

Analysis Report 2020101408898,pdf.exe

Overview

General Information

Sample Name: 2020101408898,pdf.exe
Analysis ID: 298655
MD5: d631fc784a817b038050901c9210535e
SHA1: 0592a92b11ebdbb0b24f093d69be88baf394aac4
SHA256: 1c42bd094eeb6df10d17cb2fc16a7e167e38ee01d273f7c31ddf4775e015d59c
Tags: exe, NanoCore, nVpn, RAT


Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to detect virtual machines (STR)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • 2020101408898,pdf.exe (PID: 6224 cmdline: 'C:\Users\user\Desktop\2020101408898,pdf.exe' MD5: D631FC784A817B038050901C9210535E)
    • schtasks.exe (PID: 6704 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qnkDCdcEdG' /XML 'C:\Users\user\AppData\Local\Temp\tmp3D90.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • MSBuild.exe (PID: 6648 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe MD5: 88BBB7610152B48C2B3879473B17857E)
      • schtasks.exe (PID: 6808 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp47E1.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • conhost.exe (PID: 7000 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • MSBuild.exe (PID: 7152 cmdline: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0 MD5: 88BBB7610152B48C2B3879473B17857E)
    • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.932708380.0000000005CF0000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xf7ad:$x1: NanoCore.ClientPluginHost
  • 0xf7da:$x2: IClientNetworkHost
00000005.00000002.932708380.0000000005CF0000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xf7ad:$x2: NanoCore.ClientPluginHost
  • 0x10888:$s4: PipeCreated
  • 0xf7c7:$s5: IClientLoggingHost
00000005.00000002.932708380.0000000005CF0000.00000004.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000005.00000002.927760479.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000005.00000002.927760479.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(14 further memory-dump matches are not shown in this capture.)

The leading number of a dump identifier is the sandbox's process index, not the Windows PID: index 0 is the submitted sample and index 5 is the MSBuild.exe instance with PID 6648 (see "Process Memory Space: MSBuild.exe PID: 6648" below), which is how the memory hits tie back to the process tree. The hit at index 5, base address 0x402000, is the payload's own image written into the hollowed MSBuild.exe.

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.MSBuild.exe.5510000.2.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
5.2.MSBuild.exe.5510000.2.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
5.2.MSBuild.exe.5cf0000.4.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
5.2.MSBuild.exe.5cf0000.4.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
5.2.MSBuild.exe.5cf0000.4.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(7 further unpacked-PE matches are not shown in this capture.)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe, ProcessId: 6648, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qnkDCdcEdG' /XML 'C:\Users\user\AppData\Local\Temp\tmp3D90.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qnkDCdcEdG' /XML 'C:\Users\user\AppData\Local\Temp\tmp3D90.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\2020101408898,pdf.exe' , ParentImage: C:\Users\user\Desktop\2020101408898,pdf.exe, ParentProcessId: 6224, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qnkDCdcEdG' /XML 'C:\Users\user\AppData\Local\Temp\tmp3D90.tmp', ProcessId: 6704

Note the command line names System32\schtasks.exe while the image actually executed is SysWOW64\schtasks.exe: the 32-bit sample is subject to file-system redirection, so a detection keyed on the image path must match both locations. The task XML is staged in %TEMP% and deleted afterwards, which is why the rule keys on the /XML argument rather than on the file.
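The two Sigma hits above and the MSBuild.exe launch in the process tree can be reproduced from ordinary process telemetry. The following is an added example, not part of the Joe Sandbox report or of Joe Security's Sigma rules: it applies the same logic to constructed Sysmon-style event records that mirror this report's process tree (the parent of the sample, the benign build and the benign scheduled task are invented controls). The MSBuild parent allow-list and the project-file extensions are assumptions to tune per environment.

```python
"""Process-telemetry checks modelled on the Sigma hits in this report.

Added example; event records are constructed to mirror the report's process
tree. Field names follow Sysmon: EventID 1 = process creation, EventID 11 =
file creation.
"""
import re

# Developer tooling that legitimately launches MSBuild.exe (assumed allow-list).
MSBUILD_PARENT_ALLOW = {"devenv.exe", "dotnet.exe", "msbuild.exe", "vbcscompiler.exe", "nuget.exe"}
# A real build names a project or solution on the command line (assumed extensions).
PROJECT_FILE = re.compile(r"\.(?:sln|csproj|vbproj|proj|targets)\b", re.IGNORECASE)
# Temp directories the "Scheduled temp file as task from temp location" rule cares about.
TEMP_DIR = re.compile(r"\\(?:AppData\\Local\\Temp|Windows\\Temp)\\", re.IGNORECASE)
# The /xml argument of schtasks, with or without surrounding quotes.
XML_ARG = re.compile(r"/xml\s+['\"]?([^'\" ]+)", re.IGNORECASE)
# %APPDATA%\{GUID}\run.dat, the path the "NanoCore" Sigma hit keyed on in this report.
NANOCORE_RUN_DAT = re.compile(
    r"\\AppData\\Roaming\\[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\\run\.dat$",
    re.IGNORECASE,
)


def image_name(path):
    """Lower-cased basename of an image path, for comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def schtasks_from_temp(ev):
    """schtasks /create whose /xml task definition lives in a temp directory."""
    cmd = ev.get("CommandLine", "")
    if image_name(ev["Image"]) != "schtasks.exe" or not re.search(r"/create\b", cmd, re.IGNORECASE):
        return False
    m = XML_ARG.search(cmd)
    return m is not None and TEMP_DIR.search(m.group(1)) is not None


def msbuild_without_project(ev):
    """MSBuild.exe started by something other than developer tooling and with no
    project on its command line: the shape of a process-hollowing target, not a
    build (here it was spawned by the sample with a bare command line)."""
    if image_name(ev["Image"]) != "msbuild.exe":
        return False
    parent = image_name(ev.get("ParentImage", ""))
    return parent not in MSBUILD_PARENT_ALLOW and PROJECT_FILE.search(ev.get("CommandLine", "")) is None


def nanocore_run_dat(ev):
    """run.dat written under a GUID-named directory in %APPDATA%."""
    return NANOCORE_RUN_DAT.search(ev.get("TargetFilename", "")) is not None


def check_event(ev):
    """Return the list of detection tags raised by one event."""
    tags = []
    if ev["EventID"] == 1:
        if schtasks_from_temp(ev):
            tags.append("schtasks_temp_xml")
        if msbuild_without_project(ev):
            tags.append("msbuild_no_project")
    elif ev["EventID"] == 11 and nanocore_run_dat(ev):
        tags.append("nanocore_run_dat")
    return tags


def scan(events):
    """(ProcessId, tag) pairs for every detection over a list of events, sorted."""
    return sorted((ev["ProcessId"], t) for ev in events for t in check_event(ev))


SAMPLE = r"C:\Users\user\Desktop\2020101408898,pdf.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"

# Constructed events mirroring the report's process tree, plus two benign controls.
EVENTS = [
    {"EventID": 1, "ProcessId": 6224, "Image": SAMPLE, "CommandLine": f"'{SAMPLE}'",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "ProcessId": 6704, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qnkDCdcEdG' /XML 'C:\Users\user\AppData\Local\Temp\tmp3D90.tmp'",
     "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 6648, "Image": MSBUILD, "CommandLine": MSBUILD, "ParentImage": SAMPLE},
    {"EventID": 1, "ProcessId": 6808, "Image": r"C:\Windows\SysWOW64\schtasks.exe",
     "CommandLine": r"'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp47E1.tmp'",
     "ParentImage": MSBUILD},
    {"EventID": 11, "ProcessId": 6648, "Image": MSBUILD,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat"},
    # Benign controls (constructed): a real build and an admin-created task.
    {"EventID": 1, "ProcessId": 4100, "Image": MSBUILD, "CommandLine": MSBUILD + r" C:\src\app.sln",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\devenv.exe"},
    {"EventID": 1, "ProcessId": 4200, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r"schtasks.exe /create /tn Backup /xml C:\ProgramData\backup.xml",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]

if __name__ == "__main__":
    for pid, tag in scan(EVENTS):
        print(pid, tag)
```

Run against the constructed events this raises four detections (both schtasks launches, the MSBuild launch by the sample, and the run.dat write by the injected MSBuild process) and nothing for the two controls. The MSBuild check is deliberately narrow: it fires only when the parent is outside the allow-list and no project is named, because MSBuild.exe with a bare command line has no legitimate reason to exist outside a build tool.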

Signature Overview

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: 2020101408898,pdf.exe | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Roaming\qnkDCdcEdG.exe | Avira: detection malicious, Label: TR/AD.Nanocore.pqfbb
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\qnkDCdcEdG.exe | ReversingLabs: Detection: 22%
Multi AV Scanner detection for submitted file
Source: 2020101408898,pdf.exe | ReversingLabs: Detection: 22%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000005.00000002.932708380.0000000005CF0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.927760479.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.931491212.0000000004187000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.666963588.0000000004431000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: MSBuild.exe PID: 6648, type: MEMORY
Source: Yara match | File source: 5.2.MSBuild.exe.5cf0000.4.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.MSBuild.exe.5cf0000.4.raw.unpack, type: UNPACKEDPE
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\qnkDCdcEdG.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: 2020101408898,pdf.exe | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 5.2.MSBuild.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\Desktop\2020101408898,pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_05B72E80
Source: C:\Users\user\Desktop\2020101408898,pdf.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h | 0_2_05B72E77
Source: C:\Users\user\Desktop\2020101408898,pdf.exe | Code function: 4x nop then jmp 05B72644h | 0_2_05B71A6F

Networking:

Uses dynamic DNS services
Source: unknown | DNS query: name: billionaire.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.2.4:49746 -> 185.165.153.245:3734
Internet Provider seen in connection with other malware
Source: Joe Sandbox View | ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG
The report does not print the resolution of billionaire.ddns.net, but the dynamic-DNS query, the single TCP flow on a non-standard port and the ASN already seen with other malware together describe the RAT's check-in; treat name, address and port as one indicator set.
Source: unknown | TCP traffic detected without corresponding DNS query: 104.102.29.249 (50 identical entries in the original report)
No DNS query preceded these flows, so nothing on the page ties them to the sample's code; sandbox hosts routinely make such connections for OS and runtime housekeeping, and the address should be attributed before it is added to any blocklist.
Source: unknown | DNS traffic detected: queries for: billionaire.ddns.net
Source: unknown | Network traffic detected: HTTP traffic on port 443, 30 flows in both directions between local ports 49683-49731 and remote port 443
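The networking findings above reduce to three questions a practitioner asks of any capture: which names are dynamic DNS, which flows go to a non-standard port on a destination that came out of such a name, and which flows had no DNS at all. The following is an added example, not part of the Joe Sandbox report: it runs that triage over DNS answers and flow records constructed from this report's Networking section. The destination port used for the 104.102.29.249 flows, the 203.0.113.10 control, the dynamic-DNS suffix list and the set of "ordinary" ports are assumptions; the report only gives the addresses, the name and the 3734 flow.

```python
"""Network triage over the flows in this report's Networking section.

Added example; DNS answers and flows are constructed from the report.
"""
from collections import Counter

# Free dynamic-DNS providers commonly abused for RAT C2 (assumed list).
DYNDNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.com", "hopto.org", "zapto.org", "sytes.net", "duckdns.org")
# Ports at which an outbound workstation flow is unremarkable on its own (assumption).
ORDINARY_PORTS = {80, 443, 53, 587, 993, 995}
# Indicators taken verbatim from this report.
REPORT_IOCS = {"domains": {"billionaire.ddns.net"}, "ips": {"185.165.153.245"}, "ports": {3734}}


def is_dynamic_dns(name):
    """True when the name is, or sits under, a known dynamic-DNS suffix."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def triage(dns_answers, flows):
    """dns_answers: [(qname, answer_ip)]; flows: [(src_ip, dst_ip, dst_port)].

    C2 candidates are flows whose destination came out of a dynamic-DNS name
    and that use a non-ordinary port, the shape of the beacon in this report.
    Flows with no preceding DNS answer are counted but not promoted: in a
    sandbox they are usually OS or runtime background traffic, and the owner
    of the address must be confirmed before it becomes an indicator."""
    name_for = {ip: q for q, ip in dns_answers}
    out = {
        "dynamic_dns": sorted({q for q, _ in dns_answers if is_dynamic_dns(q)}),
        "c2_candidates": [],
        "ioc_hits": [],
        "no_dns": Counter(),
    }
    for _src, dst, port in flows:
        qname = name_for.get(dst)
        if qname is None:
            out["no_dns"][dst] += 1
            continue
        if dst in REPORT_IOCS["ips"] or qname in REPORT_IOCS["domains"]:
            out["ioc_hits"].append((qname, dst, port))
        if is_dynamic_dns(qname) and port not in ORDINARY_PORTS:
            out["c2_candidates"].append((qname, dst, port))
    return out


def blocklist(findings):
    """Indicators worth blocking: C2 candidates and report IOC hits.
    The no-DNS destinations are deliberately left out (see triage)."""
    items = set()
    for qname, dst, port in findings["c2_candidates"] + findings["ioc_hits"]:
        items.add(qname)
        items.add(f"{dst}:{port}")
    return sorted(items)


# Constructed from the report: the ddns query and the 3734 flow, the 50 flows to
# 104.102.29.249 that had no DNS query (port assumed), and one benign control.
DNS_ANSWERS = [("billionaire.ddns.net", "185.165.153.245"), ("update.benign.example", "203.0.113.10")]
FLOWS = (
    [("192.168.2.4", "185.165.153.245", 3734), ("192.168.2.4", "203.0.113.10", 443)]
    + [("192.168.2.4", "104.102.29.249", 443)] * 50
)

if __name__ == "__main__":
    result = triage(DNS_ANSWERS, FLOWS)
    for key, value in result.items():
        print(key, value)
    print("blocklist:", blocklist(result))
```

On the constructed input the only C2 candidate and the only IOC hit is billionaire.ddns.net / 185.165.153.245:3734; the 50 flows to 104.102.29.249 are reported as a count under no_dns and are kept out of the blocklist, and the control destination raises nothing.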
Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 2020101408898,pdf.exe, 00000000.00000002.665939257.000000000145A000.00000004.00000020.sdmp | Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Installs a raw input device (often for capturing keystrokes)
Source: MSBuild.exe, 00000005.00000002.932708380.0000000005CF0000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Same eight Yara matches (four memory dumps, the MSBuild.exe PID 6648 process memory and three unpacked PEs) as listed under AV Detection above.

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000005.00000002.932708380.0000000005CF0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.927760479.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.927760479.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.932363196.0000000005510000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000005.00000002.931491212.0000000004187000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.666963588.0000000004431000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 00000000.00000002.666963588.0000000004431000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: MSBuild.exe PID: 6648, type: MEMORY | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: Process Memory Space: MSBuild.exe PID: 6648, type: MEMORY | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.MSBuild.exe.5510000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.MSBuild.exe.5cf0000.4.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Source: 5.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore, Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.MSBuild.exe.5cf0000.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT, Author: Florian Roth
Contains functionality to call native functions
Source: C:\Users\user\Desktop\2020101408898,pdf.exe | Code function: 0_2_05B80FCE NtQuerySystemInformation
Source: C:\Users\user\Desktop\2020101408898,pdf.exe | Code function: 0_2_05B80F9D NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 5_2_0548148A NtQuerySystemInformation
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe | Code function: 5_2_0548144F NtQuerySystemInformation
Detected potential crypto function
Source: C:\Users\user\Desktop\2020101408898,pdf.exe | Code functions: 0_2_055511D8, 0_2_05550C08, 0_2_055522BE, 0_2_05553550, 0_2_05553540, 0_2_05554D7D, 0_2_05550C04, 0_2_0555EF18, 0_2_05553798, 0_2_055537A0, 0_2_05559EFE, 0_2_055592EF
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (process index 5) | Code functions: 5_2_01367AC1, 5_2_05358598, 5_2_05359198, 5_2_0535ADF8, 5_2_05353850, 5_2_053523A0, 5_2_05352FA8, 5_2_0535306F, 5_2_0535238F, 5_2_0535925F
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe (process index 8) | Code functions: 8_2_04E81DF8, 8_2_04E80708
Sample file is different than original file name gathered from version info
Source: 2020101408898,pdf.exe, 00000000.00000002.665939257.000000000145A000.00000004.00000020.sdmp | Binary or memory string: OriginalFilename mscorwks.dll vs 2020101408898,pdf.exe
Source: 2020101408898,pdf.exe, 00000000.00000002.667647530.00000000055E0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename mscorrc.dll vs 2020101408898,pdf.exe
Source: 2020101408898,pdf.exe, 00000000.00000002.669525384.00000000065B0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs 2020101408898,pdf.exe
Source: 2020101408898,pdf.exe, 00000000.00000002.669525384.00000000065B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilename propsys.dll.mui vs 2020101408898,pdf.exe
Source: 2020101408898,pdf.exe, 00000000.00000002.667231276.00000000045EC000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename Kedermister.dll vs 2020101408898,pdf.exe
Source: 2020101408898,pdf.exe, 00000000.00000002.667755095.0000000005640000.00000004.00000001.sdmp | Binary or memory string: OriginalFilename exag vs 2020101408898,pdf.exe
Source: 2020101408898,pdf.exe, 00000000.00000002.669020899.00000000064B0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs 2020101408898,pdf.exe
Source: 2020101408898,pdf.exe | Binary or memory string: OriginalFilename aJDd.exe vs 2020101408898,pdf.exe
The sample's own version resource names it aJDd.exe; the mscorwks.dll, mscorrc.dll and propsys.dll.mui entries are loaded runtime modules picked up from memory, and Kedermister.dll is a second managed assembly present in the sample's address space.
Yara signature match
Rule Nanocore_RAT_Gen_2 (author = Florian Roth, date = 2016-04-22, description = Detetcs the Nanocore RAT, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
  matched MEMORY: 00000005.00000002.932708380.0000000005CF0000.00000004.00000001.sdmp; 00000005.00000002.927760479.0000000000402000.00000040.00000001.sdmp; 00000005.00000002.932363196.0000000005510000.00000004.00000001.sdmp; 00000000.00000002.666963588.0000000004431000.00000004.00000001.sdmp; Process Memory Space: MSBuild.exe PID: 6648
  matched UNPACKEDPE: 5.2.MSBuild.exe.5510000.2.raw.unpack; 5.2.MSBuild.exe.5cf0000.4.unpack; 5.2.MSBuild.exe.400000.0.unpack; 5.2.MSBuild.exe.5cf0000.4.raw.unpack
Rule Nanocore_RAT_Feb18_1 (author = Florian Roth, date = 2018-02-19, description = Detects Nanocore RAT, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
  matched MEMORY: 00000005.00000002.932708380.0000000005CF0000.00000004.00000001.sdmp; 00000005.00000002.932363196.0000000005510000.00000004.00000001.sdmp
  matched UNPACKEDPE: 5.2.MSBuild.exe.5510000.2.raw.unpack; 5.2.MSBuild.exe.5cf0000.4.unpack; 5.2.MSBuild.exe.400000.0.unpack; 5.2.MSBuild.exe.5cf0000.4.raw.unpack
Rule NanoCore (author = Kevin Breen <kevin@techanarchy.net>, date = 2014/04, filetype = exe, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
  matched MEMORY: 00000005.00000002.927760479.0000000000402000.00000040.00000001.sdmp; 00000005.00000002.931491212.0000000004187000.00000004.00000001.sdmp; 00000000.00000002.666963588.0000000004431000.00000004.00000001.sdmp; Process Memory Space: MSBuild.exe PID: 6648
  matched UNPACKEDPE: 5.2.MSBuild.exe.400000.0.unpack
        Source: 2020101408898,pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: qnkDCdcEdG.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: MSBuild.exe, 00000008.00000002.673058964.0000000002D81000.00000004.00000001.sdmpBinary or memory string: *.sln
        Source: classification engineClassification label: mal100.troj.evad.winEXE@11/9@22/1
        Source: C:\Users\user\Desktop\2020101408898,pdf.exeCode function: 0_2_05B80E52 AdjustTokenPrivileges,0_2_05B80E52
        Source: C:\Users\user\Desktop\2020101408898,pdf.exeCode function: 0_2_05B80E1B AdjustTokenPrivileges,0_2_05B80E1B
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 5_2_0548124A AdjustTokenPrivileges,5_2_0548124A
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeCode function: 5_2_05481213 AdjustTokenPrivileges,5_2_05481213
        Source: C:\Users\user\Desktop\2020101408898,pdf.exeFile created: C:\Users\user\AppData\Roaming\qnkDCdcEdG.exeJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{20d8de57-81d3-46f5-82d3-182b167de96f}
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7000:120:WilError_01
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_01
        Source: C:\Users\user\Desktop\2020101408898,pdf.exeMutant created: \Sessions\1\BaseNamedObjects\PcVmhnjIIToiCrnGty
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6680:120:WilError_01
        Source: C:\Users\user\Desktop\2020101408898,pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmp3D90.tmpJump to behavior
        Source: 2020101408898,pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: C:\Users\user\Desktop\2020101408898,pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: C:\Users\user\Desktop\2020101408898,pdf.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
        Source: C:\Users\user\Desktop\2020101408898,pdf.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
        Source: C:\Users\user\Desktop\2020101408898,pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
        Source: C:\Users\user\Desktop\2020101408898,pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: 2020101408898,pdf.exeReversingLabs: Detection: 22%
        Source: C:\Users\user\Desktop\2020101408898,pdf.exeFile read: C:\Users\user\Desktop\2020101408898,pdf.exeJump to behavior
        Source: unknownProcess created: C:\Users\user\Desktop\2020101408898,pdf.exe 'C:\Users\user\Desktop\2020101408898,pdf.exe'
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qnkDCdcEdG' /XML 'C:\Users\user\AppData\Local\Temp\tmp3D90.tmp'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp47E1.tmp'
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe 0
        Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Users\user\Desktop\2020101408898,pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qnkDCdcEdG' /XML 'C:\Users\user\AppData\Local\Temp\tmp3D90.tmp'Jump to behavior
        Source: C:\Users\user\Desktop\2020101408898,pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeJump to behavior
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exeProcess created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp47E1.tmp'Jump to behavior
        Source: C:\Users\user\Desktop\2020101408898,pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32Jump to behavior
        Source: C:\Users\user\Desktop\2020101408898,pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dllJump to behavior
        Source: 2020101408898,pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\Desktop\2020101408898,pdf.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
        Source: 2020101408898,pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: indows\MSBuild.pdbpdbild.pdbs source: MSBuild.exe, 00000005.00000002.928770662.0000000002DF5000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\MSBuild.pdbd source: MSBuild.exe, 00000005.00000002.928770662.0000000002DF5000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.pdb source: MSBuild.exe, 00000005.00000002.928770662.0000000002DF5000.00000004.00000040.sdmp
        Source: Binary string: C:\Windows\exe\MSBuild.pdb source: MSBuild.exe, 00000005.00000002.928770662.0000000002DF5000.00000004.00000040.sdmp
        Source: Binary string: f:\dd\vsproject\xmake\XMakeCommandLine\objr\i386\MSBuild.pdb source: MSBuild.exe, 00000005.00000002.928770662.0000000002DF5000.00000004.00000040.sdmp
        Source: Binary string: mscorrc.pdb source: 2020101408898,pdf.exe, 00000000.00000002.667647530.00000000055E0000.00000002.00000001.sdmp, MSBuild.exe, 00000005.00000002.932511456.00000000058F0000.00000002.00000001.sdmp
        Source: Binary string: C:\Windows\symbols\exe\MSBuild.pdb source: MSBuild.exe, 00000005.00000002.928770662.0000000002DF5000.00000004.00000040.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: 2020101408898,pdf.exe, FastResourceComparer.cs; .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: qnkDCdcEdG.exe.0.dr, FastResourceComparer.cs; .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.2020101408898,pdf.exe.d30000.0.unpack, FastResourceComparer.cs; .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.2020101408898,pdf.exe.d30000.0.unpack, FastResourceComparer.cs; .Net Code: Object System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs; .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs; .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\2020101408898,pdf.exe; Code function: 0_2_05552763 push dword ptr [ebp+eax-18h]; iretd 0_2_05552767
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Code function: 5_2_013674B8 push ebp; ret 5_2_013674B9
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Code function: 5_2_013674AC push ecx; ret 5_2_013674AD
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Code function: 5_2_01369D54 push eax; retf 5_2_01369D55
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Code function: 5_2_01369D58 pushad ; retf 5_2_01369D59
        Source: initial sample; Static PE information: section name: .text entropy: 7.85343273252
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs; High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: 5.2.MSBuild.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs; High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: C:\Users\user\Desktop\2020101408898,pdf.exe; File created: C:\Users\user\AppData\Roaming\qnkDCdcEdG.exe

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown; Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\qnkDCdcEdG' /XML 'C:\Users\user\AppData\Local\Temp\tmp3D90.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\2020101408898,pdf.exe; Registry key monitored for changes: HKEY_CURRENT_USER_Classes
        Source: C:\Users\user\Desktop\2020101408898,pdf.exe; Process information set: NOOPENFILEERRORBOX
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM_3
        Source: Yara match; File source: 00000000.00000002.666662469.0000000003431000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: 00000000.00000002.666743326.00000000034B8000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match; File source: Process Memory Space: 2020101408898,pdf.exe PID: 6224, type: MEMORY
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: 2020101408898,pdf.exe, 00000000.00000002.666662469.0000000003431000.00000004.00000001.sdmp; Binary or memory string: SBIEDLL.DLL
        Source: 2020101408898,pdf.exe, 00000000.00000002.666662469.0000000003431000.00000004.00000001.sdmp; Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
        Source: C:\Users\user\Desktop\2020101408898,pdf.exe; File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\2020101408898,pdf.exe; Code function: 0_2_01688E8E str word ptr [ecx] 0_2_01688E8E
        Source: C:\Users\user\Desktop\2020101408898,pdf.exe; Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Thread delayed: delay time: 922337203685477
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Window / User API: threadDelayed 748
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Window / User API: threadDelayed 631
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Window / User API: threadDelayed 366
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Window / User API: foregroundWindowGot 847
        Source: C:\Users\user\Desktop\2020101408898,pdf.exe TID: 6216; Thread sleep time: -52368s >= -30000s
        Source: C:\Users\user\Desktop\2020101408898,pdf.exe TID: 1088; Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 7116; Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe TID: 6848; Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
        Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
        Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe; Code function: 5_2_054826DE GetSystemInfo, 5_2_054826DE
        Source: 2020101408898,pdf.exe, 00000000.00000002.666662469.0000000003431000.00000004.00000001.sdmp; Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: MSBuild.exe, 00000005.00000002.933019102.00000000066F0000.00000002.00000001.sdmp; Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: 2020101408898,pdf.exe, 00000000.00000002.666662469.0000000003431000.00000004.00000001.sdmp; Binary or memory string: vmware
        Source: 2020101408898,pdf.exe, 00000000.00000002.666662469.0000000003431000.00000004.00000001.sdmp; Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
        Source: MSBuild.exe, 00000005.00000002.933019102.00000000066F0000.00000002.00000001.sdmp; Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.