4453590.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.4405570.3.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.4453590.5.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5850000.7.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5850ee8.6.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.304011e.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5850000.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.303f236.2.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.304011e.1.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.4406458.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.4405570.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 2.2.RegSvcs.exe.303f236.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000000.00000002.2053515910.0000000001810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.4515158495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects RedLine infostealer Author: ditekSHen
Source: 00000002.00000002.4517671411.0000000005850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 00000002.00000002.4518195790.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Binary is likely a compiled AutoIt script file
Source: rPO50018137-14_pdf.exe String found in binary or memory: This is a third-party compiled AutoIt script.
Source: rPO50018137-14_pdf.exe, 00000000.00000002.2052503296.0000000000532000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: This is a third-party compiled AutoIt script. memstr_aa08bd05-4
Source: rPO50018137-14_pdf.exe, 00000000.00000002.2052503296.0000000000532000.00000002.00000001.01000000.00000003.sdmp String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_cc5ed599-b
Source: rPO50018137-14_pdf.exe String found in binary or memory: This is a third-party compiled AutoIt script. memstr_affd74db-0
Source: rPO50018137-14_pdf.exe String found in binary or memory: AnyArabicArmenianAvestanBalineseBamumBassa_VahBatakBengaliBopomofoBrahmiBrailleBugineseBuhidCCanadian_AboriginalCarianCaucasian_AlbanianCcCfChakmaChamCherokeeCnCoCommonCopticCsCuneiformCypriotCyrillicDeseretDevanagariDuployanEgyptian_HieroglyphsElbasanEthiopicGeorgianGlagoliticGothicGranthaGreekGujaratiGurmukhiHanHangulHanunooHebrewHiraganaImperial_AramaicInheritedInscriptional_PahlaviInscriptional_ParthianJavaneseKaithiKannadaKatakanaKayah_LiKharoshthiKhmerKhojkiKhudawadiLL&LaoLatinLepchaLimbuLinear_ALinear_BLisuLlLmLoLtLuLycianLydianMMahajaniMalayalamMandaicManichaeanMcMeMeetei_MayekMende_KikakuiMeroitic_CursiveMeroitic_HieroglyphsMiaoMnModiMongolianMroMyanmarNNabataeanNdNew_Tai_LueNkoNlNoOghamOl_ChikiOld_ItalicOld_North_ArabianOld_PermicOld_PersianOld_South_ArabianOld_TurkicOriyaOsmanyaPPahawh_HmongPalmyrenePau_Cin_HauPcPdPePfPhags_PaPhoenicianPiPoPsPsalter_PahlaviRejangRunicSSamaritanSaurashtraScSharadaShavianSiddhamSinhalaSkSmSoSora_SompengSundaneseSyloti_NagriSyriacTagalogTagbanwaTai_LeTai_ThamTai_VietTakriTamilTeluguThaanaThaiTibetanTifinaghTirhutaUgariticVaiWarang_CitiXanXpsXspXucXwdYiZZlZpZsSDSOFTWARE\Classes\\CLSID\\\IPC$This is a third-party compiled AutoIt script."runasError allocating memory.SeAssignPrimaryTokenPrivilegeSeIncreaseQuotaPrivilegeSeBackupPrivilegeSeRestorePrivilegewinsta0defaultwinsta0\defaultComboBoxListBoxSHELLDLL_DefViewlargeiconsdetailssmalliconslistCLASSCLASSNNREGEXPCLASSIDNAMEXYWHINSTANCETEXT%s%u%s%dLAST[LASTACTIVE[ACTIVEHANDLE=[HANDLE:REGEXP=[REGEXPTITLE:CLASSNAME=[CLASS:ALL[ALL]HANDLEREGEXPTITLETITLEThumbnailClassAutoIt3GUIContainer memstr_039efdbf-4
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: rPO50018137-14_pdf.exe
Contains functionality to communicate with device drivers
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004DD5EB: CreateFileW,DeviceIoControl,CloseHandle, 0_2_004DD5EB
Contains functionality to launch a process as a different user
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_004D1201
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004DE8F6 ExitWindowsEx,InitiateSystemShutdownExW,SetSystemPowerState, 0_2_004DE8F6
Detected potential crypto function
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_0047BF40 0_2_0047BF40
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004E2046 0_2_004E2046
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_00478060 0_2_00478060
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004D8298 0_2_004D8298
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004AE4FF 0_2_004AE4FF
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004A676B 0_2_004A676B
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_00504873 0_2_00504873
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_0047CAF0 0_2_0047CAF0
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_0049CAA0 0_2_0049CAA0
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_0048CC39 0_2_0048CC39
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004A6DD9 0_2_004A6DD9
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_0048B119 0_2_0048B119
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004791C0 0_2_004791C0
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_00491394 0_2_00491394
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_00491706 0_2_00491706
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_0049781B 0_2_0049781B
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_0048997D 0_2_0048997D
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_00477920 0_2_00477920
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004919B0 0_2_004919B0
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_00497A4A 0_2_00497A4A
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_00491C77 0_2_00491C77
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004C3CD2 0_2_004C3CD2
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_00497CA7 0_2_00497CA7
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004FBE44 0_2_004FBE44
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004A9EEE 0_2_004A9EEE
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_00491F32 0_2_00491F32
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_00B53660 0_2_00B53660
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00408C60 2_2_00408C60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0040DC11 2_2_0040DC11
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00407C3F 2_2_00407C3F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00418CCC 2_2_00418CCC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00406CA0 2_2_00406CA0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004028B0 2_2_004028B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0041A4BE 2_2_0041A4BE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00418244 2_2_00418244
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00401650 2_2_00401650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00402F20 2_2_00402F20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004193C4 2_2_004193C4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00418788 2_2_00418788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00402F89 2_2_00402F89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00402B90 2_2_00402B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004073A0 2_2_004073A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0317CE38 2_2_0317CE38
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0317DA50 2_2_0317DA50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_03170FD0 2_2_03170FD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_031712D8 2_2_031712D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0317D180 2_2_0317D180
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_03171030 2_2_03171030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06A6C2A8 2_2_06A6C2A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06A67BC0 2_2_06A67BC0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06A6B4F8 2_2_06A6B4F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06A64878 2_2_06A64878
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06A6D3B8 2_2_06A6D3B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06A6A4F5 2_2_06A6A4F5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06A60007 2_2_06A60007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06A60040 2_2_06A60040
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06A912DC 2_2_06A912DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06A932B0 2_2_06A932B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BD9360 2_2_06BD9360
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BD58A8 2_2_06BD58A8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BD10D0 2_2_06BD10D0
Found potential string decryption / allocating functions
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: String function: 0040E1D8 appears 44 times
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: String function: 00490A30 appears 46 times
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: String function: 0048F9F2 appears 40 times
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: String function: 00479CB3 appears 31 times
Sample file is different than original file name gathered from version info
Source: rPO50018137-14_pdf.exe, 00000000.00000003.2050715619.00000000037CD000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs rPO50018137-14_pdf.exe
Source: rPO50018137-14_pdf.exe, 00000000.00000002.2053515910.0000000001810000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilename24eacbb4-825a-4768-ad59-21c6c6ffb60d.exe4 vs rPO50018137-14_pdf.exe
Source: rPO50018137-14_pdf.exe, 00000000.00000003.2049230816.0000000003623000.00000004.00001000.00020000.00000000.sdmp Binary or memory string: OriginalFilenamentdll.dllj% vs rPO50018137-14_pdf.exe
Uses 32bit PE files
Source: rPO50018137-14_pdf.exe Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Yara signature match
Source: 2.2.RegSvcs.exe.4406458.4.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 0.2.rPO50018137-14_pdf.exe.1810000.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 2.2.RegSvcs.exe.5850ee8.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.4453590.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.4405570.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.4453590.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5850000.7.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5850ee8.6.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.304011e.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5850000.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.303f236.2.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.304011e.1.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.4406458.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.4405570.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.303f236.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000000.00000002.2053515910.0000000001810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.4515158495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_RedLine snort2_sid = 920072-920073, author = ditekSHen, description = Detects RedLine infostealer, clamav_sig = MALWARE.Win.Trojan.RedLine-1, MALWARE.Win.Trojan.RedLine-2, snort3_sid = 920072-920073
Source: 00000002.00000002.4517671411.0000000005850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 00000002.00000002.4518195790.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, ZTFEpdjP8zw.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, WnRNxU.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, 2njIk.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, I5ElxL.cs Cryptographic APIs: 'CreateDecryptor', 'TransformBlock'
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, QQSiOsa4hPS.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, FdHU4eb83Z7.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs Cryptographic APIs: 'CreateDecryptor'
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, 3VzYbXLJt4.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, 3VzYbXLJt4.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, 3VzYbXLJt4.cs Cryptographic APIs: 'TransformFinalBlock'
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, 3VzYbXLJt4.cs Cryptographic APIs: 'TransformFinalBlock'
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@7/8@1/1
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004E37B5 GetLastError,FormatMessageW, 0_2_004E37B5
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004D10BF AdjustTokenPrivileges,CloseHandle, 0_2_004D10BF
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004D16C3 LookupPrivilegeValueW,AdjustTokenPrivileges,GetLastError, 0_2_004D16C3
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004E51CD SetErrorMode,GetDiskFreeSpaceExW,SetErrorMode, 0_2_004E51CD
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004FA67C CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle, 0_2_004FA67C
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004E648E _wcslen,CoInitialize,CoCreateInstance,CoUninitialize, 0_2_004E648E
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004742A2 CreateStreamOnHGlobal,FindResourceExW,LoadResource,SizeofResource,LockResource, 0_2_004742A2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\ctsdvwT Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5320:120:WilError_03
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe File created: C:\Users\user\AppData\Local\Temp\aut47B0.tmp Jump to behavior
Source: rPO50018137-14_pdf.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: RegSvcs.exe, 00000002.00000002.4516804311.000000000354C000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4516804311.000000000355F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: rPO50018137-14_pdf.exe ReversingLabs: Detection: 68%
Source: rPO50018137-14_pdf.exe Virustotal: Detection: 55%
Source: unknown Process created: C:\Users\user\Desktop\rPO50018137-14_pdf.exe "C:\Users\user\Desktop\rPO50018137-14_pdf.exe"
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rPO50018137-14_pdf.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe "C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe"
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rPO50018137-14_pdf.exe" Jump to behavior
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: mscoree.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: version.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: vcruntime140_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Section loaded: ucrtbase_clr0400.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles Jump to behavior
Source: rPO50018137-14_pdf.exe Static file information: File size 1207808 > 1048576
Source: rPO50018137-14_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: rPO50018137-14_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: rPO50018137-14_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: rPO50018137-14_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: rPO50018137-14_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: rPO50018137-14_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
Source: rPO50018137-14_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: _.pdb source: RegSvcs.exe, 00000002.00000002.4515895958.0000000002FFF000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4517671411.0000000005850000.00000004.08000000.00040000.00000000.sdmp, RegSvcs.exe, 00000002.00000002.4517446317.0000000004401000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb, source: ctsdvwT.exe, 00000003.00000000.2183382928.00000000009B2000.00000002.00000001.01000000.00000007.sdmp, ctsdvwT.exe.2.dr
Source: Binary string: wntdll.pdbUGP source: rPO50018137-14_pdf.exe, 00000000.00000003.2050281568.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, rPO50018137-14_pdf.exe, 00000000.00000003.2050105107.0000000003500000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: wntdll.pdb source: rPO50018137-14_pdf.exe, 00000000.00000003.2050281568.00000000036A0000.00000004.00001000.00020000.00000000.sdmp, rPO50018137-14_pdf.exe, 00000000.00000003.2050105107.0000000003500000.00000004.00001000.00020000.00000000.sdmp
Source: Binary string: RegSvcs.pdb source: ctsdvwT.exe, 00000003.00000000.2183382928.00000000009B2000.00000002.00000001.01000000.00000007.sdmp, ctsdvwT.exe.2.dr
Source: rPO50018137-14_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: rPO50018137-14_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: rPO50018137-14_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: rPO50018137-14_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: rPO50018137-14_pdf.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Data Obfuscation
barindex
.NET source code contains method to dynamically call methods (often used by packers)
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.304011e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.4406458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.4453590.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Source: 2.2.RegSvcs.exe.5850ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs .Net Code: typeof(Marshal).GetMethod("GetDelegateForFunctionPointer", new Type[2]{typeof(IntPtr),typeof(Type)})
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004742DE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_00490A76 push ecx; ret 0_2_00490A89
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0041C40C push cs; iretd 2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00423149 push eax; ret 2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0041C50E push cs; iretd 2_2_0041C4E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004231C8 push eax; ret 2_2_00423179
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0040E21D push ecx; ret 2_2_0040E230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0041C6BE push ebx; ret 2_2_0041C6BF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_03174360 push edx; iretd 2_2_03174363
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_03174392 push ds; iretd 2_2_03174397
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06A970C3 pushfd ; retf 2_2_06A970C5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06A9B981 push es; ret 2_2_06A9B990
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BD36A1 push es; ret 2_2_06BD36B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_06BD31AC push es; retf 2_2_06BD31B4
Source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'g44dtxcbPerR9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.304011e.1.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'g44dtxcbPerR9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.4406458.4.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'g44dtxcbPerR9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.4453590.5.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'g44dtxcbPerR9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Source: 2.2.RegSvcs.exe.5850ee8.6.raw.unpack, WP6RZJql8gZrNhVA9v.cs High entropy of concatenated method names: 'G9skPDgcXb', 'KDikMXewCI', 'B2XkaLi4dH', 'hx5kqNgSj4', 'TVtkAMaqpL', 'VDqkQKyKML', 'g44dtxcbPerR9', 'ab9oDe4UH3', 'TAOohhiP7R', 'zDKosecjaB'
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File created: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctsdvwT Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ctsdvwT Jump to behavior

Hooking and other Techniques for Hiding and Protection
barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe:Zone.Identifier read attributes | delete Jump to behavior
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_0048F98E GetForegroundWindow,FindWindowW,IsIconic,ShowWindow,SetForegroundWindow,GetWindowThreadProcessId,GetWindowThreadProcessId,GetCurrentThreadId,GetWindowThreadProcessId,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput,SetForegroundWindow,MapVirtualKeyW,MapVirtualKeyW,keybd_event,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,MapVirtualKeyW,keybd_event,SetForegroundWindow,AttachThreadInput,AttachThreadInput,AttachThreadInput,AttachThreadInput, 0_2_0048F98E
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_00501C41 IsWindowVisible,IsWindowEnabled,GetForegroundWindow,IsIconic,IsZoomed, 0_2_00501C41
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion
barindex
Found API chain indicative of sandbox detection
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Sandbox detection routine: GetForegroundWindow, DecisionNode, Sleep
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Allocates memory with a write watch (potentially for evading sandboxes)
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Memory allocated: 2990000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Memory allocated: 2B50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Memory allocated: 4B50000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Memory allocated: 2010000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Memory allocated: 2210000 memory reserve | memory write watch Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Memory allocated: 2010000 memory reserve | memory write watch Jump to behavior
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 2_2_004019F0
Contains long sleeps (>= 3 min)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2400000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399827 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399718 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399597 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399460 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399268 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399147 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398593 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398484 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398375 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398265 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398047 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397935 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397828 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397719 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397500 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397390 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397280 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397172 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397062 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396952 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396790 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395464 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395358 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395227 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394968 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394465 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394140 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393484 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393373 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393265 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393047 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2392937 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 3461 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Window / User API: threadDelayed 6390 Jump to behavior
Found large amount of non-executed APIs
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe API coverage: 3.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 6420 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe TID: 2136 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004DDBBE lstrlenW,GetFileAttributesW,FindFirstFileW,FindClose, 0_2_004DDBBE
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004AC2A2 FindFirstFileExW, 0_2_004AC2A2
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004E68EE FindFirstFileW,FindClose, 0_2_004E68EE
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004E698F FindFirstFileW,FindClose,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToLocalFileTime,FileTimeToSystemTime,FileTimeToSystemTime,FileTimeToSystemTime, 0_2_004E698F
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004DD076 FindFirstFileW,DeleteFileW,DeleteFileW,MoveFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_004DD076
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004DD3A9 FindFirstFileW,DeleteFileW,FindNextFileW,FindClose,FindClose, 0_2_004DD3A9
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004E9642 SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,GetFileAttributesW,SetFileAttributesW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_004E9642
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004E979D SetCurrentDirectoryW,FindFirstFileW,FindFirstFileW,FindNextFileW,FindClose,FindFirstFileW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,FindNextFileW,FindClose,FindClose, 0_2_004E979D
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004E9B2B FindFirstFileW,Sleep,FindNextFileW,FindClose, 0_2_004E9B2B
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004E5C97 FindFirstFileW,FindNextFileW,FindClose, 0_2_004E5C97
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004742DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2400000 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399827 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399718 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399597 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399460 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399268 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399147 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2399031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398593 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398484 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398375 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398265 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2398047 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397935 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397828 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397719 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397609 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397500 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397390 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397280 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397172 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2397062 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396952 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2396790 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395464 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395358 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395227 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2395094 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394968 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394859 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394578 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394465 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394359 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394250 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394140 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2394031 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393922 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393812 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393703 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393594 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393484 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393373 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393265 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393156 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2393047 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Thread delayed: delay time: 2392937 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: RegSvcs.exe, 00000002.00000002.4518535394.0000000005D92000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllU
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe API call chain: ExitProcess graph end node
Contains functionality to block mouse and keyboard input (often used to hinder debugging)
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004EEAA2 BlockInput, 0_2_004EEAA2
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004A2622
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004019F0 OleInitialize,_getenv,GetCurrentProcessId,CreateToolhelp32Snapshot,Module32First,CloseHandle,Module32Next,Module32Next,FindCloseChangeNotification,GetModuleHandleA,FindResourceA,LoadResource,LockResource,SizeofResource,_malloc,_memset,SizeofResource,_memset,FreeResource,_malloc,SizeofResource,_memset,LoadLibraryA,GetProcAddress,VariantInit,VariantInit,VariantInit,SafeArrayCreate,SafeArrayAccessData,SafeArrayUnaccessData,SafeArrayDestroy,SafeArrayCreateVector,VariantClear,VariantClear,VariantClear, 2_2_004019F0
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004742DE
Contains functionality to read the PEB
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_00494CE8 mov eax, dword ptr fs:[00000030h] 0_2_00494CE8
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_00B534F0 mov eax, dword ptr fs:[00000030h] 0_2_00B534F0
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_00B53550 mov eax, dword ptr fs:[00000030h] 0_2_00B53550
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_00B51ED0 mov eax, dword ptr fs:[00000030h] 0_2_00B51ED0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_004D0B62
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004A2622 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_004A2622
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_0049083F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_0049083F
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004909D5 SetUnhandledExceptionFilter, 0_2_004909D5
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_00490C21 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 0_2_00490C21
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0040CE09 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0040CE09
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_0040E61C _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 2_2_0040E61C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_00416F6A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 2_2_00416F6A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: 2_2_004123F1 SetUnhandledExceptionFilter, 2_2_004123F1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Maps a DLL or memory area into another process
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Section loaded: NULL target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe protection: execute and read and write Jump to behavior
Writes to foreign memory regions
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 115D008 Jump to behavior
Contains functionality to execute programs as a different user
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004D1201 LogonUserW,DuplicateTokenEx,CloseHandle,OpenWindowStationW,GetProcessWindowStation,SetProcessWindowStation,OpenDesktopW,_wcslen,LoadUserProfileW,CreateEnvironmentBlock,CreateProcessAsUserW,UnloadUserProfile,GetProcessHeap,HeapFree,CloseWindowStation,CloseDesktop,SetProcessWindowStation,CloseHandle,DestroyEnvironmentBlock, 0_2_004D1201
Contains functionality to launch a program with higher privileges
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004B2BA5 SetCurrentDirectoryW,GetForegroundWindow,ShellExecuteW, 0_2_004B2BA5
Contains functionality to simulate keystroke presses
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004DB226 SendInput,keybd_event, 0_2_004DB226
Contains functionality to simulate mouse events
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004F22DA GetForegroundWindow,GetDesktopWindow,GetWindowRect,mouse_event,GetCursorPos,mouse_event, 0_2_004F22DA
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Users\user\Desktop\rPO50018137-14_pdf.exe" Jump to behavior
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004D0B62 GetSecurityDescriptorDacl,GetAclInformation,GetLengthSid,GetLengthSid,GetAce,AddAce,GetLengthSid,GetProcessHeap,HeapAlloc,GetLengthSid,CopySid,AddAce,SetSecurityDescriptorDacl,SetUserObjectSecurity,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree, 0_2_004D0B62
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004D1663 AllocateAndInitializeSid,CheckTokenMembership,FreeSid, 0_2_004D1663
Source: rPO50018137-14_pdf.exe Binary or memory string: Run Script:AutoIt script files (*.au3, *.a3x)*.au3;*.a3xAll files (*.*)*.*au3#include depth exceeded. Make sure there are no recursive includesError opening the file>>>AUTOIT SCRIPT<<<Bad directive syntax errorUnterminated stringCannot parse #includeUnterminated group of commentsONOFF0%d%dShell_TrayWndREMOVEKEYSEXISTSAPPENDblankinfoquestionstopwarning
Source: RegSvcs.exe, 00000002.00000002.4516804311.0000000003465000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $eq><b>[ Program Manager]</b> (27/04/2024 08:39:36)<br>{Win}r{Win}THjq
Source: RegSvcs.exe, 00000002.00000002.4516804311.0000000003465000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000002.00000002.4516804311.0000000003465000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLReq
Source: rPO50018137-14_pdf.exe Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000002.00000002.4516804311.0000000003465000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $eq?<b>[ Program Manager]</b> (27/04/2024 08:39:36)<br>{Win}r{Win}rTHjq
Source: RegSvcs.exe, 00000002.00000002.4516804311.0000000003465000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $eq8<b>[ Program Manager]</b> (27/04/2024 08:39:36)<br>{Win}THjq
Source: RegSvcs.exe, 00000002.00000002.4516804311.0000000003465000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $eq9<b>[ Program Manager]</b> (27/04/2024 08:39:36)<br>{Win}rTHjq
Source: RegSvcs.exe, 00000002.00000002.4516804311.0000000003471000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Time: 06/23/2024 11:56:08<br>User Name: user<br>Computer Name: 019635<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br><hr><b>[ Program Manager]</b> (27/04/2024 08:39:36)<br>{Win}r{Win}r
Source: RegSvcs.exe, 00000002.00000002.4516804311.0000000003465000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $eq3<b>[ Program Manager]</b> (27/04/2024 08:39:36)<br>
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_00490698 cpuid 0_2_00490698
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Code function: GetLocaleInfoA, 2_2_00417A20
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Roaming\ctsdvwT\ctsdvwT.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.EnterpriseServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004E8195 GetLocalTime,SystemTimeToFileTime,LocalFileTimeToFileTime,GetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW,SetCurrentDirectoryW, 0_2_004E8195
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004CD27A GetUserNameW, 0_2_004CD27A
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004AB952 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free, 0_2_004AB952
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004742DE GetVersionExW,GetCurrentProcess,IsWow64Process,LoadLibraryA,GetProcAddress,GetNativeSystemInfo,FreeLibrary,GetSystemInfo,GetSystemInfo, 0_2_004742DE
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information
barindex
Yara detected AgentTesla
Source: Yara match File source: 2.2.RegSvcs.exe.4406458.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4453590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4405570.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4453590.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850ee8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.304011e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.303f236.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4406458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.304011e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4405570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.303f236.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4517671411.0000000005850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4518195790.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4515895958.0000000002FFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4517446317.0000000004401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5304, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 2.2.RegSvcs.exe.4406458.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4453590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4405570.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4453590.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850ee8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.304011e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.303f236.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4406458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.304011e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4405570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.303f236.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4517671411.0000000005850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4518195790.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4515895958.0000000002FFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4517446317.0000000004401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPO50018137-14_pdf.exe.1810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2053515910.0000000001810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4515158495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini Jump to behavior
Tries to steal Mail credentials (via file / registry access)
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities Jump to behavior
OS version to string mapping found (often used in BOTs)
Source: rPO50018137-14_pdf.exe Binary or memory string: WIN_81
Source: rPO50018137-14_pdf.exe Binary or memory string: WIN_XP
Source: rPO50018137-14_pdf.exe Binary or memory string: %.3d%S%M%H%m%Y%jX86IA64X64WIN32_NTWIN_11WIN_10WIN_2022WIN_2019WIN_2016WIN_81WIN_2012R2WIN_2012WIN_8WIN_2008R2WIN_7WIN_2008WIN_VISTAWIN_2003WIN_XPeWIN_XPInstallLanguageSYSTEM\CurrentControlSet\Control\Nls\LanguageSchemeLangIDControl Panel\AppearanceUSERPROFILEUSERDOMAINUSERDNSDOMAINGetSystemWow64DirectoryWSeDebugPrivilege:winapistdcallubyte64HKEY_LOCAL_MACHINEHKLMHKEY_CLASSES_ROOTHKCRHKEY_CURRENT_CONFIGHKCCHKEY_CURRENT_USERHKCUHKEY_USERSHKUREG_EXPAND_SZREG_SZREG_MULTI_SZREG_DWORDREG_QWORDREG_BINARYRegDeleteKeyExWadvapi32.dll+.-.\\[\\nrt]|%%|%[-+ 0#]?([0-9]*|\*)?(\.[0-9]*|\.\*)?[hlL]?[diouxXeEfgGs](*UCP)\XISVISIBLEISENABLEDTABLEFTTABRIGHTCURRENTTABSHOWDROPDOWNHIDEDROPDOWNADDSTRINGDELSTRINGFINDSTRINGGETCOUNTSETCURRENTSELECTIONGETCURRENTSELECTIONSELECTSTRINGISCHECKEDCHECKUNCHECKGETSELECTEDGETLINECOUNTGETCURRENTLINEGETCURRENTCOLEDITPASTEGETLINESENDCOMMANDIDGETITEMCOUNTGETSUBITEMCOUNTGETTEXTGETSELECTEDCOUNTISSELECTEDSELECTALLSELECTCLEARSELECTINVERTDESELECTFINDITEMVIEWCHANGEGETTOTALCOUNTCOLLAPSEEXPANDmsctls_statusbar321tooltips_class32%d/%02d/%02dbuttonComboboxListboxSysDateTimePick32SysMonthCal32.icl.exe.dllMsctls_Progress32msctls_trackbar32SysAnimate32msctls_updown32SysTabControl32SysTreeView32SysListView32-----@GUI_DRAGID@GUI_DROPID@GUI_DRAGFILEError text not found (please report)Q\EDEFINEUTF16)UTF)UCP)NO_AUTO_POSSESS)NO_START_OPT)LIMIT_MATCH=LIMIT_RECURSION=CR)LF)CRLF)ANY)ANYCRLF)BSR_ANYCRLF)BSR_UNICODE)argument is not a compiled regular expressionargument not compiled in 16 bit modeinternal error: opcode not recognizedinternal error: missing capturing bracketfailed to get memory
Source: rPO50018137-14_pdf.exe Binary or memory string: WIN_XPe
Source: rPO50018137-14_pdf.exe Binary or memory string: WIN_VISTA
Source: rPO50018137-14_pdf.exe Binary or memory string: WIN_7
Source: rPO50018137-14_pdf.exe Binary or memory string: WIN_8
Yara detected Credential Stealer
Source: Yara match File source: 2.2.RegSvcs.exe.4406458.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4453590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4405570.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4453590.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850ee8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.304011e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.303f236.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4406458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.304011e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4405570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.303f236.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4517671411.0000000005850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4518195790.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4515895958.0000000002FFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4517446317.0000000004401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4516804311.0000000003401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5304, type: MEMORYSTR

Remote Access Functionality
barindex
Yara detected AgentTesla
Source: Yara match File source: 2.2.RegSvcs.exe.4406458.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4453590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4405570.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4453590.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850ee8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.304011e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.303f236.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4406458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.304011e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4405570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.303f236.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4517671411.0000000005850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4518195790.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4515895958.0000000002FFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4517446317.0000000004401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegSvcs.exe PID: 5304, type: MEMORYSTR
Yara detected PureLog Stealer
Source: Yara match File source: 2.2.RegSvcs.exe.4406458.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850ee8.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4453590.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4405570.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4453590.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850ee8.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5910000.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.304011e.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5850000.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.303f236.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4406458.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.304011e.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.5910000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.4405570.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.303f236.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.4517671411.0000000005850000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4518195790.0000000005910000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4515895958.0000000002FFF000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4517446317.0000000004401000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Yara detected RedLine Stealer
Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 2.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.rPO50018137-14_pdf.exe.1810000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2053515910.0000000001810000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.4515158495.0000000000400000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004F1204 socket,WSAGetLastError,bind,WSAGetLastError,closesocket,listen,WSAGetLastError,closesocket, 0_2_004F1204
Source: C:\Users\user\Desktop\rPO50018137-14_pdf.exe Code function: 0_2_004F1806 socket,WSAGetLastError,bind,WSAGetLastError,closesocket, 0_2_004F1806
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1432251 Sample: rPO50018137-14_pdf.exe Startdate: 26/04/2024 Architecture: WINDOWS Score: 100 25 mail.musabody.com 2->25 37 Found malware configuration 2->37 39 Malicious sample detected (through community Yara rule) 2->39 41 Multi AV Scanner detection for submitted file 2->41 43 9 other signatures 2->43 7 rPO50018137-14_pdf.exe 4 2->7         started        10 ctsdvwT.exe 2 2->10         started        12 ctsdvwT.exe 1 2->12         started        signatures3 process4 signatures5 45 Binary is likely a compiled AutoIt script file 7->45 47 Found API chain indicative of sandbox detection 7->47 49 Writes to foreign memory regions 7->49 51 Maps a DLL or memory area into another process 7->51 14 RegSvcs.exe 1 4 7->14         started        19 conhost.exe 10->19         started        21 conhost.exe 12->21         started        process6 dnsIp7 27 mail.musabody.com 108.167.140.123, 587 UNIFIEDLAYER-AS-1US United States 14->27 23 C:\Users\user\AppData\Roaming\...\ctsdvwT.exe, PE32 14->23 dropped 29 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 14->29 31 Tries to steal Mail credentials (via file / registry access) 14->31 33 Tries to harvest and steal browser information (history, passwords, etc) 14->33 35 2 other signatures 14->35 file8 signatures9
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
108.167.140.123
 mail.musabody.com United States
46606 UNIFIEDLAYER-AS-1US true

Contacted Domains

Name IP Active
mail.musabody.com 108.167.140.123 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
mail.musabody.com true
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
 unknown