
Analysis Report checklist pdf.exe

Overview

General Information

Sample Name: checklist pdf.exe
Analysis ID: 323809
MD5: 33fb3c28df0f678c7c6ef72e7e748cb1
SHA1: ab7fbfdaf59bf4d6c79bb7acf2b59dad316675f9
SHA256: 5295f63f8452d5ac0fc3577cb720949db21efe807059e0a74cadd4d9bbbc941f
Tags: exe, NanoCore

Most interesting Screenshot:

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM_3
Yara detected Nanocore RAT
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign process
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

Startup

  • System is w10x64
  • checklist pdf.exe (PID: 4728 cmdline: 'C:\Users\user\Desktop\checklist pdf.exe' MD5: 33FB3C28DF0F678C7C6EF72E7E748CB1)
    • schtasks.exe (PID: 6100 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)
      • conhost.exe (PID: 6132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
Source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security
Source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp | Rule: NanoCore | Description: unknown | Author: Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
Source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0x130445:$x1: NanoCore.ClientPluginHost
  • 0x130482:$x2: IClientNetworkHost
  • 0x133fb5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
Source: 3.2.checklist pdf.exe.5440000.3.raw.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
Source: 3.2.checklist pdf.exe.5440000.3.raw.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
Source: 3.2.checklist pdf.exe.59b0000.6.unpack | Rule: Nanocore_RAT_Gen_2 | Description: Detetcs the Nanocore RAT | Author: Florian Roth
  • 0xd9ad:$x1: NanoCore.ClientPluginHost
  • 0xd9da:$x2: IClientNetworkHost
Source: 3.2.checklist pdf.exe.59b0000.6.unpack | Rule: Nanocore_RAT_Feb18_1 | Description: Detects Nanocore RAT | Author: Florian Roth
  • 0xd9ad:$x2: NanoCore.ClientPluginHost
  • 0xea88:$s4: PipeCreated
  • 0xd9c7:$s5: IClientLoggingHost
Source: 3.2.checklist pdf.exe.59b0000.6.unpack | Rule: JoeSecurity_Nanocore | Description: Yara detected Nanocore RAT | Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\checklist pdf.exe, ProcessId: 4648, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Sigma detected: Scheduled temp file as task from temp location
Source: Process started | Author: Joe Security | Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\checklist pdf.exe', ParentImage: C:\Users\user\Desktop\checklist pdf.exe, ParentProcessId: 4728, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp', ProcessId: 6100

Signature Overview


AV Detection:

Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\PUalpOJIfJW.exe | ReversingLabs: Detection: 37%
Multi AV Scanner detection for submitted file
Source: checklist pdf.exe | Virustotal: Detection: 32%
Source: checklist pdf.exe | ReversingLabs: Detection: 37%
Yara detected Nanocore RAT
Source: Yara match | File source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY
Source: Yara match | File source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY
Source: Yara match | File source: 3.2.checklist pdf.exe.59b0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.checklist pdf.exe.59b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: 3.2.checklist pdf.exe.400000.0.unpack | Avira: Label: TR/Dropper.MSIL.Gen7
Source: 3.2.checklist pdf.exe.59b0000.6.unpack | Avira: Label: TR/NanoCore.fadte
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 4x nop then jmp 04B4C14Ch | 0_2_04B4B3AC

Networking:

Uses dynamic DNS services
Source: unknown | DNS query: name: kingman1.ddns.net
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 194.5.98.129:4545
Source: Joe Sandbox View | ASN Name: DANILENKODE DANILENKODE
Source: unknown | DNS traffic detected: queries for: kingman1.ddns.net
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://fontfabrik.com
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: checklist pdf.exe, 00000000.00000003.236008822.0000000004E63000.00000004.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coma
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.carterandcone.coml
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/?
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers8
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designers?
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.fontbureau.com/designersG
Source: checklist pdf.exe, 00000000.00000003.246990634.0000000004E50000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.coma
Source: checklist pdf.exe, 00000000.00000003.246990634.0000000004E50000.00000004.00000001.sdmp | String found in binary or memory: http://www.fontbureau.come.comE
Source: checklist pdf.exe, 00000000.00000002.247712407.0000000000D27000.00000004.00000040.sdmp | String found in binary or memory: http://www.fonts.com
Source: checklist pdf.exe, 00000000.00000003.235767459.0000000004E5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.c&
Source: checklist pdf.exe, 00000000.00000003.235767459.0000000004E5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: checklist pdf.exe, 00000000.00000003.235767459.0000000004E5F000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnM1
Source: checklist pdf.exe, 00000000.00000003.235869978.0000000004E63000.00000004.00000001.sdmp | String found in binary or memory: http://www.founder.com.cn/cnb-n
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.goodfont.co.kr
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: checklist pdf.exe, 00000000.00000003.236732753.0000000004E5D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/)
Source: checklist pdf.exe, 00000000.00000003.236619084.0000000004E57000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/E
Source: checklist pdf.exe, 00000000.00000003.236448569.0000000004E5D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/H
Source: checklist pdf.exe, 00000000.00000003.236369930.0000000004E56000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/P
Source: checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/X
Source: checklist pdf.exe, 00000000.00000003.236732753.0000000004E5D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0
Source: checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0/E
Source: checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/Y0s
Source: checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/
Source: checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/H
Source: checklist pdf.exe, 00000000.00000003.236619084.0000000004E57000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/J
Source: checklist pdf.exe, 00000000.00000003.236517335.0000000004E5C000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/jp/v
Source: checklist pdf.exe, 00000000.00000003.236448569.0000000004E5D000.00000004.00000001.sdmp | String found in binary or memory: http://www.jiyu-kobo.co.jp/v
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sajatypeworks.com
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sakkal.com
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.sandoll.co.kr
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.tiro.com
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.typography.netD
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.urwpp.deDPlease
Source: checklist pdf.exe, 00000000.00000002.251725059.0000000004F40000.00000002.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cn
Source: checklist pdf.exe, 00000000.00000003.235981732.0000000004E64000.00000004.00000001.sdmp | String found in binary or memory: http://www.zhongyicts.com.cna
Source: checklist pdf.exe | String found in binary or memory: https://api.coinmarketcap.com/v1/ticker/
Source: checklist pdf.exe | String found in binary or memory: https://coinmarketcap.com/api/

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to log keystrokes (.Net Source)
Source: PUalpOJIfJW.exe.0.dr, Utilities/GlobalKeyboardHook.cs | .Net Code: Hook
Source: 0.0.checklist pdf.exe.2f0000.0.unpack, Utilities/GlobalKeyboardHook.cs | .Net Code: Hook
Source: 0.2.checklist pdf.exe.2f0000.0.unpack, Utilities/GlobalKeyboardHook.cs | .Net Code: Hook
Source: 3.2.checklist pdf.exe.a00000.1.unpack, Utilities/GlobalKeyboardHook.cs | .Net Code: Hook
Source: checklist pdf.exe, 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp | Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match | File source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY
Source: Yara match | File source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY
Source: Yara match | File source: 3.2.checklist pdf.exe.59b0000.6.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.checklist pdf.exe.59b0000.6.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.509908735.0000000005440000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: 3.2.checklist pdf.exe.5440000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.checklist pdf.exe.59b0000.6.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.checklist pdf.exe.59b0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detetcs the Nanocore RAT | Author: Florian Roth
Source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: NanoCore | Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 0_2_066A1A36 NtQuerySystemInformation
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 0_2_066A1A05 NtQuerySystemInformation
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 3_2_052C136A NtQuerySystemInformation
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 3_2_052C132F NtQuerySystemInformation
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 0_2_04B414B0
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 0_2_04B49CC1
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 0_2_04B4B3AC
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 0_2_04B427E4
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 0_2_04B44B30
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 0_2_04B49CF8
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 0_2_04B4A1C7
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 0_2_04B49D1C
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 3_2_01377ABE
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 3_2_05268468
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 3_2_05269068
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 3_2_052623A0
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 3_2_05262FA8
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 3_2_0526AEF8
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 3_2_0526912F
Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 3_2_0526306F
Source: checklist pdf.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PUalpOJIfJW.exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: checklist pdf.exe | Binary or memory string: OriginalFilename vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.247125807.00000000002F2000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamez3 vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.253340179.00000000065F0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.253869691.0000000006800000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameB2B.exe4 vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.254721885.0000000006FD0000.00000002.00000001.sdmp | Binary or memory string: originalfilename vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.254721885.0000000006FD0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.254226045.0000000006ED0000.00000002.00000001.sdmp | Binary or memory string: System.OriginalFileName vs checklist pdf.exe
Source: checklist pdf.exe, 00000000.00000002.253421979.0000000006650000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameMARCUS.dll4 vs checklist pdf.exe
Source: checklist pdf.exe | Binary or memory string: OriginalFilename vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.510666524.0000000006600000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.509231793.00000000052B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenameuser32j% vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.501952278.0000000000A02000.00000002.00020000.sdmp | Binary or memory string: OriginalFilenamez3 vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.509908735.0000000005440000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameClientPlugin.dll4 vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.510102364.00000000055B0000.00000002.00000001.sdmp | Binary or memory string: OriginalFilenamemscorrc.dllT vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameLzma#.dll4 vs checklist pdf.exe
Source: checklist pdf.exe, 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp | Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs checklist pdf.exe
Source: checklist pdf.exe | Binary or memory string: OriginalFilenamez3 vs checklist pdf.exe
Source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
Source: 00000003.00000002.501688763.0000000000402000.00000040.00000001.sdmp, type: MEMORY | Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
Source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
Source: 00000000.00000002.249652144.00000000039C9000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
Source: 00000003.00000002.509908735.0000000005440000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
Source: 00000003.00000002.509908735.0000000005440000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 00000003.00000002.508000940.0000000004267000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
Source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
Source: 00000000.00000002.250632075.0000000003BB3000.00000004.00000001.sdmp, type: MEMORY | Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
Source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
Source: 00000003.00000002.510380996.00000000059B0000.00000004.00000001.sdmp, type: MEMORY | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
Source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY | Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
Source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
Source: Process Memory Space: checklist pdf.exe PID: 4648, type: MEMORY | Matched rule: NanoCore (date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore)
Source: 3.2.checklist pdf.exe.5440000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
Source: 3.2.checklist pdf.exe.5440000.3.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 3.2.checklist pdf.exe.59b0000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
Source: 3.2.checklist pdf.exe.59b0000.6.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 3.2.checklist pdf.exe.59b0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
Source: 3.2.checklist pdf.exe.59b0000.6.raw.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Feb18_1 (date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/)
Source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Nanocore_RAT_Gen_2 (date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/)
        Source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
        Source: 3.2.checklist pdf.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
        Source: checklist pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: PUalpOJIfJW.exe.0.drStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
        Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
        Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'CreateDecryptor'
        Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.csCryptographic APIs: 'TransformFinalBlock'
        Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/4@23/2
        Source: C:\Users\user\Desktop\checklist pdf.exeCode function: 0_2_066A18BA AdjustTokenPrivileges,0_2_066A18BA
        Source: C:\Users\user\Desktop\checklist pdf.exeCode function: 0_2_066A1883 AdjustTokenPrivileges,0_2_066A1883
        Source: C:\Users\user\Desktop\checklist pdf.exeCode function: 3_2_052C112A AdjustTokenPrivileges,3_2_052C112A
        Source: C:\Users\user\Desktop\checklist pdf.exeCode function: 3_2_052C10F3 AdjustTokenPrivileges,3_2_052C10F3
        Source: C:\Users\user\Desktop\checklist pdf.exeFile created: C:\Users\user\AppData\Roaming\PUalpOJIfJW.exeJump to behavior
        Source: C:\Users\user\Desktop\checklist pdf.exeMutant created: \Sessions\1\BaseNamedObjects\kDLjLtOaX
        Source: C:\Users\user\Desktop\checklist pdf.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6132:120:WilError_01
        Source: C:\Users\user\Desktop\checklist pdf.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{4e4bd5d9-18d3-437e-8c11-5aa0bfb7769c}
        Source: C:\Users\user\Desktop\checklist pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmpECD4.tmpJump to behavior
        Source: C:\Users\user\Desktop\checklist pdf.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
        Source: C:\Users\user\Desktop\checklist pdf.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
        Source: C:\Users\user\Desktop\checklist pdf.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
        Source: C:\Users\user\Desktop\checklist pdf.exe | File read: C:\Users\user\Desktop\desktop.ini
        Source: C:\Users\user\Desktop\checklist pdf.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: checklist pdf.exe | Virustotal: Detection: 32%
        Source: checklist pdf.exe | ReversingLabs: Detection: 37%
        Source: C:\Users\user\Desktop\checklist pdf.exe | File read: C:\Users\user\Desktop\checklist pdf.exe
        Source: unknown | Process created: C:\Users\user\Desktop\checklist pdf.exe 'C:\Users\user\Desktop\checklist pdf.exe'
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp'
        Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknown | Process created: C:\Users\user\Desktop\checklist pdf.exe {path}
        Source: C:\Users\user\Desktop\checklist pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp'
        Source: C:\Users\user\Desktop\checklist pdf.exe | Process created: C:\Users\user\Desktop\checklist pdf.exe {path}
        Source: C:\Users\user\Desktop\checklist pdf.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32
        Source: C:\Users\user\Desktop\checklist pdf.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
        Source: checklist pdf.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
        Source: C:\Users\user\Desktop\checklist pdf.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
        Source: checklist pdf.exe | Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
        Source: Binary string: mscorrc.pdb | source: checklist pdf.exe, 00000000.00000002.253340179.00000000065F0000.00000002.00000001.sdmp, checklist pdf.exe, 00000003.00000002.510102364.00000000055B0000.00000002.00000001.sdmp

        Data Obfuscation:

        .NET source code contains potential unpacker
        Source: PUalpOJIfJW.exe.0.dr, SimpleTickerWindowsForms/SimpleTickerView.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.0.checklist pdf.exe.2f0000.0.unpack, SimpleTickerWindowsForms/SimpleTickerView.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 0.2.checklist pdf.exe.2f0000.0.unpack, SimpleTickerWindowsForms/SimpleTickerView.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.checklist pdf.exe.a00000.1.unpack, SimpleTickerWindowsForms/SimpleTickerView.cs | .Net Code: dddddddddddd System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs | .Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs | .Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
        Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 0_2_00A628AC push cs; ret 0_2_00A629AA
        Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 0_2_00A62C71 push es; ret 0_2_00A62C72
        Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 0_2_04B4575F push ecx; iretd 0_2_04B45760
        Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 3_2_01362BBD push cs; ret 3_2_01362BEA
        Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 3_2_01362BEC push cs; ret 3_2_01362BEA
        Source: initial sample | Static PE information: section name: .text entropy: 7.54197829505
        Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs | High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
        Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs | High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
        Source: C:\Users\user\Desktop\checklist pdf.exe | File created: C:\Users\user\AppData\Roaming\PUalpOJIfJW.exe (dropped file)

        Boot Survival:

        Uses schtasks.exe or at.exe to add and modify task schedules
        Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp'

        Hooking and other Techniques for Hiding and Protection:

        Hides that the sample has been downloaded from the Internet (zone.identifier)
        Source: C:\Users\user\Desktop\checklist pdf.exe | File opened: C:\Users\user\Desktop\checklist pdf.exe:Zone.Identifier read attributes | delete
        Source: C:\Users\user\Desktop\checklist pdf.exe | Process information set: NOOPENFILEERRORBOX

        Malware Analysis System Evasion:

        Yara detected AntiVM_3
        Source: Yara match | File source: 00000000.00000002.248350217.0000000002A3E000.00000004.00000001.sdmp, type: MEMORY
        Source: Yara match | File source: Process Memory Space: checklist pdf.exe PID: 4728, type: MEMORY
        Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAME
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: WINE_GET_UNIX_FILE_NAMEX1(R_
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLL
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: SBIEDLL.DLLX1(R(X
        Source: C:\Users\user\Desktop\checklist pdf.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
        Source: C:\Users\user\Desktop\checklist pdf.exe | Thread delayed: delay time: 922337203685477
        Source: C:\Users\user\Desktop\checklist pdf.exe | Window / User API: threadDelayed 745
        Source: C:\Users\user\Desktop\checklist pdf.exe | Window / User API: foregroundWindowGot 948
        Source: C:\Users\user\Desktop\checklist pdf.exe TID: 5356 | Thread sleep time: -41500s >= -30000s
        Source: C:\Users\user\Desktop\checklist pdf.exe TID: 5604 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\checklist pdf.exe TID: 5456 | Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Users\user\Desktop\checklist pdf.exe TID: 5456 | Thread sleep count: 194 > 30
        Source: C:\Users\user\Desktop\checklist pdf.exe TID: 5456 | Thread sleep count: 745 > 30
        Source: C:\Users\user\Desktop\checklist pdf.exe TID: 2268 | Thread sleep count: 316 > 30
        Source: C:\Users\user\Desktop\checklist pdf.exe TID: 5456 | Thread sleep count: 83 > 30
        Source: C:\Users\user\Desktop\checklist pdf.exe TID: 4440 | Thread sleep time: -220000s >= -30000s
        Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
        Source: C:\Users\user\Desktop\checklist pdf.exe | Code function: 3_2_052C0DB6 GetSystemInfo, 3_2_052C0DB6
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: VMware
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: VMware|9(r
        Source: checklist pdf.exe, 00000003.00000002.510666524.0000000006600000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: VMWAREX1(riy
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: QEMUX1(rX
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA IIX1(r
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: VMWARE
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: VMWARE|9(r
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: (r#"SOFTWARE\VMware, Inc.\VMware ToolsX1(rDy
        Source: checklist pdf.exe, 00000003.00000002.510666524.0000000006600000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
        Source: checklist pdf.exe, 00000003.00000002.510666524.0000000006600000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: vmwareX1(r{~
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: VMware
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: VMware |9(r
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: VMware SVGA II
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
        Source: checklist pdf.exe, 00000000.00000002.249543827.0000000002D4D000.00000004.00000001.sdmp | Binary or memory string: (r&%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\X1(r
        Source: checklist pdf.exe, 00000003.00000003.256504161.0000000001209000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
        Source: checklist pdf.exe, 00000003.00000002.510666524.0000000006600000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
        Source: C:\Users\user\Desktop\checklist pdf.exe | Process information queried: ProcessInformation
        Source: C:\Users\user\Desktop\checklist pdf.exe | Process token adjusted: Debug
        Source: C:\Users\user\Desktop\checklist pdf.exe | Memory allocated: page read and write | page guard

        HIPS / PFW / Operating System Protection Evasion:

        .NET source code references suspicious native API functions
        Source: PUalpOJIfJW.exe.0.dr, Utilities/GlobalKeyboardHook.cs | Reference to suspicious API methods: ('LoadLibrary', 'LoadLibrary@kernel32.dll')
        Source: 0.0.checklist pdf.exe.2f0000.0.unpack, Utilities/GlobalKeyboardHook.cs | Reference to suspicious API methods: ('LoadLibrary', 'LoadLibrary@kernel32.dll')
        Source: 0.2.checklist pdf.exe.2f0000.0.unpack, Utilities/GlobalKeyboardHook.cs | Reference to suspicious API methods: ('LoadLibrary', 'LoadLibrary@kernel32.dll')
        Source: 3.2.checklist pdf.exe.a00000.1.unpack, Utilities/GlobalKeyboardHook.cs | Reference to suspicious API methods: ('LoadLibrary', 'LoadLibrary@kernel32.dll')
        Source: 3.2.checklist pdf.exe.400000.0.unpack, u0023u003dqjryTBW16mUfo_ItH9KWoGQu003du003d.cs | Reference to suspicious API methods: ('#=qxG$Aklpbf6gyBfAqTMmORA==', 'OpenProcess@kernel32.dll'), ('#=qh7diH14jww3Fm9rMJ_jIfQ==', 'FindResourceEx@kernel32.dll')
        Injects a PE file into a foreign processes
        Source: C:\Users\user\Desktop\checklist pdf.exe | Memory written: C:\Users\user\Desktop\checklist pdf.exe base: 400000 value starts with: 4D5A
        Source: C:\Users\user\Desktop\checklist pdf.exe | Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\PUalpOJIfJW' /XML 'C:\Users\user\AppData\Local\Temp\tmpECD4.tmp'
        Source: C:\Users\user\Desktop\checklist pdf.exe | Process created: C:\Users\user\Desktop\checklist pdf.exe {path}
        Source: checklist pdf.exe, 00000003.00000003.256504161.0000000001209000.00000004.00000001.sdmp | Binary or memory string: Program Manager
        Source: checklist pdf.exe, 00000003.00000002.503557397.00000000017A0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
        Source: checklist pdf.exe, 00000003.00000002.503557397.00000000017A0000.00000002.00000001.sdmp | Binary or memory string: Progman
        Source: checklist pdf.exe, 00000003.00000002.503557397.00000000017A0000.00000002.00000001.sdmp | Binary or memory string: SProgram Managerl
        Source: checklist pdf.exe, 00000003.00000002.507713873.000000000343B000.00000004.00000001.sdmp | Binary or memory string: Program Manager0
        Source: checklist pdf.exe, 00000003.00000002.503557397.00000000017A0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd,
        Source: checklist pdf.exe, 00000003.00000002.503557397.00000000017A0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
        Source: C:\Users\user\Desktop\checklist pdf.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
        Source: C:\Users\user\Desktop\checklist pdf.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
        Source: C:\Users\user\Desktop\checklist pdf.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
        Source: C:\Users\user\Desktop\checklist pdf.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation