
Analysis Report Ref 0180066743.PDF.bat

Overview

General Information

Sample Name: Ref 0180066743.PDF.bat (renamed file extension from bat to exe)
Analysis ID: 255471
MD5: b8f7976a9643bc6b2ec50cadc3b3b7a2
SHA1: 0e4506900b62431bd0ee840ef956270416394a0b
SHA256: 86de94484346c6fefa6b2baa70af6e34cc91d845bd995640face3b580db9b07d

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Suspicious Double Extension
Yara detected AgentTesla
Yara detected AntiVM_3
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign process
Machine Learning detection for sample
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Enables debug privileges
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file name differs from the original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Startup

  • System is w10x64
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "cCbuEO", "URL: ": "http://uc83IUNpl1hxfE.com", "To: ": "droidx@emifarma.com", "ByHost: ": "mail.emifarma.com:587", "Password: ": "cbbhj3j", "From: ": "droidx@emifarma.com"}

Yara Overview

Initial Sample

Source | Rule | Description | Author | Strings
Ref 0180066743.PDF.exe | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth | 0x7653e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Memory Dumps

Source | Rule | Description | Author | Strings
00000001.00000002.231304970.00000000001D2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth | 0x7633e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000000.00000002.232819226.0000000000532000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth | 0x7633e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000001.00000000.230999597.00000000001D2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth | 0x7633e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000002.00000002.484660334.0000000000FC2000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth | 0x7633e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
00000000.00000000.215856686.0000000000532000.00000002.00020000.sdmp | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth | 0x7633e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Unpacked PEs

Source | Rule | Description | Author | Strings
1.0.Ref 0180066743.PDF.exe.1d0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth | 0x7653e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
2.2.Ref 0180066743.PDF.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security | (none)
1.2.Ref 0180066743.PDF.exe.1d0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth | 0x7653e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
2.0.Ref 0180066743.PDF.exe.fc0000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth | 0x7653e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV
0.2.Ref 0180066743.PDF.exe.530000.0.unpack | SUSP_Reversed_Base64_Encoded_EXE | Detects an base64 encoded executable with reversed characters | Florian Roth | 0x7653e:$sh3: uUGZv1GIT9ERg4Wag4WdyBSZiBCdv5mbhNGItFmcn9mcwBycphGV

Sigma Overview

System Summary:

Sigma detected: Suspicious Double Extension
Source: Process started
Author: Florian Roth (rule), @blu3_team (idea)
Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Ref 0180066743.PDF.exe, NewProcessName: C:\Users\user\Desktop\Ref 0180066743.PDF.exe, OriginalFileName: C:\Users\user\Desktop\Ref 0180066743.PDF.exe, ParentCommandLine: 'C:\Users\user\Desktop\Ref 0180066743.PDF.exe' , ParentImage: C:\Users\user\Desktop\Ref 0180066743.PDF.exe, ParentProcessId: 5052, ProcessCommandLine: {path}, ProcessId: 6072

Signature Overview

AV Detection:

Found malware configuration
Source: Ref 0180066743.PDF.exe.6056.2.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "cCbuEO", "URL: ": "http://uc83IUNpl1hxfE.com", "To: ": "droidx@emifarma.com", "ByHost: ": "mail.emifarma.com:587", "Password: ": "cbbhj3j", "From: ": "droidx@emifarma.com"}
Machine Learning detection for sample
Source: Ref 0180066743.PDF.exe | Joe Sandbox ML: detected
Source: global traffic | TCP traffic: 192.168.2.4:49699 -> 162.241.60.204:587
Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Code function: 2_2_01A9A09A recv, 2_2_01A9A09A
Source: unknown | DNS traffic detected: queries for: mail.emifarma.com

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: Ref 0180066743.PDF.exe
Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Code function: 0_2_06160F02 NtQuerySystemInformation, 0_2_06160F02
Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Code function: 0_2_06160EC7 NtQuerySystemInformation, 0_2_06160EC7
Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Code function: 2_2_01A9B362 NtQuerySystemInformation, 2_2_01A9B362
Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Code function: 2_2_01A9B331 NtQuerySystemInformation, 2_2_01A9B331
Source: Ref 0180066743.PDF.exe, 00000000.00000002.234916135.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSparta.dll. vs Ref 0180066743.PDF.exe
Source: Ref 0180066743.PDF.exe, 00000000.00000002.232913712.00000000005AA000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameqmuyy.exe2 vs Ref 0180066743.PDF.exe
Source: Ref 0180066743.PDF.exe, 00000000.00000002.241532618.0000000008520000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLoreal.exe4 vs Ref 0180066743.PDF.exe
Source: Ref 0180066743.PDF.exe, 00000000.00000002.235000408.0000000002BEC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameaWtSsebFKIHqTdICMcrAmkmwDJkBctWuuooJ.exe4 vs Ref 0180066743.PDF.exe
Source: Ref 0180066743.PDF.exe, 00000000.00000002.241130751.0000000008310000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Ref 0180066743.PDF.exe
Source: Ref 0180066743.PDF.exe, 00000001.00000002.231356927.000000000024A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameqmuyy.exe2 vs Ref 0180066743.PDF.exe
Source: Ref 0180066743.PDF.exe, 00000002.00000002.490781305.0000000005E20000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewbemdisp.tlbj% vs Ref 0180066743.PDF.exe
Source: Ref 0180066743.PDF.exe, 00000002.00000002.484879530.000000000103A000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenameqmuyy.exe2 vs Ref 0180066743.PDF.exe
Source: Ref 0180066743.PDF.exe, 00000002.00000002.491507900.0000000006450000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs Ref 0180066743.PDF.exe
Source: Ref 0180066743.PDF.exe, 00000002.00000002.490809887.0000000005E30000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs Ref 0180066743.PDF.exe
Source: Ref 0180066743.PDF.exe, 00000002.00000002.491413563.00000000063D0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx vs Ref 0180066743.PDF.exe
Source: Ref 0180066743.PDF.exe, 00000002.00000002.484512623.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenameaWtSsebFKIHqTdICMcrAmkmwDJkBctWuuooJ.exe4 vs Ref 0180066743.PDF.exe
Source: Ref 0180066743.PDF.exe, 00000002.00000002.491432932.00000000063E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs Ref 0180066743.PDF.exe
Source: Ref 0180066743.PDF.exe | Binary or memory string: OriginalFilenameqmuyy.exe2 vs Ref 0180066743.PDF.exe
Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Section loaded: security.dll
Source: Ref 0180066743.PDF.exe, type: SAMPLE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000001.00000002.231304970.00000000001D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000002.232819226.0000000000532000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000001.00000000.230999597.00000000001D2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000002.00000002.484660334.0000000000FC2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000000.00000000.215856686.0000000000532000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 00000002.00000000.231934239.0000000000FC2000.00000002.00020000.sdmp, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: Ref 0180066743.PDF.exe PID: 5052, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: Ref 0180066743.PDF.exe PID: 6056, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: Process Memory Space: Ref 0180066743.PDF.exe PID: 6072, type: MEMORY | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 1.0.Ref 0180066743.PDF.exe.1d0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 1.2.Ref 0180066743.PDF.exe.1d0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
Source: 2.0.Ref 0180066743.PDF.exe.fc0000.0.unpack, type: UNPACKEDPE | Matched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 0.2.Ref 0180066743.PDF.exe.530000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 2.2.Ref 0180066743.PDF.exe.fc0000.1.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
    Source: 0.0.Ref 0180066743.PDF.exe.530000.0.unpack, type: UNPACKEDPEMatched rule: SUSP_Reversed_Base64_Encoded_EXE date = 2020-04-06, hash1 = 7e6d9a5d3b26fd1af7d58be68f524c4c55285b78304a65ec43073b139c9407a8, author = Florian Roth, description = Detects an base64 encoded executable with reversed characters, reference = Internal Research, score = file
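The rule above fires on a base64-encoded executable whose characters were written backwards, a cheap trick for hiding an embedded PE from plain base64 or "MZ"/"TVqQ" string searches. The scanner below is an added example, written for this report and not part of the report or of the rule's author's code: it does not reproduce the rule's own strings (which the page does not show) but demonstrates the same idea in Python. It finds long base64-alphabet runs in a buffer, un-reverses each one, decodes the unambiguous prefix, and checks for a DOS header whose e_lfanew points at a "PE\0\0" signature. The sample PE stub and the surrounding dump bytes are constructed for the example.

```python
"""Scan a memory dump for a base64-encoded PE whose characters were reversed."""
import base64
import binascii
import re
import struct

# Runs of base64 alphabet long enough to hold at least a DOS header (64 bytes -> 88 chars).
B64_RUN = re.compile(rb"[A-Za-z0-9+/=]{88,}")


def build_min_pe() -> bytes:
    """Constructed stand-in for an executable: DOS header with e_lfanew pointing at a PE signature."""
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                           # e_lfanew = offset of "PE\0\0"
    coff = struct.pack("<HHIIIHH", 0x014C, 1, 0, 0, 0, 0xE0, 0x0102)  # IMAGE_FILE_HEADER, i386
    return bytes(dos) + b"PE\0\0" + coff + b"\0" * 34                # 122 bytes -> base64 ends in one '='


def looks_like_pe(data: bytes) -> bool:
    """True when data starts with an MZ header whose e_lfanew lands on a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def decode_prefix(b64: bytes) -> bytes:
    """Decode as much of a base64 run as is unambiguous: stop at the first '=' (padding, or
    trailing junk after it) and drop a partial final quartet."""
    pad = b64.find(b"=")
    if pad != -1:
        b64 = b64[:pad]
    b64 = b64[: len(b64) - len(b64) % 4]
    if not b64:
        return b""
    try:
        return base64.b64decode(b64, validate=True)
    except binascii.Error:
        return b""


def find_reversed_b64_pe(buf: bytes):
    """Return [(offset, decoded_bytes)] for every reversed-base64 run that decodes to a PE header."""
    hits = []
    for m in B64_RUN.finditer(buf):
        decoded = decode_prefix(m.group()[::-1])  # undo the reversal, then decode
        if looks_like_pe(decoded):
            hits.append((m.start(), decoded))
    return hits


# Constructed sample data: the stub, its reversed base64 form, and a dump that embeds it
# between bytes outside the base64 alphabet so the run boundaries are exact.
SAMPLE_PE = build_min_pe()
FORWARD_B64 = base64.b64encode(SAMPLE_PE)
REVERSED_B64 = FORWARD_B64[::-1]
SAMPLE_DUMP = b"\x00" * 16 + b"payload: " + REVERSED_B64 + b"\r\n" + b"\xff" * 8

if __name__ == "__main__":
    for off, pe in find_reversed_b64_pe(SAMPLE_DUMP):
        print(f"reversed base64 PE at offset {off}: {len(pe)} bytes decoded, magic {pe[:2]!r}")
```

A forward (non-reversed) base64 PE is deliberately not reported by this scanner: after reversal its padding sits at the front, so `decode_prefix` yields nothing. Pair it with an ordinary base64 PE check if you want both orientations covered.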
    Source: Ref 0180066743.PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
    Source: 2.2.Ref 0180066743.PDF.exe.400000.0.unpack, wro.cs | Cryptographic APIs: 'TransformFinalBlock'
    Source: 2.2.Ref 0180066743.PDF.exe.400000.0.unpack, wro.cs | Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
    Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@5/1@1/1
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Code function: 0_2_061609FA AdjustTokenPrivileges,0_2_061609FA
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Code function: 0_2_061609C3 AdjustTokenPrivileges,0_2_061609C3
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Code function: 2_2_01A9B1E6 AdjustTokenPrivileges,2_2_01A9B1E6
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Code function: 2_2_01A9B1AF AdjustTokenPrivileges,2_2_01A9B1AF
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | File created: C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\Ref 0180066743.PDF.exe.log
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | File read: C:\Windows\System32\drivers\etc\hosts
    Source: unknown | Process created: C:\Users\user\Desktop\Ref 0180066743.PDF.exe 'C:\Users\user\Desktop\Ref 0180066743.PDF.exe'
    Source: unknown | Process created: C:\Users\user\Desktop\Ref 0180066743.PDF.exe {path}
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Process created: C:\Users\user\Desktop\Ref 0180066743.PDF.exe {path}
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
    Source: Ref 0180066743.PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
    Source: Ref 0180066743.PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
    Source: Binary string: mscorrc.pdb source: Ref 0180066743.PDF.exe, 00000000.00000002.241130751.0000000008310000.00000002.00000001.sdmp, Ref 0180066743.PDF.exe, 00000002.00000002.491507900.0000000006450000.00000002.00000001.sdmp
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Code function: 0_2_00F80F0C push 24011859h; iretd 0_2_00F80F15
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Code function: 0_2_00F80F84 push 27001959h; iretd 0_2_00F80F95
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Code function: 2_2_0637549C push FFFFFF8Bh; retf 2_2_063754A3
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Code function: 2_2_0637128E push es; iretd 2_2_06371294
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Code function: 2_2_06372971 push es; ret 2_2_06372984
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Code function: 2_2_06371396 push ebx; iretd 2_2_06371397
    Source: initial sample | Static PE information: section name: .text entropy: 7.92840494608

    Hooking and other Techniques for Hiding and Protection:

    Uses an obfuscated file name to hide its real file extension (double extension)
    Source: Possible double extension: pdf.exe | Static PE information: Ref 0180066743.PDF.exe
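The "pdf.exe" finding works because Windows Explorer hides the final, known extension by default, so the victim sees "Ref 0180066743.PDF". The check below is an added example for this report, not code from the sandbox or from the Sigma rule it cites: it classifies a file name as a suspicious double extension when the true (last) extension is executable and the token before it is a document or image extension a user would trust, and it shows what the name looks like with extensions hidden. The extension sets are an illustrative subset chosen for the example, and the file names tested are constructed.

```python
"""Flag PDF.exe-style double extensions and show what Explorer displays with extensions hidden."""
import os
import re
from typing import List, Optional, Tuple

# Illustrative extension sets (assumption: chosen for this example, not the Sigma rule's own lists).
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "vbs", "vbe", "js", "jse", "wsf", "hta", "ps1", "msi"}
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "rtf", "txt", "jpg", "jpeg", "png", "gif", "zip"}


def _tokens(filename: str) -> List[str]:
    """Split the base name on dots and on whitespace runs; 'Invoice.pdf      .exe' uses
    padding to push the real extension out of a narrow file-list column."""
    base = os.path.basename(filename.replace("\\", "/")).strip()
    return [t for t in re.split(r"[.\s]+", base) if t]


def suspicious_double_extension(filename: str) -> Optional[Tuple[str, str]]:
    """Return (decoy_ext, real_ext) when the true extension is executable and the token before
    it is a document/image extension; None for ordinary names such as archive.tar.gz."""
    parts = _tokens(filename)
    if len(parts) < 3:
        return None
    real, decoy = parts[-1].lower(), parts[-2].lower()
    if real in EXECUTABLE_EXTS and decoy in DECOY_EXTS:
        return decoy, real
    return None


def displayed_name(filename: str, hide_known_extensions: bool = True) -> str:
    """What the user sees: with 'Hide extensions for known file types' on, the final
    extension disappears and only the decoy remains visible."""
    base = os.path.basename(filename.replace("\\", "/"))
    stem, ext = os.path.splitext(base)
    return stem if hide_known_extensions and ext else base


if __name__ == "__main__":
    # Constructed file names for the example.
    for name in ("C:\\Users\\user\\Desktop\\Ref 0180066743.PDF.exe", "invoice.pdf            .scr", "archive.tar.gz"):
        print(f"{displayed_name(name)!r:45} -> {suspicious_double_extension(name)}")
```

Run this against process-creation or file-write telemetry (Image, TargetFilename) rather than only against the sample on disk; the decoy token is lower-cased so "PDF" and "pdf" are treated alike.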
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Process information set: NOOPENFILEERRORBOX (identical entry repeated 87 times in the report)

    Malware Analysis System Evasion:

    Yara detected AntiVM_3
    Source: Yara match | File source: Process Memory Space: Ref 0180066743.PDF.exe PID: 5052, type: MEMORY
    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
    Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
    Source: Ref 0180066743.PDF.exe, 00000000.00000002.234916135.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
    Source: Ref 0180066743.PDF.exe, 00000000.00000002.234916135.0000000002B91000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
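The WMI queries (Win32_BaseBoard, Win32_NetworkAdapterConfiguration, Win32_Processor) and the SBIEDLL.DLL / WINE_GET_UNIX_FILE_NAME strings are the raw material of a virtualisation and sandbox check: board and BIOS vendor strings name the hypervisor, adapter MAC prefixes belong to hypervisor vendors, SbieDll.dll is loaded into every Sandboxie-supervised process, and a kernel32 that exports wine_get_unix_file_name is Wine's. The classifier below is an added example written for this report, not code from the sample or the sandbox. It runs offline over constructed records shaped like the WMI rows and process state the sample inspects; the marker strings, the OUI table and the module name list are an illustrative subset chosen for the example, not an exhaustive one.

```python
"""Classify a host as VM/sandbox from the artefacts the sample queries."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Illustrative subset of hypervisor/sandbox identifiers (assumption: chosen for the example).
VM_BOARD_MARKERS = ("vmware", "virtualbox", "innotek", "virtual machine", "qemu", "bochs")
VM_MAC_OUIS = {  # first three octets of the MAC, registered to hypervisor vendors
    "00:05:69": "VMware", "00:0C:29": "VMware", "00:1C:14": "VMware", "00:50:56": "VMware",
    "08:00:27": "VirtualBox", "00:15:5D": "Hyper-V", "52:54:00": "QEMU/KVM", "00:16:3E": "Xen",
}
SANDBOX_MODULES = {"sbiedll.dll": "Sandboxie"}
WINE_EXPORTS = {"wine_get_unix_file_name"}


@dataclass
class HostSnapshot:
    """Fields mirror the WMI classes and process state the sample inspects."""
    baseboard: Dict[str, str] = field(default_factory=dict)        # Win32_BaseBoard properties
    bios: Dict[str, str] = field(default_factory=dict)             # Win32_BIOS properties
    adapters: List[Dict[str, Optional[str]]] = field(default_factory=list)  # Win32_NetworkAdapterConfiguration rows
    loaded_modules: List[str] = field(default_factory=list)        # module paths mapped in the process
    kernel32_exports: List[str] = field(default_factory=list)      # export names found in kernel32


def normalize_mac(mac: Optional[str]) -> Optional[str]:
    """Accept '00-0C-29-..' or '00:0c:29:..'; disabled adapters report no MAC at all."""
    if not mac:
        return None
    digits = "".join(ch for ch in mac if ch.isalnum()).upper()
    if len(digits) != 12:
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def fingerprint(snap: HostSnapshot) -> List[str]:
    """Return one reason per artefact that points at a VM or sandbox; empty means none found."""
    reasons: List[str] = []
    for cls, rec in (("Win32_BaseBoard", snap.baseboard), ("Win32_BIOS", snap.bios)):
        text = " ".join(str(v) for v in rec.values()).lower()
        hit = next((m for m in VM_BOARD_MARKERS if m in text), None)
        if hit:
            reasons.append(f"{cls} mentions '{hit}'")
    for row in snap.adapters:
        mac = normalize_mac(row.get("MACAddress"))
        if mac and mac[:8] in VM_MAC_OUIS:
            reasons.append(f"MAC OUI {mac[:8]} belongs to {VM_MAC_OUIS[mac[:8]]}")
    for path in snap.loaded_modules:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in SANDBOX_MODULES:
            reasons.append(f"module {name} loaded ({SANDBOX_MODULES[name]})")
    if any(e.lower() in WINE_EXPORTS for e in snap.kernel32_exports):
        reasons.append("kernel32 exports wine_get_unix_file_name (Wine)")
    return reasons


# Constructed snapshots for the example (not data taken from the analysed sample).
VBOX_GUEST = HostSnapshot(
    baseboard={"Manufacturer": "Oracle Corporation", "Product": "VirtualBox", "Version": "1.2"},
    bios={"Manufacturer": "innotek GmbH", "SMBIOSBIOSVersion": "VirtualBox"},
    adapters=[{"MACAddress": "08:00:27:12:34:56"}, {"MACAddress": None}],
    loaded_modules=["C:\\Program Files\\Sandboxie\\SbieDll.dll"],
)
BARE_METAL = HostSnapshot(
    baseboard={"Manufacturer": "ASUSTeK COMPUTER INC.", "Product": "PRIME Z390-A"},
    bios={"Manufacturer": "American Megatrends Inc.", "SMBIOSBIOSVersion": "1401"},
    adapters=[{"MACAddress": "3C-7C-3F-AA-BB-CC"}],
    kernel32_exports=["CreateFileW", "GetProcAddress"],
)

if __name__ == "__main__":
    for label, snap in (("vbox", VBOX_GUEST), ("metal", BARE_METAL)):
        print(label, fingerprint(snap) or ["no virtualisation artefacts"])
```

Read the other way round, the same table tells an analyst what to scrub from a sandbox image: board and BIOS strings, adapter OUIs and the Sandboxie module are exactly the fields this sample reads before deciding whether to run its payload.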
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Thread delayed: delay time: 922337203685477 (identical entry repeated 3 times in the report)
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe | Thread sleep time, by thread (every value listed satisfies the report's >= -30000s threshold, in the report's own notation):
    TID 2116: -41000s
    TID 5044: -922337203685477s
    TID 4808: -922337203685477s
    TID 4520: -922337203685477s, -30000s, -88641s, -58906s, -58720s, -58220s, -87000s, -57812s, -86391s, -56906s, -56720s, -56500s, -55812s, -111188s, -55220s, -55000s, -54720s, -109000s, -54312s, -54094s, -53406s, -53220s, -79500s, -52594s, -52312s, -78141s, -51720s, -51500s, -76500s, -50812s, -75891s, -49720s, -74250s, -49094s, -48812s, -97188s, -48406s, -48220s, -47720s, -95000s, -70923s, -47094s, -46220s, -46000s, -45720s, -68250s, -45312s, -67641s, -44906s, -44720s, -44406s, -44220s, -44000s, -65391s, -43312s, -64641s, -42906s, -42720s, -63750s, -42220s, -63000s, -41220s, -40906s, -40720s, -81000s, -40312s, -60141s, -59391s, -39406s, -57750s, -38312s, -76188s, -37220s, -34312s, -51141s, -49500s, -31906s, -31720s, -30812s, -45891s, -39000s, -35391s, -57094s, -56000s, -53594s, -52500s, -46594s, -62391s, -37000s, -36094s, -35000s, -31094s, -30000s, -57782s, -56908s, -56688s, -53408s, -51908s, -50782s, -49908s, -49688s, -48408s, -46408s, -46188s, -42688s, -41408s, -40282s, -39408s
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exe TID: 4520Thread sleep time: -39188s >= -30000sJump to behavior
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exeLast function: Thread delayed
    Source: Ref 0180066743.PDF.exe, 00000002.00000002.490809887.0000000005E30000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
    Source: Ref 0180066743.PDF.exe, 00000000.00000002.234916135.0000000002B91000.00000004.00000001.sdmpBinary or memory string: vmware
    Source: Ref 0180066743.PDF.exe, 00000000.00000002.234916135.0000000002B91000.00000004.00000001.sdmpBinary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: Ref 0180066743.PDF.exe, 00000000.00000002.234916135.0000000002B91000.00000004.00000001.sdmpBinary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
    Source: Ref 0180066743.PDF.exe, 00000000.00000002.234916135.0000000002B91000.00000004.00000001.sdmpBinary or memory string: VMWARE
    Source: Ref 0180066743.PDF.exe, 00000000.00000002.234916135.0000000002B91000.00000004.00000001.sdmpBinary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
    Source: Ref 0180066743.PDF.exe, 00000002.00000002.490809887.0000000005E30000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
    Source: Ref 0180066743.PDF.exe, 00000002.00000002.490809887.0000000005E30000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
    Source: Ref 0180066743.PDF.exe, 00000000.00000002.234916135.0000000002B91000.00000004.00000001.sdmpBinary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
    Source: Ref 0180066743.PDF.exe, 00000000.00000002.234916135.0000000002B91000.00000004.00000001.sdmpBinary or memory string: VMware SVGA II
    Source: Ref 0180066743.PDF.exe, 00000000.00000002.234916135.0000000002B91000.00000004.00000001.sdmpBinary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
    Source: Ref 0180066743.PDF.exe, 00000002.00000002.490809887.0000000005E30000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exeProcess information queried: ProcessInformationJump to behavior
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exeProcess queried: DebugPortJump to behavior
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exeProcess queried: DebugPortJump to behavior
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exeProcess queried: DebugPortJump to behavior
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exeProcess queried: DebugPortJump to behavior
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exeCode function: 2_2_063703F0 LdrInitializeThunk,2_2_063703F0
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exeProcess token adjusted: DebugJump to behavior
    Source: C:\Users\user\Desktop\Ref 0180066743.PDF.exeMemory allocated: page read and write | page guardJump to behavior

    HIPS / PFW / Operating System Protection Evasion: