
Analysis Report QRN-CLJC-06112020149.PDF.exe

Overview

General Information

Sample Name: QRN-CLJC-06112020149.PDF.exe
Analysis ID: 321395
MD5: cdefe555b30aa451be1c4b519ccaa9a3
SHA1: dde5a61b58ce44a985ee7ca8d4a789140063616c
SHA256: 67bff3c99f10c2b189df24202f66a3901d355847afee7de4f66c78aff794c923
Tags: AgentTesla, exe

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension
Yara detected AgentTesla
Yara detected AntiVM_3
.NET source code contains very large array initializations
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses SMTP (mail sending)
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Classification

Startup

  • System is w10x64
  • QRN-CLJC-06112020149.PDF.exe (PID: 6128 cmdline: 'C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe' MD5: CDEFE555B30AA451BE1C4B519CCAA9A3)
    • schtasks.exe (PID: 5500 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XwhZikir' /XML 'C:\Users\user\AppData\Local\Temp\tmpF5B4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 4480 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Username: ": "AmBIZ", "URL: ": "http://z61os6wyor.com", "To: ": "", "ByHost: ": "mail.privateemail.com:587", "Password: ": "Tp7L2", "From: ": ""}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000003.00000002.504281771.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security |
00000000.00000002.248253061.00000000034D1000.00000004.00000001.sdmp | JoeSecurity_AntiVM_3 | Yara detected AntiVM_3 | Joe Security |
00000000.00000002.248835494.00000000044D4000.00000004.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Unpacked PEs

Source | Rule | Description | Author | Strings
3.2.QRN-CLJC-06112020149.PDF.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XwhZikir' /XML 'C:\Users\user\AppData\Local\Temp\tmpF5B4.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XwhZikir' /XML 'C:\Users\user\AppData\Local\Temp\tmpF5B4.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe', ParentImage: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe, ParentProcessId: 6128, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XwhZikir' /XML 'C:\Users\user\AppData\Local\Temp\tmpF5B4.tmp', ProcessId: 5500
Sigma detected: Suspicious Double Extension
Source: Process started | Author: Florian Roth (rule), @blu3_team (idea) | Data: Command: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe, CommandLine: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe, NewProcessName: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe, OriginalFileName: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe, ParentCommandLine: 'C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe', ParentImage: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe, ParentProcessId: 6128, ProcessCommandLine: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe, ProcessId: 4664

Signature Overview


AV Detection:

Found malware configuration
Source: QRN-CLJC-06112020149.PDF.exe.4664.3.memstr | Malware Configuration Extractor: Agenttesla {"Username: ": "AmBIZ", "URL: ": "http://z61os6wyor.com", "To: ": "", "ByHost: ": "mail.privateemail.com:587", "Password: ": "Tp7L2", "From: ": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\XwhZikir.exe | ReversingLabs: Detection: 33%
Multi AV Scanner detection for submitted file
Source: QRN-CLJC-06112020149.PDF.exe | Virustotal: Detection: 52%
Source: QRN-CLJC-06112020149.PDF.exe | ReversingLabs: Detection: 33%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Roaming\XwhZikir.exe | Joe Sandbox ML: detected
Machine Learning detection for sample
Source: QRN-CLJC-06112020149.PDF.exe | Joe Sandbox ML: detected
Source: 3.2.QRN-CLJC-06112020149.PDF.exe.400000.0.unpack | Avira: Label: TR/Spy.Gen8
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 4x nop then jmp 05C390A6h
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h

Networking:

May check the online IP address of the machine
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | TCP traffic: 192.168.2.7:49748 -> 198.54.122.60:587
Source: Joe Sandbox View | IP Address: 54.243.161.145
Source: Joe Sandbox View | IP Address: 198.54.122.60
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 3_2_0269A09A recv,
Source: unknown | DNS traffic detected: queries for: g.msn.com
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | String found in binary or memory: http://DynDns.comDynDNS
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.509398240.00000000031E6000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.512477564.0000000005F30000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.512477564.0000000005F30000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl0
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.512543715.0000000005F63000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationS
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.509729422.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | String found in binary or memory: http://gWhdeq.com
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.512543715.0000000005F63000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.com1
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp, QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.509398240.00000000031E6000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.509729422.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.509398240.00000000031E6000.00000004.00000001.sdmp, QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.509511016.00000000031F4000.00000004.00000001.sdmp | String found in binary or memory: http://z61os6wyor.com
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org/
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.org/(
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | String found in binary or memory: https://api.ipify.orgGETMozilla/5.0
Source: QRN-CLJC-06112020149.PDF.exe, 00000000.00000002.248835494.00000000044D4000.00000004.00000001.sdmp, QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.504281771.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | String found in binary or memory: https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.509729422.0000000003211000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: QRN-CLJC-06112020149.PDF.exe, 00000000.00000002.248835494.00000000044D4000.00000004.00000001.sdmp, QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.504281771.0000000000402000.00000040.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown | Network traffic detected: HTTP traffic on port 49747 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49747

System Summary:

.NET source code contains very large array initializations
Source: 3.2.QRN-CLJC-06112020149.PDF.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b161D827Cu002dEE49u002d4B0Eu002d833Fu002dF512BCC8F74Cu007d/u00334888689u002d8818u002d434Eu002dB30Fu002dF3A6EF143ED7.cs | Large array initialization: .cctor: array initializer size 11992
Initial sample is a PE file and has a suspicious name
Source: initial sample | Static PE information: Filename: QRN-CLJC-06112020149.PDF.exe
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 0_2_05BB11CE NtQuerySystemInformation,
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 0_2_05BB119D NtQuerySystemInformation,
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 3_2_0269B0BA NtQuerySystemInformation,
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 3_2_0269B089 NtQuerySystemInformation,
Source: QRN-CLJC-06112020149.PDF.exe | Binary or memory string: OriginalFilename vs QRN-CLJC-06112020149.PDF.exe
Source: QRN-CLJC-06112020149.PDF.exe, 00000000.00000002.249206382.000000000469B000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameKedermister.dllT vs QRN-CLJC-06112020149.PDF.exe
Source: QRN-CLJC-06112020149.PDF.exe, 00000000.00000002.252133026.0000000006250000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs QRN-CLJC-06112020149.PDF.exe
Source: QRN-CLJC-06112020149.PDF.exe, 00000000.00000002.249620145.0000000005670000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs QRN-CLJC-06112020149.PDF.exe
Source: QRN-CLJC-06112020149.PDF.exe, 00000000.00000002.252265585.0000000006350000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs QRN-CLJC-06112020149.PDF.exe
Source: QRN-CLJC-06112020149.PDF.exe, 00000000.00000002.252265585.0000000006350000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs QRN-CLJC-06112020149.PDF.exe
Source: QRN-CLJC-06112020149.PDF.exe, 00000000.00000002.248253061.00000000034D1000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenamegGBfrdvzjTnMYYsrYcgGjNdaKrLUoCIJrGyRgJ.exe4 vs QRN-CLJC-06112020149.PDF.exe
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.512915861.00000000063F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs QRN-CLJC-06112020149.PDF.exe
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.511565740.00000000052A0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs QRN-CLJC-06112020149.PDF.exe
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.504281771.0000000000402000.00000040.00000001.sdmp | Binary or memory string: OriginalFilenamegGBfrdvzjTnMYYsrYcgGjNdaKrLUoCIJrGyRgJ.exe4 vs QRN-CLJC-06112020149.PDF.exe
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.512807164.00000000063C0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamewshom.ocx.mui vs QRN-CLJC-06112020149.PDF.exe
Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.512770176.00000000063B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameCRYPT32.DLL.MUIj% vs QRN-CLJC-06112020149.PDF.exe
Source: QRN-CLJC-06112020149.PDF.exe | Binary or memory string: OriginalFilenameb3Bd.exeN vs QRN-CLJC-06112020149.PDF.exe
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Section loaded: security.dll
Source: QRN-CLJC-06112020149.PDF.exe | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: XwhZikir.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: 3.2.QRN-CLJC-06112020149.PDF.exe.400000.0.unpack, A/b2.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@6/5@3/2
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 0_2_05BB1052 AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 0_2_05BB101B AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 3_2_0269AF3E AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 3_2_0269AF07 AdjustTokenPrivileges,
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | File created: C:\Users\user\AppData\Roaming\XwhZikir.exe
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Mutant created: \Sessions\1\BaseNamedObjects\ZcufQIP
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4480:120:WilError_01
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | File created: C:\Users\user\AppData\Local\Temp\tmpF5B4.tmp
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | File read: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe
Source: unknown | Process created: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe 'C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe'
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XwhZikir' /XML 'C:\Users\user\AppData\Local\Temp\tmpF5B4.tmp'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XwhZikir' /XML 'C:\Users\user\AppData\Local\Temp\tmpF5B4.tmp'
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Process created: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: QRN-CLJC-06112020149.PDF.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: QRN-CLJC-06112020149.PDF.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: mscorrc.pdb source: QRN-CLJC-06112020149.PDF.exe, 00000000.00000002.249620145.0000000005670000.00000002.00000001.sdmp, QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.512915861.00000000063F0000.00000002.00000001.sdmp
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 0_2_01706E79 push ebx; retf
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 0_2_01706E7C push ebx; retf
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 0_2_01709ADC push ebx; retf
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 0_2_01708EA1 push ebx; retf
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 0_2_01708EA4 push ebx; retf
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 0_2_01709A9D push ebx; retf
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 0_2_05C3453B push ss; ret
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 0_2_05C348A7 push ss; ret
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 0_2_05C33B59 push edx; retf
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 0_2_05C34687 push cs; ret
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 0_2_05C3468F push 0000001Ah; ret
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 0_2_05C34657 push 0000001Ah; ret
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 0_2_05C34A23 push ds; ret
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 3_2_02BDD0A1 push ss; retf
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 3_2_063A229F push ecx; ret
Source: initial sample | Static PE information: section name: .text entropy: 7.83443319066
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | File created: C:\Users\user\AppData\Roaming\XwhZikir.exe

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XwhZikir' /XML 'C:\Users\user\AppData\Local\Temp\tmpF5B4.tmp'

Hooking and other Techniques for Hiding and Protection:

              Uses an obfuscated file name to hide its real file extension (double extension)Show sources
              Source: Possible double extension: pdf.exeStatic PE information: QRN-CLJC-06112020149.PDF.exe
              Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Process information set: NOOPENFILEERRORBOX (93 identical events)

              Malware Analysis System Evasion:

               Yara detected AntiVM_3
               Source: Yara match | File source: 00000000.00000002.248253061.00000000034D1000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match | File source: 00000000.00000002.248377338.0000000003525000.00000004.00000001.sdmp, type: MEMORY
               Source: Yara match | File source: Process Memory Space: QRN-CLJC-06112020149.PDF.exe PID: 6128, type: MEMORY
               Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
               Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
               Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
               Source: QRN-CLJC-06112020149.PDF.exe, 00000000.00000002.248253061.00000000034D1000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
               Source: QRN-CLJC-06112020149.PDF.exe, 00000000.00000002.248253061.00000000034D1000.00000004.00000001.sdmp | Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Thread delayed: delay time: 922337203685477 (2 identical events)
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe TID: 1528 | Thread sleep time (each flagged as >= -30000s): -54725s, -30000s
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe TID: 724 | Thread sleep time (flagged as >= -30000s): -922337203685477s
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe TID: 4532 | Thread sleep time (117 calls, each flagged as >= -30000s, in order):
                   -922337203685477s, -30000s, -59406s, -58906s, -88080s, -87750s, -86109s, -57000s, -113000s, -110812s,
                   -55000s, -53500s, -106440s, -106000s, -52406s, -77250s, -75609s, -69609s, -46000s, -44906s,
                   -66750s, -66000s, -65109s, -64359s, -41406s, -61500s, -59859s, -39000s, -56859s, -55500s,
                   -53859s, -35500s, -50859s, -33220s, -31626s, -31220s, -30720s, -30126s, -39939s, -39609s,
                   -39189s, -36609s, -36330s, -34689s, -34359s, -33330s, -59814s, -59626s, -59126s, -57814s,
                   -86439s, -85080s, -56314s, -83439s, -55220s, -54314s, -81189s, -52626s, -78189s, -51720s,
                   -76500s, -50626s, -75189s, -49906s, -74250s, -49220s, -49000s, -48814s, -48626s, -72609s,
                   -48126s, -47126s, -46906s, -46126s, -45814s, -45626s, -42626s, -42314s, -42126s, -41220s,
                   -40126s, -39220s, -38814s, -57189s, -37720s, -35720s, -35000s, -34220s, -50580s, -33126s,
                   -32906s, -31000s, -59314s, -58220s, -57126s, -56906s, -54500s, -53626s, -53406s, -52314s,
                   -51220s, -47720s, -45314s, -45126s, -44220s, -43126s, -41814s, -39626s, -36126s, -34814s,
                   -33500s, -31906s, -31720s, -31500s, -30814s, -30626s, -30406s
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor (2 identical events)
               Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Last function: Thread delayed
               Source: QRN-CLJC-06112020149.PDF.exe, 00000000.00000002.248253061.00000000034D1000.00000004.00000001.sdmp | Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
               Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.511565740.00000000052A0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
               Source: QRN-CLJC-06112020149.PDF.exe, 00000000.00000002.248253061.00000000034D1000.00000004.00000001.sdmp | Binary or memory string: vmware
               Source: QRN-CLJC-06112020149.PDF.exe, 00000000.00000002.248253061.00000000034D1000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II|update users set password = @password where user_id = @user_id
               Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.511565740.00000000052A0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
               Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.511565740.00000000052A0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
               Source: QRN-CLJC-06112020149.PDF.exe, 00000000.00000002.248253061.00000000034D1000.00000004.00000001.sdmp | Binary or memory string: VMWAREDSOFTWARE\VMware, Inc.\VMware Tools
               Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.511565740.00000000052A0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Process information queried: ProcessInformation
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 3_2_02BD33C8 LdrInitializeThunk,
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Process token adjusted: Debug (2 identical events)
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Memory allocated: page read and write | page guard
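Two things in the evasion evidence above deserve a closer look when triaging: the delay values and the WMI classes. The value 922337203685477 is 2^63-1 ticks of 100 ns expressed in whole milliseconds, i.e. a .NET TimeSpan.MaxValue delay, so those two threads are parked indefinitely; the remaining 117 delays on thread 4532 add up to well over an hour if the printed numbers are milliseconds (that unit is an assumption, but it is consistent with the 30000 threshold and the "long sleeps (>= 3 min)" verdict in the summary). Among the strings, the VMware Tools install path and registry key found in the heap region of process 0 are the stronger anti-VM indicators; the Hyper-V messages come from an image-backed region of process 3 and read like Windows resource strings, so they are weak evidence on their own. The following is an added example, not code from the report or from Joe Sandbox: a Python triage helper that parses rows in the report's own row format, sums delays per thread, recognises the TimeSpan.MaxValue sentinel, and lists the WMI classes commonly used to fingerprint virtual machines. The input is a constructed subset of the report's rows plus one benign WMI line.

```python
"""Triage of sandbox delay and WMI evidence.

Added example, not part of the report or of Joe Sandbox. Parses rows in the
report's row format, summarises requested delays per thread and lists WMI
classes typically used for VM fingerprinting. Treating the delay numbers as
milliseconds is an assumption.
"""
import re
from collections import defaultdict

# (2**63 - 1) ticks of 100 ns in whole milliseconds: 922337203685477.
# A delay this large means TimeSpan.MaxValue was passed, i.e. a sleep that
# is never expected to return on a real host.
DOTNET_TIMESPAN_MAX_MS = (2**63 - 1) // 10_000

_SLEEP = re.compile(r"TID:\s*(\d+)\s*\|?\s*Thread sleep time:\s*-?(\d+)s")
_WMI = re.compile(r"WMI Queries:.*\b(Win32_\w+)")

# WMI classes whose Manufacturer/Name/Description fields expose VMware,
# VirtualBox, Hyper-V or QEMU. This list is our own, not the sandbox's.
VM_FINGERPRINT_CLASSES = {
    "Win32_BaseBoard", "Win32_Bios", "Win32_ComputerSystem", "Win32_Processor",
    "Win32_NetworkAdapter", "Win32_NetworkAdapterConfiguration",
    "Win32_DiskDrive", "Win32_VideoController",
}


def parse_sleeps(lines):
    """Map thread id -> list of requested delays (ms) in the order seen."""
    per_tid = defaultdict(list)
    for line in lines:
        m = _SLEEP.search(line)
        if m:
            per_tid[int(m.group(1))].append(int(m.group(2)))
    return dict(per_tid)


def summarize_delays(per_tid, sandbox_budget_ms=5 * 60 * 1000):
    """Per thread: call count, number of 'infinite' sleeps, total finite delay,
    and whether the delays alone would outlast a sandbox run of the given budget."""
    out = {}
    for tid, delays in per_tid.items():
        infinite = sum(1 for d in delays if d >= DOTNET_TIMESPAN_MAX_MS)
        finite_total = sum(d for d in delays if d < DOTNET_TIMESPAN_MAX_MS)
        out[tid] = {
            "calls": len(delays),
            "infinite_sleeps": infinite,
            "finite_total_ms": finite_total,
            "outlasts_sandbox": infinite > 0 or finite_total >= sandbox_budget_ms,
        }
    return out


def vm_fingerprint_queries(lines):
    """WMI classes queried that are typically used for VM detection, in order."""
    hits = []
    for line in lines:
        m = _WMI.search(line)
        if m and m.group(1) in VM_FINGERPRINT_CLASSES:
            hits.append(m.group(1))
    return hits


EXE = r"C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe"
SAMPLE_LINES = [  # constructed subset of the report's rows
    f"Source: {EXE} TID: 1528Thread sleep time: -54725s >= -30000s",
    f"Source: {EXE} TID: 1528Thread sleep time: -30000s >= -30000s",
    f"Source: {EXE} TID: 724Thread sleep time: -922337203685477s >= -30000s",
    f"Source: {EXE} TID: 4532Thread sleep time: -113000s >= -30000s",
    f"Source: {EXE} TID: 4532Thread sleep time: -110812s >= -30000s",
    f"Source: {EXE} TID: 4532Thread sleep time: -106440s >= -30000s",
    f"Source: {EXE} TID: 4532Thread sleep time: -106000s >= -30000s",
    f"Source: {EXE} TID: 4532Thread sleep time: -30406s >= -30000s",
    f"Source: {EXE}WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_BaseBoard",
    f"Source: {EXE}WMI Queries: IWbemServices::CreateInstanceEnum - root\\cimv2 : Win32_NetworkAdapterConfiguration",
    f"Source: {EXE}WMI Queries: IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_Processor",
    f"Source: {EXE}WMI Queries: IWbemServices::ExecQuery - root\\cimv2 : SELECT * FROM Win32_OperatingSystem",  # benign contrast
]

if __name__ == "__main__":
    for tid, info in summarize_delays(parse_sleeps(SAMPLE_LINES)).items():
        print(tid, info)
    print(vm_fingerprint_queries(SAMPLE_LINES))
```

The budget default of five minutes is an assumption about a typical analysis window; the point of the summary is that a single TimeSpan.MaxValue sleep is already decisive, while the many 30-113 s sleeps only matter in aggregate, which is why sandboxes that shorten or skip sleeps still reach the credential-theft stage shown further down.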

              HIPS / PFW / Operating System Protection Evasion:

               Injects a PE file into a foreign processes
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Memory written: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe base: 400000 value starts with: 4D5A
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XwhZikir' /XML 'C:\Users\user\AppData\Local\Temp\tmpF5B4.tmp'
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Process created: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe
               Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.505534819.0000000001270000.00000002.00000001.sdmp | Binary or memory string: uProgram Manager
               Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.505534819.0000000001270000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
               Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.505534819.0000000001270000.00000002.00000001.sdmp | Binary or memory string: Progman
               Source: QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.505534819.0000000001270000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation (2 identical events)
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Code function: 0_2_016FB0BE GetUserNameW,
               Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

              Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match | File source: 00000003.00000002.504281771.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.248835494.00000000044D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QRN-CLJC-06112020149.PDF.exe PID: 4664, type: MEMORY
Source: Yara match | File source: Process Memory Space: QRN-CLJC-06112020149.PDF.exe PID: 6128, type: MEMORY
Source: Yara match | File source: 3.2.QRN-CLJC-06112020149.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: Yara match | File source: 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QRN-CLJC-06112020149.PDF.exe PID: 4664, type: MEMORY

              Remote Access Functionality:

Yara detected AgentTesla
Source: Yara match | File source: 00000003.00000002.504281771.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.248835494.00000000044D4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: QRN-CLJC-06112020149.PDF.exe PID: 4664, type: MEMORY
Source: Yara match | File source: Process Memory Space: QRN-CLJC-06112020149.PDF.exe PID: 6128, type: MEMORY
Source: Yara match | File source: 3.2.QRN-CLJC-06112020149.PDF.exe.400000.0.unpack, type: UNPACKEDPE

              Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 211 | DLL Side-Loading 1 | DLL Side-Loading 1 | Disable or Modify Tools 1 | OS Credential Dumping 2 | Account Discovery 1 | Remote Services | Archive Collected Data 11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job 1 | Scheduled Task/Job 1 | Access Token Manipulation 1 | Deobfuscate/Decode Files or Information 1 | Credentials in Registry 1 | File and Directory Discovery 1 | Remote Desktop Protocol | Data from Local System 2 | Exfiltration Over Bluetooth | Encrypted Channel 12 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection 112 | Obfuscated Files or Information 13 | Security Account Manager | System Information Discovery 114 | SMB/Windows Admin Shares | Email Collection 1 | Automated Exfiltration | Non-Standard Port 1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Scheduled Task/Job 1 | Software Packing 3 | NTDS | Query Registry 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol 1 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | DLL Side-Loading 1 | LSA Secrets | Security Software Discovery 321 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol 12 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Masquerading 11 | Cached Domain Credentials | Virtualization/Sandbox Evasion 14 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Virtualization/Sandbox Evasion 14 | DCSync | Process Discovery 2 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Access Token Manipulation 1 | Proc Filesystem | System Owner/User Discovery 1 | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection 112 | /etc/passwd and /etc/shadow | Remote System Discovery 1 | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Invalid Code Signature | Network Sniffing | System Network Configuration Discovery 1 | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 321395 | Sample: QRN-CLJC-06112020149.PDF.exe | Startdate: 21/11/2020 | Architecture: WINDOWS | Score: 100

• Start: contacts g.msn.com; signatures: Found malware configuration; Multi AV Scanner detection for dropped file; Sigma detected: Scheduled temp file as task from temp location; 12 other signatures
• QRN-CLJC-06112020149.PDF.exe (started): dropped C:\Users\user\AppData\Roaming\XwhZikir.exe (PE32); C:\Users\...\XwhZikir.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpF5B4.tmp (XML); C:\Users\...\QRN-CLJC-06112020149.PDF.exe.log (ASCII); signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes
• QRN-CLJC-06112020149.PDF.exe (child, started): contacts mail.privateemail.com 198.54.122.60 ports 49748, 49749, 587 (NAMECHEAP-NETUS, United States); elb097307-934924932.us-east-1.elb.amazonaws.com 54.243.161.145 ports 443, 49747 (AMAZON-AESUS, United States); 2 other IPs or domains; signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file access); Tries to harvest and steal ftp login credentials; Tries to harvest and steal browser information (history, passwords, etc)
• schtasks.exe (child, started)
• conhost.exe (child of schtasks.exe, started)

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

Source | Detection | Scanner | Label
QRN-CLJC-06112020149.PDF.exe | 53% | Virustotal |
QRN-CLJC-06112020149.PDF.exe | 33% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla
QRN-CLJC-06112020149.PDF.exe | 100% | Joe Sandbox ML |

              Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\XwhZikir.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\XwhZikir.exe | 33% | ReversingLabs | ByteCode-MSIL.Trojan.AgentTesla

              Unpacked PE Files

Source | Detection | Scanner | Label
3.2.QRN-CLJC-06112020149.PDF.exe.400000.0.unpack | 100% | Avira | TR/Spy.Gen8

              Domains

              No Antivirus matches

              URLs

Source | Detection | Scanner | Label
http://ocsp.com1 | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | 0% | URL Reputation | safe
http://127.0.0.1:HTTP/1.1 | 0% | Avira URL Cloud | safe
http://DynDns.comDynDNS | 0% | URL Reputation | safe
https://sectigo.com/CPS0 | 0% | URL Reputation | safe
http://gWhdeq.com | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | 0% | URL Reputation | safe
http://crt.sectigo.com/SectigoRSADomainValidationS | 3% | Virustotal |
http://crt.sectigo.com/SectigoRSADomainValidationS | 0% | Avira URL Cloud | safe
http://z61os6wyor.com | 0% | Avira URL Cloud | safe
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe
https://api.ipify.orgGETMozilla/5.0 | 0% | URL Reputation | safe

              Domains and IPs

              Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
elb097307-934924932.us-east-1.elb.amazonaws.com | 54.243.161.145 | true | false | | high
mail.privateemail.com | 198.54.122.60 | true | false | | high
g.msn.com | unknown | unknown | false | | high
api.ipify.org | unknown | unknown | false | | high

                      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://ocsp.com1 | QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.512543715.0000000005F63000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://api.ipify.org/ | QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | false | | high
http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0# | QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.509729422.0000000003211000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://127.0.0.1:HTTP/1.1 | QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
https://api.ipify.org | QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | false | | high
http://DynDns.comDynDNS | QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://sectigo.com/CPS0 | QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.509729422.0000000003211000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://gWhdeq.com | QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://ocsp.sectigo.com0 | QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.509729422.0000000003211000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha | QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.telegram.org/bot%telegramapi%/ | QRN-CLJC-06112020149.PDF.exe, 00000000.00000002.248835494.00000000044D4000.00000004.00000001.sdmp, QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.504281771.0000000000402000.00000040.00000001.sdmp | false | | high
http://crt.sectigo.com/SectigoRSADomainValidationS | QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.512543715.0000000005F63000.00000004.00000001.sdmp | false | Virustotal: 3%; Avira URL Cloud: safe | unknown
http://z61os6wyor.com | QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.509398240.00000000031E6000.00000004.00000001.sdmp, QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.509511016.00000000031F4000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://secure.comodo.com/CPS0 | QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | false | | high
https://api.telegram.org/bot%telegramapi%/sendDocumentdocument---------------------------x | QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | false | | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | QRN-CLJC-06112020149.PDF.exe, 00000000.00000002.248835494.00000000044D4000.00000004.00000001.sdmp, QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.504281771.0000000000402000.00000040.00000001.sdmp | false | URL Reputation: safe | unknown
https://api.ipify.org/( | QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | false | | high
https://api.ipify.orgGETMozilla/5.0 | QRN-CLJC-06112020149.PDF.exe, 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown

                                  Contacted IPs


                                  Public

IP | Domain | Country | ASN | ASN Name | Malicious
54.243.161.145 | unknown | United States | 14618 | AMAZON-AESUS | false
198.54.122.60 | unknown | United States | 22612 | NAMECHEAP-NETUS | false

                                  General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 321395
Start date: 21.11.2020
Start time: 09:24:52
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 52s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: QRN-CLJC-06112020149.PDF.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 24
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@6/5@3/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 99%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .exe
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, SgrmBroker.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe, wuapihost.exe
• TCP Packets have been reduced to 100
• Excluded IPs from analysis (whitelisted): 52.147.198.201, 13.88.21.125, 104.79.90.110, 51.104.144.132, 2.20.142.209, 2.20.142.210, 40.67.254.36, 52.155.217.156, 20.54.26.129, 52.142.114.176, 92.122.213.194, 92.122.213.247
• Excluded domains from analysis (whitelisted): au.download.windowsupdate.com.edgesuite.net, arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wns.notify.windows.com.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, g-msn-com-nsatc.trafficmanager.net, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, par02p.wns.notify.windows.com.akadns.net, db5p.wns.notify.windows.com.akadns.net, emea1.notify.windows.com.akadns.net, audownload.windowsupdate.nsatc.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, fs.microsoft.com, displaycatalog.md.mp.microsoft.com.akadns.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, a767.dscg3.akamai.net, skypedataprdcoleus16.cloudapp.net, ris.api.iris.microsoft.com, blobcollector.events.data.trafficmanager.net, skypedataprdcolwus15.cloudapp.net
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                                  Simulations

                                  Behavior and APIs

Time | Type | Description
09:25:48 | API Interceptor | 856x Sleep call for process: QRN-CLJC-06112020149.PDF.exe modified

                                  Joe Sandbox View / Context

                                  IPs

Match | Associated Sample Name / URL | Detection | Context
54.243.161.145 | REQUEST FOR QUOTATION-6container.exe | malicious | api.ipify.org/
54.243.161.145 | Request for Quote.doc | malicious | api.ipify.org/
54.243.161.145 | fw314FjnwM.exe | malicious | api.ipify.org/
54.243.161.145 | mT4sVN5EMN.exe | malicious | api.ipify.org, http://api.ipify.org/?format=json
54.243.161.145 | SecuriteInfo.com.ArtemisA49347BCE7B1.exe | malicious | api.ipify.org/
54.243.161.145 | JwzZ6mkzIG.exe | malicious | api.ipify.org/
54.243.161.145 | scandocuments_pdf.exe | malicious | api.ipify.org/
54.243.161.145 | RFQ_NEW029287652267.exe | malicious | api.ipify.org/
54.243.161.145 | Delivery Note - AWD 200038485852- 234920301190.exe | malicious | api.ipify.org/
54.243.161.145 | chibuike17.exe | malicious | api.ipify.org/
54.243.161.145 | file.exe | malicious | api.ipify.org/
54.243.161.145 | 5fNtovgDmX.exe | malicious | api.ipify.org/
54.243.161.145 | 0Cnb8v0C53.exe | malicious | api.ipify.org/?format=xml
54.243.161.145 | P9OFS5NEj0.exe | malicious | api.ipify.org/?format=xml
54.243.161.145 | VRRh2DUTnA.exe | malicious | api.ipify.org/?format=xml
54.243.161.145 | Payment.exe | malicious | api.ipify.org/
198.54.122.60 | Certificates Profile Details Of Our Company And About Us.exe | malicious |
198.54.122.60 | 74725794.no.exe | malicious |
198.54.122.60 | Certificates Profile Details Of Our Company.exe | malicious |
198.54.122.60 | xgarnica.exe | malicious |
198.54.122.60 | mcaceres.exe | malicious |
198.54.122.60 | DHL-#AWB130501923096PDF.exe | malicious |
198.54.122.60 | Quote Request.xlsx | malicious |
198.54.122.60 | QRN-CLJC-06112020149.PDF.exe | malicious |
198.54.122.60 | INFORMAC.EXE | malicious |
198.54.122.60 | bOP3MQqNAK.exe | malicious |
198.54.122.60 | E6YtI65Keq.exe | malicious |
198.54.122.60 | OEF6v7cotZ.exe | malicious |
198.54.122.60 | ZXzlzc794m.exe | malicious |
198.54.122.60 | NHBXMZhKAy.exe | malicious |
198.54.122.60 | PO-NM-30223 ( STH-JO-200960).exe | malicious |
198.54.122.60 | RFQ.exe | malicious |
198.54.122.60 | SSG0987R544.DPF.exe | malicious |
198.54.122.60 | HIioiKLlx9.exe | malicious |
198.54.122.60 | PO74215.exe | malicious |
198.54.122.60 | aY9ySgsJXn.exe | malicious |

                                                                          Domains

                                                                          MatchAssociated Sample Name / URLSHA 256DetectionLinkContext
                                                                          elb097307-934924932.us-east-1.elb.amazonaws.comyQDGREHA9h.exeGet hashmaliciousBrowse
                                                                          • 54.235.83.248
                                                                          mcsrXx9lfD.exeGet hashmaliciousBrowse
                                                                          • 54.235.83.248
 | SecuriteInfo.com.Trojan.PackedNET.461.20928.exe | malicious | 23.21.42.25
 | Defender-update-kit-x86x64.exe | malicious | 54.225.153.147
 | https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-us | malicious | 54.225.66.103
 | ORDER.exe | malicious | 54.235.142.93
 | Bill # 2.xlsx | malicious | 23.21.42.25
 | PO1.xlsx | malicious | 174.129.214.20
 | a7UZzCVWKO.exe | malicious | 54.204.14.42
 | QKLQkaCe9M.exe | malicious | 50.19.252.36
 | sAPuJAvs52.exe | malicious | 54.243.161.145
 | JlgyVmPWZr.exe | malicious | 174.129.214.20
 | EIUOzWW2JX.exe | malicious | 174.129.214.20
 | RVAgYSH2qh.exe | malicious | 54.235.142.93
 | yCyc4rN0u8.exe | malicious | 54.235.83.248
 | 9cXAnovmQX.exe | malicious | 54.225.66.103
 | T2HDck1Mmy.exe | malicious | 54.235.142.93
 | Purchase Order.exe | malicious | 54.225.66.103
 | Payment Advice Note from 19.11.2020.exe | malicious | 23.21.126.66
 | phy__1__31629__2649094674__1605642612.exe | malicious | 23.21.126.66
mail.privateemail.com | Certificates Profile Details Of Our Company And About Us.exe | malicious | 198.54.122.60
 | 74725794.no.exe | malicious | 198.54.122.60
 | Certificates Profile Details Of Our Company.exe | malicious | 198.54.122.60
 | xgarnica.exe | malicious | 198.54.122.60
 | mcaceres.exe | malicious | 198.54.122.60
 | DHL-#AWB130501923096PDF.exe | malicious | 198.54.122.60
 | Quote Request.xlsx | malicious | 198.54.122.60
 | QRN-CLJC-06112020149.PDF.exe | malicious | 198.54.122.60
 | INFORMAC.EXE | malicious | 198.54.122.60
 | bOP3MQqNAK.exe | malicious | 198.54.122.60
 | E6YtI65Keq.exe | malicious | 198.54.122.60
 | OEF6v7cotZ.exe | malicious | 198.54.122.60
 | ZXzlzc794m.exe | malicious | 198.54.122.60
 | NHBXMZhKAy.exe | malicious | 198.54.122.60
 | PO-NM-30223 ( STH-JO-200960).exe | malicious | 198.54.122.60
 | RFQ.exe | malicious | 198.54.122.60
 | SSG0987R544.DPF.exe | malicious | 198.54.122.60
 | HIioiKLlx9.exe | malicious | 198.54.122.60
 | PO74215.exe | malicious | 198.54.122.60
 | aY9ySgsJXn.exe | malicious | 198.54.122.60

                                                                          ASN

Match | Associated Sample Name / URL | Detection | Context
AMAZON-AES (US) | Purchase Order 40,7045$.exe | malicious | 52.71.133.130
 | Purchase Order 40,7045.exe | malicious | 54.208.77.124
 | Fennec Pharma .docx | malicious | 54.84.56.113
 | Fennec Pharma .docx | malicious | 54.84.56.113
 | Fennec Pharma.xlsx | malicious | 54.84.56.113
 | Fennec Pharma.xlsx | malicious | 54.84.56.113
 | https://albanesebros.sendx.io/lp/shared-doc.html | malicious | 3.213.165.33
 | http://www.openair.com | malicious | 34.202.206.65
 | https://faxfax.zizera.com/remittanceadvice | malicious | 184.73.218.177
 | http://webnavigator.co | malicious | 34.235.7.64
 | https://mcmms.typeform.com/to/Vtnb9OBC | malicious | 34.200.62.85
 | yQDGREHA9h.exe | malicious | 54.235.83.248
 | mcsrXx9lfD.exe | malicious | 54.235.83.248
 | SecuriteInfo.com.Trojan.PackedNET.461.20928.exe | malicious | 23.21.42.25
 | Defender-update-kit-x86x64.exe | malicious | 54.225.153.147
 | https://largemail.r1.rpost.net/files/7xU97qcFgCvB3Uv1wDC4qvS2ZriLfublohKWA5V3/ln/en-us | malicious | 54.225.66.103
 | ORDER.exe | malicious | 54.235.142.93
 | http://s1022.t.en25.com/e/er?s=1022&lid=2184&elqTrackId=BEDFF87609C7D9DEAD041308DD8FFFB8&lb_email=bkirwer%40farbestfoods.com&elq=b095bd096fb54161953a2cf8316b5d13&elqaid=3115&elqat=1 | malicious | 52.1.99.77
 | Bill # 2.xlsx | malicious | 23.21.42.25
 | https://ubereats.app.link/cwmLFZfMz5?%243p=a_custom_354088&%24deeplink_path=promo%2Fapply%3FpromoCode%3DRECONFORT7&%24desktop_url=tracking.spectrumemp.com/el?aid=8feeb968-bdd0-11e8-b27f-22000be0a14e&rid=50048635&pid=285843&cid=513&dest=overlordscan.com/cmV0by5tZXR6bGVyQGlzb2x1dGlvbnMuY2g=%23#kkowfocjoyuynaip# | malicious | 35.170.181.205
NAMECHEAP-NET (US) | Purchase Order 40,7045$.exe | malicious | 198.54.117.211
 | Purchase Order 40,7045.exe | malicious | 198.54.117.212
 | fqwBU8MyzT.rtf | malicious | 162.0.232.118
 | vOKMFxiCYt.exe | malicious | 162.0.232.118
 | http://rwiqipwvnklaqkuu.ltiliqhting.com/asci/SmFjcXVlbGluZS5TY2hyYWRlckByYWJvYmFuay5jb20= | malicious | 198.54.120.245
 | Payment conflict- aptiv 082920134110.htm | malicious | 198.54.116.10
 | Payment-244581781.doc | malicious | 198.187.29.39
 | Order List.xlsx | malicious | 198.54.117.216
 | https://u19114248.ct.sendgrid.net/ls/click?upn=1kMFt-2Foese19BdzKqBBNxmUiDNiO3l4ozyKR3JHYHjGXyXtR1YgfLizwybC7hwFoy4wlb-2FUZczInc9Ssmzz4dQ-3D-3DuU6r_TCf26aIMQHFUMJSqtVnzlcWBqfQpkiFxCOBj9heiSevnqRkiapxQjkatt3r5u5xw-2FNDgXhA220pIRwcKmyMneET98pBkuhL-2FUwJCaSrvE5mZhnMBtJdZf9Opljklq5t7Y-2BINqElPIJU8bjYLY27qV6L-2FSwA36husfmMqwKagSwOgE04FdniEmY9uEbym50XNhqKw9lgczv6HrSrYNm6ouXnIayW-2FSBLzGYxoTYKe6OA-3D | malicious | 198.54.114.178
 | Certificates Profile Details Of Our Company And About Us.exe | malicious | 198.54.122.60
 | Final-Payment-Receipt.exe | malicious | 162.0.236.49
 | Payment Advice.xls | malicious | 185.61.154.32
 | Payment Advice.xls | malicious | 185.61.154.32
 | Payment Advice.xls | malicious | 185.61.154.32
 | Documentation.478396766.doc | malicious | 198.187.31.83
 | Documentation.478396766.doc | malicious | 192.64.118.88
 | tl2gnGyMz6eLhZG.exe | malicious | 104.219.248.45
 | Purchase Order 40,7045.exe | malicious | 185.61.154.55
 | 74725794.no.exe | malicious | 198.54.122.60
 | Payment Advice - Advice Ref GLV823990339.exe | malicious | 198.54.120.58

                                                                          JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
3b5074b1b5d032e5620f69f9f700ff0e | yQDGREHA9h.exe | malicious | 54.243.161.145
 | mcsrXx9lfD.exe | malicious | 54.243.161.145
 | SecuriteInfo.com.Trojan.PackedNET.461.20928.exe | malicious | 54.243.161.145
 | ARjQJiNmBs.exe | malicious | 54.243.161.145
 | 1piS4PBvBp.exe | malicious | 54.243.161.145
 | ORDER.exe | malicious | 54.243.161.145
 | a7UZzCVWKO.exe | malicious | 54.243.161.145
 | QKLQkaCe9M.exe | malicious | 54.243.161.145
 | sAPuJAvs52.exe | malicious | 54.243.161.145
 | JlgyVmPWZr.exe | malicious | 54.243.161.145
 | EIUOzWW2JX.exe | malicious | 54.243.161.145
 | yCyc4rN0u8.exe | malicious | 54.243.161.145
 | 9cXAnovmQX.exe | malicious | 54.243.161.145
 | T2HDck1Mmy.exe | malicious | 54.243.161.145
 | Payment Advice Note from 19.11.2020.exe | malicious | 54.243.161.145
 | PO N0.1500243224._PDF.exe | malicious | 54.243.161.145
 | zRHI9DJ0YKIPfBX.exe | malicious | 54.243.161.145
 | chib(1).exe | malicious | 54.243.161.145
 | dede.exe | malicious | 54.243.161.145
 | obi(1).exe | malicious | 54.243.161.145
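The JA3 value matched above is the MD5 of five ordered ClientHello fields (handshake version, cipher suites, extension types, supported groups, EC point formats), so it can be recomputed from a PCAP to confirm or contest the match. The Python below is an added example for this write-up, not code from the Joe Sandbox report or from the sample. It parses a raw TLS ClientHello record, drops GREASE values as the JA3 specification requires, and returns the JA3 string and hash. The ClientHello bytes are constructed for illustration: they do not reproduce the sample's handshake and do not hash to 3b5074b1b5d032e5620f69f9f700ff0e; to reproduce the report's value, pass the ClientHello record captured from the sample's traffic instead.

```python
"""Derive a JA3 string and hash from a TLS ClientHello record.

Added example; not part of the report or the sample. The ClientHello used
at the bottom is constructed here and does not match the sample's traffic.
"""
import hashlib
import struct

# Reserved GREASE values (RFC 8701). JA3 ignores them so that clients which
# randomise GREASE per connection still produce a stable fingerprint.
GREASE = {0x0a0a, 0x1a1a, 0x2a2a, 0x3a3a, 0x4a4a, 0x5a5a, 0x6a6a, 0x7a7a,
          0x8a8a, 0x9a9a, 0xaaaa, 0xbaba, 0xcaca, 0xdada, 0xeaea, 0xfafa}


def _u16s(blob: bytes) -> list:
    """Decode a run of big-endian uint16 values (trailing odd byte ignored)."""
    n = len(blob) // 2
    return list(struct.unpack(f">{n}H", blob[: n * 2]))


def ja3_string(record: bytes) -> str:
    """Parse one TLS record carrying a ClientHello and return the JA3 string
    'version,ciphers,extensions,groups,point_formats' with GREASE removed."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:]                       # skip record header: type(1) version(2) length(2)
    if hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    p = 4                                 # handshake type(1) + length(3)
    version = struct.unpack(">H", hs[p:p + 2])[0]; p += 2   # client_version, not record version
    p += 32                               # random
    sid_len = hs[p]; p += 1 + sid_len     # session id
    cs_len = struct.unpack(">H", hs[p:p + 2])[0]; p += 2
    ciphers = [c for c in _u16s(hs[p:p + cs_len]) if c not in GREASE]; p += cs_len
    comp_len = hs[p]; p += 1 + comp_len   # compression methods
    ext_types, groups, formats = [], [], []
    if p + 2 <= len(hs):                  # extensions block is optional
        ext_len = struct.unpack(">H", hs[p:p + 2])[0]; p += 2
        end = p + ext_len
        while p + 4 <= end:
            etype, elen = struct.unpack(">HH", hs[p:p + 4]); p += 4
            data = hs[p:p + elen]; p += elen
            if etype in GREASE:
                continue
            ext_types.append(etype)
            if etype == 0x000a:           # supported_groups: u16 list length, then u16 ids
                groups = [g for g in _u16s(data[2:]) if g not in GREASE]
            elif etype == 0x000b:         # ec_point_formats: u8 list length, then u8 ids
                formats = list(data[1:])

    def dash(xs):
        return "-".join(str(x) for x in xs)

    return f"{version},{dash(ciphers)},{dash(ext_types)},{dash(groups)},{dash(formats)}"


def ja3_hash(record: bytes) -> str:
    """JA3 fingerprint: MD5 of the JA3 string, lowercase hex."""
    return hashlib.md5(ja3_string(record).encode()).hexdigest()


def build_client_hello(version: int, ciphers: list, extensions: list) -> bytes:
    """Assemble a minimal ClientHello record; `extensions` is a list of (type, data)."""
    ext_blob = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions)
    body = (struct.pack(">H", version) + bytes(32)          # client_version, zeroed random
            + b"\x00"                                       # empty session id
            + struct.pack(">H", 2 * len(ciphers)) + struct.pack(f">{len(ciphers)}H", *ciphers)
            + b"\x01\x00"                                   # one compression method: null
            + struct.pack(">H", len(ext_blob)) + ext_blob)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(handshake)) + handshake


# Constructed ClientHello with GREASE mixed in, as browser-style clients send it.
SAMPLE_HELLO = build_client_hello(
    0x0303,
    [0x1a1a, 0x1301, 0xc02b],                            # GREASE, TLS_AES_128_GCM_SHA256, ECDHE-ECDSA-AES128-GCM-SHA256
    [
        (0x0a0a, b""),                                   # GREASE extension
        (0x0000, b"\x00\x0f\x00\x00\x0cexample.test"),   # server_name
        (0x000a, b"\x00\x06\x2a\x2a\x00\x1d\x00\x17"),   # supported_groups: GREASE, x25519, secp256r1
        (0x000b, b"\x01\x00"),                           # ec_point_formats: uncompressed
    ],
)

if __name__ == "__main__":
    print(ja3_string(SAMPLE_HELLO))   # 771,4865-49195,0-10-11,29-23,0
    print(ja3_hash(SAMPLE_HELLO))
```

Two details matter when reproducing a sandbox's JA3 by hand: the version field is the handshake client_version (771, i.e. 0x0303, even for TLS 1.3 clients, which signal 1.3 in supported_versions), and the same ClientHello with and without its GREASE values must yield the same hash, which the function above guarantees by filtering GREASE in all three lists.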

                                                                          Dropped Files

                                                                          No context

                                                                          Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\QRN-CLJC-06112020149.PDF.exe.log
  Process: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe
  File Type: ASCII text, with CRLF line terminators
  Category: modified
  Size (bytes): 664
  Entropy (8bit): 5.288448637977022
  Encrypted: false
  SSDEEP: 12:Q3LaJU20NaL10Ug+9Yz9t0U29hJ5g1B0U2ukyrFk70U2xANlW3ANv:MLF20NaL3z2p29hJ5g522rW2xAi3A9
  MD5: B1DB55991C3DA14E35249AEA1BC357CA
  SHA1: 0DD2D91198FDEF296441B12F1A906669B279700C
  SHA-256: 34D3E48321D5010AD2BD1F3F0B728077E4F5A7F70D66FA36B57E5209580B6BDC
  SHA-512: BE38A31888C9C2F8047FA9C99672CB985179D325107514B7500DDA9523AE3E1D20B45EACC4E6C8A5D096360D0FBB98A120E63F38FFE324DF8A0559F6890CC801
  Malicious: true
  Reputation: moderate, very likely benign file
  Preview: 1,"fusion","GAC",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System\1ffc437de59fb69ba2b865ffdc98ffd1\System.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\cd7c74fce2a0eab72cd25cbe4bb61614\Microsoft.VisualBasic.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\54d944b3ca0ea1188d700fbd8089726b\System.Drawing.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\bd8d59c984c9f5f2695f64341115cdf0\System.Windows.Forms.ni.dll",0..3,"C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\35774dc3cd31b4550ab06c3354cf4ba5\System.Runtime.Remoting.ni.dll",0..

C:\Users\user\AppData\Local\Temp\tmpF5B4.tmp
  Process: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe
  File Type: XML 1.0 document, ASCII text, with CRLF line terminators
  Category: dropped
  Size (bytes): 1657
  Entropy (8bit): 5.1727086987515705
  Encrypted: false
  SSDEEP: 24:2dH4+SEqC/dp7hdMlNMFpdU/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBctn:cbhH7MlNQ8/rydbz9I3YODOLNdq3M
  MD5: DFF0C5D55DC1C14F7C3AF9CE63D4AB0D
  SHA1: F2A1480D0F5BEF7F65E33B08ACF3A939ECC2B2E1
  SHA-256: 7AC292D8D1EEB9830381CEBFC7C5F519FA1B2DCDA65C585CC9A44EEFE7761C2B
  SHA-512: 3771F6CA9654DE7A331C0F4BD276CE18AA90497335FECC2184F3C59E865D5573A7B74AC8BF21226385C9147D55C4AE9B42F94562FFE025BA11851BDD10AB317F
  Malicious: true
  Reputation: low
  Preview: <?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAv

C:\Users\user\AppData\Roaming\XwhZikir.exe
  Process: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe
  File Type: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
  Category: dropped
  Size (bytes): 813568
  Entropy (8bit): 7.826575098416478
  Encrypted: false
  SSDEEP: 12288:XAxd7LKgnXbr1BzSJeq/sQwINAj+IKCXc1G4ZE2YwhOTuXP9upRIkqW7otI:XAL6wltiJkNzjdQG4ZXD8iXYMIKI
  MD5: CDEFE555B30AA451BE1C4B519CCAA9A3
  SHA1: DDE5A61B58CE44A985EE7CA8D4A789140063616C
  SHA-256: 67BFF3C99F10C2B189DF24202F66A3901D355847AFEE7DE4F66C78AFF794C923
  SHA-512: 702CF45DD352D8E03D30E830A25B28E82696850AF72C7486BE0D42E32F208B2A669368879C19379CEA543F92CC9539D5E1347217A10FF96363B3F2519B01CBAA
  Malicious: true
  Antivirus:
  • Antivirus: Joe Sandbox ML, Detection: 100%
  • Antivirus: ReversingLabs, Detection: 33%
  Reputation: low
  Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P..^...........}... ........@.. ....................................@.................................P}..O.................................................................................... ............... ..H............text....]... ...^.................. ..`.rsrc................`..............@..@.reloc...............h..............@..B.................}......H.......d..............Pi...............................................0............(....(..........(.....o.....*.....................(.......( ......(!......("......(#....*N..(....o....($....*&..(%....*.s&........s'........s(........s)........s*........*....0...........~....o+....+..*.0...........~....o,....+..*.0...........~....o-....+..*.0...........~....o.....+..*.0...........~....o/....+..*.0..<........~.....(0.....,!r...p.....(1...o2...s3............~.....+..*.0......

C:\Users\user\AppData\Roaming\XwhZikir.exe:Zone.Identifier
  Process: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe
  File Type: ASCII text, with CRLF line terminators
  Category: dropped
  Size (bytes): 26
  Entropy (8bit): 3.95006375643621
  Encrypted: false
  SSDEEP: 3:ggPYV:rPYV
  MD5: 187F488E27DB4AF347237FE461A079AD
  SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
  SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
  SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
  Malicious: true
  Reputation: high, very likely benign file
  Preview: [ZoneTransfer]....ZoneId=0

C:\Users\user\AppData\Roaming\eeoodpic.1mz\Chrome\Default\Cookies
  Process: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe
  File Type: SQLite 3.x database, last written using SQLite version 3032001
  Category: dropped
  Size (bytes): 20480
  Entropy (8bit): 0.6969296358976265
  Encrypted: false
  SSDEEP: 24:TLbJLbXaFpEO5bNmISHn06UwcQPx5fBo2+tYeF+X:T5LLOpEO5J/Kn7U1uBo2UYeQ
  MD5: A9DBC7B8E523ABE3B02D77DBF2FCD645
  SHA1: DF5EE16ECF4B3B02E312F935AE81D4C5D2E91CA8
  SHA-256: 39B4E45A062DEA6F541C18FA1A15C5C0DB43A59673A26E2EB5B8A4345EE767AE
  SHA-512: 3CF87455263E395313E779D4F440D8405D86244E04B5F577BB9FA2F4A2069DE019D340F6B2F6EF420DEE3D3DEEFD4B58DA3FCA3BB802DE348E1A810D6379CC3B
  Malicious: false
  Reputation: moderate, very likely benign file
  Preview: SQLite format 3......@ ..........................................................................C....... ..g... .8....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                          Static File Info

                                                                          General

                                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                          Entropy (8bit):7.826575098416478
                                                                          TrID:
                                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                                          • Win32 Executable (generic) a (10002005/4) 49.75%
                                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                          • Windows Screen Saver (13104/52) 0.07%
                                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                                          File name:QRN-CLJC-06112020149.PDF.exe
                                                                          File size:813568
                                                                          MD5:cdefe555b30aa451be1c4b519ccaa9a3
                                                                          SHA1:dde5a61b58ce44a985ee7ca8d4a789140063616c
                                                                          SHA256:67bff3c99f10c2b189df24202f66a3901d355847afee7de4f66c78aff794c923
                                                                          SHA512:702cf45dd352d8e03d30e830a25b28e82696850af72c7486be0d42e32f208b2a669368879c19379cea543f92cc9539d5e1347217a10ff96363b3f2519b01cbaa
                                                                          SSDEEP:12288:XAxd7LKgnXbr1BzSJeq/sQwINAj+IKCXc1G4ZE2YwhOTuXP9upRIkqW7otI:XAL6wltiJkNzjdQG4ZXD8iXYMIKI
                                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......_..............P..^...........}... ........@.. ....................................@................................

                                                                          File Icon

                                                                          Icon Hash:00828e8e8686b000

                                                                          Static PE Info

                                                                          General

                                                                          Entrypoint:0x4c7da2
                                                                          Entrypoint Section:.text
                                                                          Digitally signed:false
                                                                          Imagebase:0x400000
                                                                          Subsystem:windows gui
                                                                          Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                                          DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
                                                                          Time Stamp:0x5FB79382 [Fri Nov 20 09:59:30 2020 UTC]
                                                                          TLS Callbacks:
                                                                          CLR (.Net) Version:v2.0.50727
                                                                          OS Version Major:4
                                                                          OS Version Minor:0
                                                                          File Version Major:4
                                                                          File Version Minor:0
                                                                          Subsystem Version Major:4
                                                                          Subsystem Version Minor:0
                                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                                          Entrypoint Preview

                                                                          Instruction
                                                                          jmp dword ptr [00402000h]
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al
                                                                          add byte ptr [eax], al

                                                                          Data Directories

                                                                          Name                                  Virtual Address  Virtual Size  Is in Section
                                                                          IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_IMPORT          0xc7d50          0x4f          .text
                                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE        0xc8000          0x608         .rsrc
                                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC       0xca000          0xc           .reloc
                                                                          IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                                          IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                                          Sections

                                                                          Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy         Characteristics
                                                                          .text   0x2000           0xc5da8       0xc5e00   False     0.828046036008   data       7.83443319066   IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                                          .rsrc   0xc8000          0x608         0x800     False     0.333984375      data       3.45453132973   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                                          .reloc  0xca000          0xc           0x200     False     0.044921875      data       0.0980041756627 IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                                          Resources

                                                                          Name         RVA      Size   Type                                                                          Language  Country
                                                                          RT_VERSION   0xc8090  0x378  data
                                                                          RT_MANIFEST  0xc8418  0x1ea  XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                                          Imports

                                                                          DLL          Import
                                                                          mscoree.dll  _CorExeMain

                                                                          Version Infos

                                                                          Description       Data
                                                                          Translation       0x0000 0x04b0
                                                                          LegalCopyright    Copyright 2009 GateWay Apply
                                                                          Assembly Version  5.0.3.0
                                                                          InternalName      b3Bd.exe
                                                                          FileVersion       5.0.0.0
                                                                          CompanyName       GateWay Apply
                                                                          LegalTrademarks
                                                                          Comments
                                                                          ProductName       Qusar BDJob Management
                                                                          ProductVersion    5.0.0.0
                                                                          FileDescription   Qusar BDJob Management
                                                                          OriginalFilename  b3Bd.exe

                                                                          Network Behavior

                                                                          Network Port Distribution

                                                                          TCP Packets

                                                                          Timestamp                          Source Port  Dest Port  Source IP       Dest IP
                                                                          Nov 21, 2020 09:27:18.192522049 CET  49747        443        192.168.2.7     54.243.161.145
                                                                          Nov 21, 2020 09:27:18.294951916 CET  443          49747      54.243.161.145  192.168.2.7
                                                                          Nov 21, 2020 09:27:18.295063972 CET  49747        443        192.168.2.7     54.243.161.145
                                                                          Nov 21, 2020 09:27:18.357414961 CET  49747        443        192.168.2.7     54.243.161.145
                                                                          Nov 21, 2020 09:27:18.459834099 CET  443          49747      54.243.161.145  192.168.2.7
                                                                          Nov 21, 2020 09:27:18.459892988 CET  443          49747      54.243.161.145  192.168.2.7
                                                                          Nov 21, 2020 09:27:18.459911108 CET  443          49747      54.243.161.145  192.168.2.7
                                                                          Nov 21, 2020 09:27:18.459953070 CET  443          49747      54.243.161.145  192.168.2.7
                                                                          Nov 21, 2020 09:27:18.459963083 CET  49747        443        192.168.2.7     54.243.161.145
                                                                          Nov 21, 2020 09:27:18.459965944 CET  443          49747      54.243.161.145  192.168.2.7
                                                                          Nov 21, 2020 09:27:18.460035086 CET  49747        443        192.168.2.7     54.243.161.145
                                                                          Nov 21, 2020 09:27:18.461131096 CET  443          49747      54.243.161.145  192.168.2.7
                                                                          Nov 21, 2020 09:27:18.502279997 CET  49747        443        192.168.2.7     54.243.161.145
                                                                          Nov 21, 2020 09:27:18.604996920 CET  443          49747      54.243.161.145  192.168.2.7
                                                                          Nov 21, 2020 09:27:18.651643991 CET  49747        443        192.168.2.7     54.243.161.145
                                                                          Nov 21, 2020 09:27:18.682792902 CET  49747        443        192.168.2.7     54.243.161.145
                                                                          Nov 21, 2020 09:27:18.788206100 CET  443          49747      54.243.161.145  192.168.2.7
                                                                          Nov 21, 2020 09:27:18.839154005 CET  49747        443        192.168.2.7     54.243.161.145
                                                                          Nov 21, 2020 09:27:22.156596899 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:22.324255943 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:22.324426889 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:22.493100882 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:22.497212887 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:22.664403915 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:22.664596081 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:22.665035963 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:22.832288980 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:22.833358049 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:23.000614882 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:23.002482891 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:23.002502918 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:23.002515078 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:23.002526045 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:23.002659082 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:23.040076971 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:23.207391024 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:23.208277941 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:23.208312988 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:23.208493948 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:23.227200031 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:23.394568920 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:23.394866943 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:23.395863056 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:23.563060045 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:23.565426111 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:23.565884113 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:23.733217955 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:23.735497952 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:23.736067057 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:23.903297901 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:23.907161951 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:23.907991886 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:24.075160027 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:24.115935087 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:24.116437912 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:24.283616066 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:24.285295963 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:24.287934065 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:24.288211107 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:24.288391113 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:24.288578033 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:24.455068111 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:24.455212116 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:24.455327988 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:24.455537081 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:24.502146006 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:24.542758942 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:24.705236912 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:24.706397057 CET  49749        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:24.871182919 CET  587          49749      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:24.871296883 CET  49749        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:24.872343063 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:24.872786045 CET  587          49748      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:24.872859001 CET  49748        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:25.036874056 CET  587          49749      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:25.037481070 CET  49749        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:25.201610088 CET  587          49749      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:25.201838970 CET  587          49749      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:25.202136040 CET  49749        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:25.366183996 CET  587          49749      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:25.367031097 CET  49749        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:25.531219959 CET  587          49749      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:25.531275988 CET  587          49749      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:25.531296015 CET  587          49749      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:25.531512976 CET  49749        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:25.534564018 CET  49749        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:25.536571980 CET  49749        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:25.698688984 CET  587          49749      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:25.698735952 CET  587          49749      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:25.700448990 CET  587          49749      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:25.700792074 CET  587          49749      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:25.701545000 CET  49749        587        192.168.2.7     198.54.122.60
                                                                          Nov 21, 2020 09:27:25.865628004 CET  587          49749      198.54.122.60   192.168.2.7
                                                                          Nov 21, 2020 09:27:25.866852045 CET58749749198.54.122.60192.168.2.7
                                                                          Nov 21, 2020 09:27:25.867408037 CET49749587192.168.2.7198.54.122.60
                                                                          Nov 21, 2020 09:27:26.031650066 CET58749749198.54.122.60192.168.2.7
                                                                          Nov 21, 2020 09:27:26.035135031 CET58749749198.54.122.60192.168.2.7
                                                                          Nov 21, 2020 09:27:26.035531044 CET49749587192.168.2.7198.54.122.60
                                                                          Nov 21, 2020 09:27:26.199805975 CET58749749198.54.122.60192.168.2.7
                                                                          Nov 21, 2020 09:27:26.202466965 CET58749749198.54.122.60192.168.2.7

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2020 09:25:42.707818985 CET | 54329 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:25:42.734991074 CET | 53 | 54329 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:25:43.447550058 CET | 58052 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:25:43.474596977 CET | 53 | 58052 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:25:44.651257992 CET | 54008 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:25:44.678397894 CET | 53 | 54008 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:25:45.795574903 CET | 59451 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:25:45.822757006 CET | 53 | 59451 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:25:47.166912079 CET | 52914 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:25:47.202555895 CET | 53 | 52914 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:25:48.808952093 CET | 64569 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:25:48.836057901 CET | 53 | 64569 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:25:50.345596075 CET | 52816 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:25:50.381453991 CET | 53 | 52816 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:25:51.491879940 CET | 50781 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:25:51.518984079 CET | 53 | 50781 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:25:52.833378077 CET | 54230 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:25:52.860532045 CET | 53 | 54230 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:25:53.851005077 CET | 54911 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:25:53.878101110 CET | 53 | 54911 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:25:54.648602009 CET | 49958 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:25:54.675689936 CET | 53 | 49958 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:25:55.853594065 CET | 50860 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:25:55.889377117 CET | 53 | 50860 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:25:56.513628960 CET | 50452 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:25:56.540740967 CET | 53 | 50452 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:25:59.628086090 CET | 59730 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:25:59.663594007 CET | 53 | 59730 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:26:13.417721987 CET | 59310 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:26:13.453461885 CET | 53 | 59310 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:26:31.607011080 CET | 51919 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:26:31.644329071 CET | 53 | 51919 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:26:33.014739037 CET | 64296 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:26:33.067392111 CET | 53 | 64296 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:26:35.065587044 CET | 56680 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:26:35.101301908 CET | 53 | 56680 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:26:35.512938976 CET | 58820 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:26:35.548549891 CET | 53 | 58820 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:26:35.989327908 CET | 60983 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:26:36.028019905 CET | 53 | 60983 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:26:36.322974920 CET | 49247 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:26:36.358740091 CET | 53 | 49247 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:26:36.614655018 CET | 52286 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:26:36.660595894 CET | 53 | 52286 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:26:36.702131987 CET | 56064 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:26:36.737735033 CET | 53 | 56064 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:26:37.120349884 CET | 63744 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:26:37.157901049 CET | 53 | 63744 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:26:37.759391069 CET | 61457 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:26:37.786513090 CET | 53 | 61457 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:26:38.517909050 CET | 58367 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:26:38.544979095 CET | 53 | 58367 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:26:39.565310955 CET | 60599 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:26:39.592513084 CET | 53 | 60599 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:26:40.546679020 CET | 59571 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:26:40.573904991 CET | 53 | 59571 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:26:42.512928009 CET | 52689 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:26:42.563261986 CET | 53 | 52689 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:26:43.213361025 CET | 50290 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:26:43.250516891 CET | 53 | 50290 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:27:10.861074924 CET | 60427 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:27:10.896924973 CET | 53 | 60427 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:27:18.139945984 CET | 56209 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:27:18.166903973 CET | 53 | 56209 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:27:21.173374891 CET | 59582 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:27:22.154793024 CET | 53 | 59582 | 8.8.8.8 | 192.168.2.7
Nov 21, 2020 09:27:33.820509911 CET | 60949 | 53 | 192.168.2.7 | 8.8.8.8
Nov 21, 2020 09:27:33.847554922 CET | 53 | 60949 | 8.8.8.8 | 192.168.2.7

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 21, 2020 09:26:42.512928009 CET | 192.168.2.7 | 8.8.8.8 | 0xc2c | Standard query (0) | g.msn.com | A (IP address) | IN (0x0001)
Nov 21, 2020 09:27:18.139945984 CET | 192.168.2.7 | 8.8.8.8 | 0xe4c8 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001)
Nov 21, 2020 09:27:21.173374891 CET | 192.168.2.7 | 8.8.8.8 | 0x23a4 | Standard query (0) | mail.privateemail.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 21, 2020 09:26:42.563261986 CET | 8.8.8.8 | 192.168.2.7 | 0xc2c | No error (0) | g.msn.com | g-msn-com-nsatc.trafficmanager.net | | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 09:27:18.166903973 CET | 8.8.8.8 | 192.168.2.7 | 0xe4c8 | No error (0) | api.ipify.org | nagano-19599.herokussl.com | | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 09:27:18.166903973 CET | 8.8.8.8 | 192.168.2.7 | 0xe4c8 | No error (0) | nagano-19599.herokussl.com | elb097307-934924932.us-east-1.elb.amazonaws.com | | CNAME (Canonical name) | IN (0x0001)
Nov 21, 2020 09:27:18.166903973 CET | 8.8.8.8 | 192.168.2.7 | 0xe4c8 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.243.161.145 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:27:18.166903973 CET | 8.8.8.8 | 192.168.2.7 | 0xe4c8 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.225.153.147 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:27:18.166903973 CET | 8.8.8.8 | 192.168.2.7 | 0xe4c8 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.21.252.4 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:27:18.166903973 CET | 8.8.8.8 | 192.168.2.7 | 0xe4c8 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.235.182.194 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:27:18.166903973 CET | 8.8.8.8 | 192.168.2.7 | 0xe4c8 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.235.83.248 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:27:18.166903973 CET | 8.8.8.8 | 192.168.2.7 | 0xe4c8 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 54.225.169.28 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:27:18.166903973 CET | 8.8.8.8 | 192.168.2.7 | 0xe4c8 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 23.21.42.25 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:27:18.166903973 CET | 8.8.8.8 | 192.168.2.7 | 0xe4c8 | No error (0) | elb097307-934924932.us-east-1.elb.amazonaws.com | | 174.129.214.20 | A (IP address) | IN (0x0001)
Nov 21, 2020 09:27:22.154793024 CET | 8.8.8.8 | 192.168.2.7 | 0x23a4 | No error (0) | mail.privateemail.com | | 198.54.122.60 | A (IP address) | IN (0x0001)

HTTPS Packets

Timestamp: Nov 21, 2020 09:27:18.461131096 CET
Source IP: 54.243.161.145
Source Port: 443
Dest IP: 192.168.2.7
Dest Port: 49747
Certificate chain (Subject | Issuer | Not Before | Not After):
CN=*.ipify.org, OU=PositiveSSL Wildcard, OU=Domain Control Validated | CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Wed Jan 24 01:00:00 CET 2018 | Sun Jan 24 00:59:59 CET 2021
CN=COMODO RSA Domain Validation Secure Server CA, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Wed Feb 12 01:00:00 CET 2014 | Mon Feb 12 00:59:59 CET 2029
CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Tue Jan 19 01:00:00 CET 2010 | Tue Jan 19 00:59:59 CET 2038
JA3 SSL Client Fingerprint: 771,49196-49195-49200-49199-159-158-49188-49187-49192-49191-49162-49161-49172-49171-157-156-61-60-53-47-10,0-10-11-13-35-23-65281,29-23-24,0
JA3 SSL Client Digest: 3b5074b1b5d032e5620f69f9f700ff0e

SMTP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 21, 2020 09:27:22.493100882 CET | 587 | 49748 | 198.54.122.60 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Nov 21, 2020 09:27:22.497212887 CET | 49748 | 587 | 192.168.2.7 | 198.54.122.60 | EHLO 715575
Nov 21, 2020 09:27:22.664596081 CET | 587 | 49748 | 198.54.122.60 | 192.168.2.7 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Nov 21, 2020 09:27:22.665035963 CET | 49748 | 587 | 192.168.2.7 | 198.54.122.60 | STARTTLS
Nov 21, 2020 09:27:22.832288980 CET | 587 | 49748 | 198.54.122.60 | 192.168.2.7 | 220 Ready to start TLS
Nov 21, 2020 09:27:25.036874056 CET | 587 | 49749 | 198.54.122.60 | 192.168.2.7 | 220 PrivateEmail.com prod Mail Node
Nov 21, 2020 09:27:25.037481070 CET | 49749 | 587 | 192.168.2.7 | 198.54.122.60 | EHLO 715575
Nov 21, 2020 09:27:25.201838970 CET | 587 | 49749 | 198.54.122.60 | 192.168.2.7 | 250-mta-13.privateemail.com
    250-PIPELINING
    250-SIZE 81788928
    250-ETRN
    250-AUTH PLAIN LOGIN
    250-ENHANCEDSTATUSCODES
    250-8BITMIME
    250 STARTTLS
Nov 21, 2020 09:27:25.202136040 CET | 49749 | 587 | 192.168.2.7 | 198.54.122.60 | STARTTLS
Nov 21, 2020 09:27:25.366183996 CET | 587 | 49749 | 198.54.122.60 | 192.168.2.7 | 220 Ready to start TLS

                                                                          Code Manipulations

                                                                          Statistics

                                                                          Behavior

                                                                          System Behavior

General

Start time: 09:25:47
Start date: 21/11/2020
Path: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe'
Imagebase: 0xd40000
File size: 813568 bytes
MD5 hash: CDEFE555B30AA451BE1C4B519CCAA9A3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.248253061.00000000034D1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.248835494.00000000044D4000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.248377338.0000000003525000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

General

Start time: 09:25:49
Start date: 21/11/2020
Path: C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\XwhZikir' /XML 'C:\Users\user\AppData\Local\Temp\tmpF5B4.tmp'
Imagebase: 0x280000
File size: 185856 bytes
MD5 hash: 15FF7D8324231381BAD48A052F85DF04
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:25:50
Start date: 21/11/2020
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff774ee0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 09:25:50
Start date: 21/11/2020
Path: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\QRN-CLJC-06112020149.PDF.exe
Imagebase: 0x690000
File size: 813568 bytes
MD5 hash: CDEFE555B30AA451BE1C4B519CCAA9A3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.504281771.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000003.00000002.508154788.00000000030B1000.00000004.00000001.sdmp, Author: Joe Security
Reputation: low

                                                                          Disassembly

                                                                          Code Analysis