
Analysis Report PO#4018-308875.pdf.exe

Overview

General Information

Sample Name: PO#4018-308875.pdf.exe
Analysis ID: 341926
MD5: d90049e2aff303588e499820e0d9078c
SHA1: 1153f298db7e6aeed9c3a55c907dfa474ae9155f
SHA256: 761e77be2bbf6089f04b1901c44548bd4ff5ac873a74b1ca0e0604bb902eff22
Tags: exe, NanoCoreRAT

Detection

Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected Nanocore Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: NanoCore
Yara detected Nanocore RAT
.NET source code contains very large array initializations
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Uses an obfuscated file name to hide its real file extension (double extension)
Uses dynamic DNS services
Writes to foreign memory regions
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to launch a process as a different user
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file contains strange resources
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Startup

  • System is w10x64
  • PO#4018-308875.pdf.exe (PID: 6080 cmdline: 'C:\Users\user\Desktop\PO#4018-308875.pdf.exe' MD5: D90049E2AFF303588E499820E0D9078C)
    • cmd.exe (PID: 5444 cmdline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe' MD5: F3BDBE3BB6F734E357235F4D5898582D)
      • conhost.exe (PID: 5952 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • reg.exe (PID: 4636 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe' MD5: CEE2A7E57DF2A159A065A34913A055C2)
    • gfrdeswaq.exe (PID: 6764 cmdline: 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe' MD5: D90049E2AFF303588E499820E0D9078C)
      • InstallUtil.exe (PID: 6280 cmdline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe MD5: EFEC8C379D165E3F33B536739AEE26A3)
  • cleanup

Malware Configuration

Threatname: NanoCore

{"C2: ": ["185.162.88.26"], "Version: ": "NanoCore Client, Version=1.2.2.0"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings (listed below each row)
00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xff8d:$x1: NanoCore.ClientPluginHost
  • 0xffca:$x2: IClientNetworkHost
  • 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp | NanoCore | unknown | Kevin Breen <kevin@techanarchy.net>
  • 0xfcf5:$a: NanoCore
  • 0xfd05:$a: NanoCore
  • 0xff39:$a: NanoCore
  • 0xff4d:$a: NanoCore
  • 0xff8d:$a: NanoCore
  • 0xfd54:$b: ClientPlugin
  • 0xff56:$b: ClientPlugin
  • 0xff96:$b: ClientPlugin
  • 0xfe7b:$c: ProjectData
  • 0x10882:$d: DESCrypto
  • 0x1824e:$e: KeepAlive
  • 0x1623c:$g: LogClientMessage
  • 0x12437:$i: get_Connected
  • 0x10bb8:$j: #=q
  • 0x10be8:$j: #=q
  • 0x10c04:$j: #=q
  • 0x10c34:$j: #=q
  • 0x10c50:$j: #=q
  • 0x10c6c:$j: #=q
  • 0x10c9c:$j: #=q
  • 0x10cb8:$j: #=q
00000019.00000002.628566138.0000000005010000.00000004.00000001.sdmp | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
00000019.00000002.628566138.0000000005010000.00000004.00000001.sdmp | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
(18 entries in total; the remaining entries are not shown.)

Unpacked PEs

Source | Rule | Description | Author | Strings (listed below each row)
25.2.InstallUtil.exe.5010000.3.raw.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0xe75:$x1: NanoCore.ClientPluginHost
  • 0xe8f:$x2: IClientNetworkHost
25.2.InstallUtil.exe.5010000.3.raw.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xe75:$x2: NanoCore.ClientPluginHost
  • 0x1261:$s3: PipeExists
  • 0x1136:$s4: PipeCreated
  • 0xeb0:$s5: IClientLoggingHost
25.2.InstallUtil.exe.400000.0.unpack | Nanocore_RAT_Gen_2 | Detetcs the Nanocore RAT | Florian Roth
  • 0x1018d:$x1: NanoCore.ClientPluginHost
  • 0x101ca:$x2: IClientNetworkHost
  • 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
25.2.InstallUtil.exe.400000.0.unpack | Nanocore_RAT_Feb18_1 | Detects Nanocore RAT | Florian Roth
  • 0xff05:$x1: NanoCore Client.exe
  • 0x1018d:$x2: NanoCore.ClientPluginHost
  • 0x117c6:$s1: PluginCommand
  • 0x117ba:$s2: FileCommand
  • 0x1266b:$s3: PipeExists
  • 0x18422:$s4: PipeCreated
  • 0x101b7:$s5: IClientLoggingHost
25.2.InstallUtil.exe.400000.0.unpack | JoeSecurity_Nanocore | Yara detected Nanocore RAT | Joe Security
(7 entries in total; the remaining entries are not shown.)

Sigma Overview

System Summary:

Sigma detected: NanoCore
Source: File created; Author: Joe Security; Data: EventID: 11, Image: C:\Users\user\AppData\Local\Temp\InstallUtil.exe, ProcessId: 6280, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Signature Overview

AV Detection:

Found malware configuration
Source: InstallUtil.exe.6280.25.memstr; Malware Configuration Extractor: NanoCore {"C2: ": ["185.162.88.26"], "Version: ": "NanoCore Client, Version=1.2.2.0"}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe; ReversingLabs: Detection: 15%
Multi AV Scanner detection for submitted file
Source: PO#4018-308875.pdf.exe; ReversingLabs: Detection: 15%
Yara detected Nanocore RAT
Source: Yara match; File source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY
Source: Yara match; File source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPE
Source: 25.2.InstallUtil.exe.400000.0.unpack; Avira: Label: TR/Dropper.MSIL.Gen7
Source: 25.2.InstallUtil.exe.5220000.6.unpack; Avira: Label: TR/NanoCore.fadte

Compliance:

Uses 32bit PE files
Source: PO#4018-308875.pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO#4018-308875.pdf.exe; Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
Binary contains paths to debug symbols
Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000019.00000000.412603173.0000000000502000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr

Networking:

C2 URLs / IPs found in malware configuration
Source: Malware configuration extractor; IPs: 185.162.88.26
Uses dynamic DNS services
Source: unknown; DNS query: name: fenixalec.ddns.net
Source: global traffic; TCP traffic: 192.168.2.5:49729 -> 185.162.88.26:20911
Source: Joe Sandbox View; ASN Name: AS40676US AS40676US
Source: unknown; DNS traffic detected: queries for: fenixalec.ddns.net
Source: PO#4018-308875.pdf.exe, 00000000.00000003.331443931.00000000014C9000.00000004.00000001.sdmp; String found in binary or memory: http://ns.ado/Ident
Source: InstallUtil.exe, 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp; Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT
Source: Yara match; File source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match; File source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY
Source: Yara match; File source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPE
Source: Yara match; File source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.628566138.0000000005010000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.InstallUtil.exe.5010000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore; Author: Kevin Breen <kevin@techanarchy.net>
Source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
Source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPE; Matched rule: Detetcs the Nanocore RAT; Author: Florian Roth
.NET source code contains very large array initializations
Source: PO#4018-308875.pdf.exe, Cx1/r2K.cs; Large array initialization: .cctor: array initializer size 2491
Source: gfrdeswaq.exe.0.dr, Cx1/r2K.cs; Large array initialization: .cctor: array initializer size 2491
Source: 0.0.PO#4018-308875.pdf.exe.9d0000.0.unpack, Cx1/r2K.cs; Large array initialization: .cctor: array initializer size 2491
Source: 0.2.PO#4018-308875.pdf.exe.9d0000.0.unpack, Cx1/r2K.cs; Large array initialization: .cctor: array initializer size 2491
Source: 20.2.gfrdeswaq.exe.e50000.0.unpack, Cx1/r2K.cs; Large array initialization: .cctor: array initializer size 2491
Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: PO#4018-308875.pdf.exe
Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe; Code function: 20_2_05A13F34 CreateProcessAsUserW,
Source: Joe Sandbox View; Dropped File: C:\Users\user\AppData\Local\Temp\InstallUtil.exe 46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
Source: PO#4018-308875.pdf.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO#4018-308875.pdf.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO#4018-308875.pdf.exe; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gfrdeswaq.exe.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gfrdeswaq.exe.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: gfrdeswaq.exe.0.dr; Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: PO#4018-308875.pdf.exe, 00000000.00000002.333040710.0000000001430000.00000002.00000001.sdmp; Binary or memory string: System.OriginalFileName vs PO#4018-308875.pdf.exe
Source: PO#4018-308875.pdf.exe, 00000000.00000002.336488472.0000000003DF1000.00000004.00000001.sdmp; Binary or memory string: OriginalFilenameSHCore1.dll0 vs PO#4018-308875.pdf.exe
Source: PO#4018-308875.pdf.exe, 00000000.00000002.333139108.0000000001490000.00000002.00000001.sdmp; Binary or memory string: originalfilename vs PO#4018-308875.pdf.exe
Source: PO#4018-308875.pdf.exe, 00000000.00000002.333139108.0000000001490000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs PO#4018-308875.pdf.exe
Source: PO#4018-308875.pdf.exe, 00000000.00000002.341746042.0000000005530000.00000002.00000001.sdmp; Binary or memory string: OriginalFilenameKernelbase.dll.muij% vs PO#4018-308875.pdf.exe
Source: PO#4018-308875.pdf.exe; Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: unknown; Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.628566138.0000000005010000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000002.628566138.0000000005010000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.2.InstallUtil.exe.5010000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.InstallUtil.exe.5010000.3.raw.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE; Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPE; Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
      Source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPEMatched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
      Source: classification engineClassification label: mal100.troj.evad.winEXE@10/5@9/2
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeFile created: C:\Users\user\AppData\Roaming\gfrdeswaq.exe
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeMutant created: \Sessions\1\BaseNamedObjects\Global\{4c844ad7-de78-4c04-815b-d468ebb89811}
      Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5952:120:WilError_01
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
      Source: PO#4018-308875.pdf.exeStatic PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeFile read: C:\Users\user\Desktop\desktop.ini
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
      Source: PO#4018-308875.pdf.exeReversingLabs: Detection: 15%
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeFile read: C:\Users\user\Desktop\PO#4018-308875.pdf.exe
      Source: unknownProcess created: C:\Users\user\Desktop\PO#4018-308875.pdf.exe 'C:\Users\user\Desktop\PO#4018-308875.pdf.exe'
      Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
      Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      Source: unknownProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
      Source: unknownProcess created: C:\Users\user\AppData\Roaming\gfrdeswaq.exe 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
      Source: unknownProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeProcess created: C:\Users\user\AppData\Roaming\gfrdeswaq.exe 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
      Source: PO#4018-308875.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
      Source: PO#4018-308875.pdf.exeStatic PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
      Source: Binary string: InstallUtil.pdb\rvr hr_CorExeMainmscoree.dll source: InstallUtil.exe, 00000019.00000000.412603173.0000000000502000.00000002.00020000.sdmp, InstallUtil.exe.0.dr
      Source: Binary string: InstallUtil.pdb source: InstallUtil.exe, InstallUtil.exe.0.dr
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeCode function: 0_2_009D2AD4 pushad ; retf
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeCode function: 0_2_009D2ED1 push edx; ret
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeCode function: 0_2_009D36CC push eax; retf
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeCode function: 0_2_009D21C5 push ebx; ret
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeCode function: 0_2_013B15A0 pushad ; iretd
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeCode function: 0_2_013B161F pushad ; iretd
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeCode function: 0_2_0550C2B8 push 5DE58B90h; ret
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeCode function: 20_2_00E521C5 push ebx; ret
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeCode function: 20_2_00E536CC push eax; retf
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeCode function: 20_2_00E52AD4 pushad ; retf
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeCode function: 20_2_00E52ED1 push edx; ret
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeCode function: 20_2_0326161F pushad ; iretd
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeCode function: 25_2_04F769F8 pushad ; retf
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeFile created: C:\Users\user\AppData\Roaming\gfrdeswaq.exe
      Source: C:\Windows\SysWOW64\reg.exeRegistry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run olkkmmxxzaa

      Hooking and other Techniques for Hiding and Protection:

      Hides that the sample has been downloaded from the Internet (zone.identifier)
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeFile opened: C:\Users\user\Desktop\PO#4018-308875.pdf.exe\:Zone.Identifier read attributes | delete
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeFile opened: C:\Users\user\AppData\Roaming\gfrdeswaq.exe\:Zone.Identifier read attributes | delete
      Uses an obfuscated file name to hide its real file extension (double extension)
      Source: Possible double extension: pdf.exeStatic PE information: PO#4018-308875.pdf.exe
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeRegistry key monitored for changes: HKEY_CURRENT_USER_Classes
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess information set: NOOPENFILEERRORBOX
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeFile opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeThread delayed: delay time: 922337203685477
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeWindow / User API: threadDelayed 2655
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeWindow / User API: threadDelayed 7155
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeWindow / User API: threadDelayed 8964
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeWindow / User API: threadDelayed 840
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWindow / User API: threadDelayed 1392
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWindow / User API: threadDelayed 8306
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeWindow / User API: foregroundWindowGot 750
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe TID: 5928Thread sleep time: -11068046444225724s >= -30000s
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe TID: 5928Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe TID: 4528Thread sleep count: 2655 > 30
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exe TID: 4528Thread sleep count: 7155 > 30
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe TID: 6940Thread sleep time: -12912720851596678s >= -30000s
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe TID: 6940Thread sleep time: -30000s >= -30000s
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe TID: 6944Thread sleep count: 8964 > 30
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe TID: 6944Thread sleep count: 840 > 30
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exe TID: 6940Thread sleep count: 45 > 30
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exe TID: 6312Thread sleep time: -2767011611056431s >= -30000s
      Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
      Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmpBinary or memory string: VMware
      Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmpBinary or memory string: vmware svga
      Source: PO#4018-308875.pdf.exe, 00000000.00000002.342115569.0000000008108000.00000004.00000001.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\Device\CdRom0\??\Volume{e6e9dfd8-98f2-11e9-90ce-806e6f6e6963}\DosDevices\D:
      Source: PO#4018-308875.pdf.exe, 00000000.00000002.341746042.0000000005530000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.235703391.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.629244850.0000000006330000.00000002.00000001.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
      Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmpBinary or memory string: vmware
      Source: PO#4018-308875.pdf.exe, 00000000.00000002.336488472.0000000003DF1000.00000004.00000001.sdmp, gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmpBinary or memory string: tpautoconnsvc#Microsoft Hyper-V
      Source: PO#4018-308875.pdf.exe, 00000000.00000002.336488472.0000000003DF1000.00000004.00000001.sdmp, gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmpBinary or memory string: cmd.txtQEMUqemu
      Source: PO#4018-308875.pdf.exe, 00000000.00000002.336488472.0000000003DF1000.00000004.00000001.sdmp, gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmpBinary or memory string: vmusrvc
      Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmpBinary or memory string: vmsrvc
      Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmpBinary or memory string: vmtools
      Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmpBinary or memory string: vmware sata5vmware usb pointing device-vmware vmci bus deviceCvmware virtual s scsi disk device
      Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmpBinary or memory string: vboxservicevbox)Microsoft Virtual PC
      Source: PO#4018-308875.pdf.exe, 00000000.00000002.341746042.0000000005530000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.235703391.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.629244850.0000000006330000.00000002.00000001.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
      Source: PO#4018-308875.pdf.exe, 00000000.00000002.341746042.0000000005530000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.235703391.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.629244850.0000000006330000.00000002.00000001.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
      Source: gfrdeswaq.exe, 00000014.00000002.627687152.0000000004321000.00000004.00000001.sdmpBinary or memory string: virtual-vmware pointing device
      Source: PO#4018-308875.pdf.exe, 00000000.00000002.341746042.0000000005530000.00000002.00000001.sdmp, reg.exe, 00000004.00000002.235703391.0000000001140000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.629244850.0000000006330000.00000002.00000001.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeProcess information queried: ProcessInformation
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeProcess token adjusted: Debug
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeProcess token adjusted: Debug
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeProcess token adjusted: Debug
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeMemory allocated: page read and write | page guard

      HIPS / PFW / Operating System Protection Evasion:

      Allocates memory in foreign processes
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeMemory allocated: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 protect: page execute and read and write
      Injects a PE file into a foreign processes
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000 value starts with: 4D5A
      Writes to foreign memory regions
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 400000
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 402000
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 420000
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 422000
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeMemory written: C:\Users\user\AppData\Local\Temp\InstallUtil.exe base: 68C008
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeProcess created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeProcess created: C:\Users\user\AppData\Roaming\gfrdeswaq.exe 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
      Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeProcess created: C:\Users\user\AppData\Local\Temp\InstallUtil.exe C:\Users\user\AppData\Local\Temp\InstallUtil.exe
      Source: InstallUtil.exe, 00000019.00000002.625145136.0000000002DAD000.00000004.00000001.sdmpBinary or memory string: Program Manager
      Source: gfrdeswaq.exe, 00000014.00000002.620841266.0000000001CF0000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.621252206.00000000012F0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd
      Source: gfrdeswaq.exe, 00000014.00000002.620841266.0000000001CF0000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.621252206.00000000012F0000.00000002.00000001.sdmpBinary or memory string: Progman
      Source: gfrdeswaq.exe, 00000014.00000002.620841266.0000000001CF0000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.621252206.00000000012F0000.00000002.00000001.sdmpBinary or memory string: SProgram Managerl
      Source: InstallUtil.exe, 00000019.00000002.629234238.0000000005F6E000.00000004.00000001.sdmpBinary or memory string: Program Manager0
      Source: InstallUtil.exe, 00000019.00000002.622561201.0000000002A9B000.00000004.00000001.sdmpBinary or memory string: Program Managerx
      Source: gfrdeswaq.exe, 00000014.00000002.620841266.0000000001CF0000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.621252206.00000000012F0000.00000002.00000001.sdmpBinary or memory string: Shell_TrayWnd,
      Source: gfrdeswaq.exe, 00000014.00000002.620841266.0000000001CF0000.00000002.00000001.sdmp, InstallUtil.exe, 00000019.00000002.621252206.00000000012F0000.00000002.00000001.sdmpBinary or memory string: Progmanlock
      Source: InstallUtil.exe, 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmpBinary or memory string: Program Manager`
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeQueries volume information: C:\Users\user\Desktop\PO#4018-308875.pdf.exe VolumeInformation
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeQueries volume information: C:\Users\user\AppData\Roaming\gfrdeswaq.exe VolumeInformation
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Roaming\gfrdeswaq.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Users\user\AppData\Local\Temp\InstallUtil.exe VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
      Source: C:\Users\user\AppData\Local\Temp\InstallUtil.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
      Source: C:\Users\user\Desktop\PO#4018-308875.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

      Stealing of Sensitive Information:

Yara detected Nanocore RAT
      Source: Yara matchFile source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY
      Source: Yara matchFile source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPE

      Remote Access Functionality:

Detected Nanocore Rat
      Source: InstallUtil.exe, 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmpString found in binary or memory: NanoCore.ClientPluginHost
Source: InstallUtil.exe, 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmpString found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Yara detected Nanocore RAT
      Source: Yara matchFile source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, type: MEMORY
      Source: Yara matchFile source: Process Memory Space: InstallUtil.exe PID: 6280, type: MEMORY
      Source: Yara matchFile source: 25.2.InstallUtil.exe.400000.0.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 25.2.InstallUtil.exe.5220000.6.unpack, type: UNPACKEDPE
      Source: Yara matchFile source: 25.2.InstallUtil.exe.5220000.6.raw.unpack, type: UNPACKEDPE

      Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts1 | Windows Management Instrumentation | Valid Accounts1 | Valid Accounts1 | Masquerading11 | Input Capture11 | Query Registry1 | Remote Services | Input Capture11 | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scheduled Task/Job | Registry Run Keys / Startup Folder1 | Access Token Manipulation1 | Valid Accounts1 | LSASS Memory | Security Software Discovery111 | Remote Desktop Protocol | Archive Collected Data1 | Exfiltration Over Bluetooth | Non-Standard Port1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | At (Linux) | Logon Script (Windows) | Process Injection312 | Modify Registry1 | Security Account Manager | Virtualization/Sandbox Evasion3 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Remote Access Software1 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | At (Windows) | Logon Script (Mac) | Registry Run Keys / Startup Folder1 | Access Token Manipulation1 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Non-Application Layer Protocol1 | SIM Card Swap | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Virtualization/Sandbox Evasion3 | LSA Secrets | Application Window Discovery1 | SSH | Keylogging | Data Transfer Size Limits | Application Layer Protocol21 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Disable or Modify Tools1 | Cached Domain Credentials | File and Directory Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features
External Remote Services | Scheduled Task | Startup Items | Startup Items | Process Injection312 | DCSync | System Information Discovery12 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Hidden Files and Directories1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Obfuscated Files or Information12 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | Software Packing1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact

Behavior Graph

Behavior Graph ID: 341926, Sample: PO#4018-308875.pdf.exe, Startdate: 20/01/2021, Architecture: WINDOWS, Score: 100 (graph image not reproduced; the node data recoverable from it follows).

• Start node: fenixalec.ddns.net; signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; 8 other signatures
• PO#4018-308875.pdf.exe (started): dropped C:\Users\user\AppData\Roaming\gfrdeswaq.exe (PE32), C:\Users\user\AppData\...\InstallUtil.exe (PE32), C:\Users\...\gfrdeswaq.exe:Zone.Identifier (ASCII), C:\Users\user\...\PO#4018-308875.pdf.exe.log (ASCII); signature: Hides that the sample has been downloaded from the Internet (zone.identifier); started gfrdeswaq.exe and cmd.exe
• gfrdeswaq.exe: Multi AV Scanner detection for dropped file; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures; started InstallUtil.exe
• cmd.exe: started conhost.exe and reg.exe
• InstallUtil.exe: contacted fenixalec.ddns.net (185.162.88.26, ports 20911, 49729, 49730, AS40676US, Netherlands) and 192.168.2.1 (unknown); dropped C:\Users\user\AppData\Roaming\...\run.dat (data)


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
PO#4018-308875.pdf.exe | 15% | ReversingLabs | Win32.Trojan.Wacatac

      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | Metadefender |
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | 0% | ReversingLabs |
C:\Users\user\AppData\Roaming\gfrdeswaq.exe | 15% | ReversingLabs | Win32.Trojan.Wacatac

      Unpacked PE Files

Source | Detection | Scanner | Label
25.2.InstallUtil.exe.400000.0.unpack | 100% | Avira | TR/Dropper.MSIL.Gen7
25.2.InstallUtil.exe.5220000.6.unpack | 100% | Avira | TR/NanoCore.fadte

      Domains

Source | Detection | Scanner | Label
fenixalec.ddns.net | 4% | Virustotal |

      URLs

Source | Detection | Scanner | Label
http://ns.ado/Ident | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
fenixalec.ddns.net | 185.162.88.26 | true | true | | unknown

      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://ns.ado/Ident | PO#4018-308875.pdf.exe, 00000000.00000003.331443931.00000000014C9000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

      Contacted IPs

      Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.162.88.26 | unknown | Netherlands | 40676 | AS40676US | true

      Private

      IP
      192.168.2.1

      General Information

      Joe Sandbox Version:31.0.0 Red Diamond
      Analysis ID:341926
      Start date:20.01.2021
      Start time:07:29:15
      Joe Sandbox Product:CloudBasic
      Overall analysis duration:0h 11m 19s
      Hypervisor based Inspection enabled:false
      Report type:light
      Sample file name:PO#4018-308875.pdf.exe
      Cookbook file name:default.jbs
      Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
      Number of analysed new started processes analysed:35
      Number of new started drivers analysed:0
      Number of existing processes analysed:0
      Number of existing drivers analysed:0
      Number of injected processes analysed:0
      Technologies:
      • HCA enabled
      • EGA enabled
      • HDC enabled
      • AMSI enabled
      Analysis Mode:default
      Analysis stop reason:Timeout
      Detection:MAL
      Classification:mal100.troj.evad.winEXE@10/5@9/2
      EGA Information:Failed
      HDC Information:
      • Successful, ratio: 0.4% (good quality ratio 0.1%)
      • Quality average: 18.2%
      • Quality standard deviation: 32.6%
      HCA Information:
      • Successful, ratio: 100%
      • Number of executed functions: 0
      • Number of non-executed functions: 0
      Cookbook Comments:
      • Adjust boot time
      • Enable AMSI
      • Found application associated with file extension: .exe
      Warnings:
      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
      • TCP Packets have been reduced to 100
      • Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, RuntimeBroker.exe, WMIADAP.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe, wuapihost.exe
      • Excluded IPs from analysis (whitelisted): 104.43.193.48, 40.88.32.150, 51.104.139.180, 92.122.213.247, 92.122.213.194, 51.103.5.186, 20.54.26.129, 52.155.217.156
      • Excluded domains from analysis (whitelisted): displaycatalog-europeeap.md.mp.microsoft.com.akadns.net, client.wns.windows.com, arc.msn.com.nsatc.net, ris-prod.trafficmanager.net, displaycatalog.md.mp.microsoft.com.akadns.net, a1449.dscg2.akamai.net, wns.notify.windows.com.akadns.net, arc.msn.com, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, db5eap.displaycatalog.md.mp.microsoft.com.akadns.net, skypedataprdcoleus15.cloudapp.net, emea1.notify.windows.com.akadns.net, blobcollector.events.data.trafficmanager.net, displaycatalog.mp.microsoft.com, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, par02p.wns.notify.trafficmanager.net
      • Report size exceeded maximum capacity and may have missing behavior information.
      • Report size getting too big, too many NtOpenKeyEx calls found.
      • Report size getting too big, too many NtProtectVirtualMemory calls found.
      • Report size getting too big, too many NtQueryValueKey calls found.
      • Report size getting too big, too many NtReadVirtualMemory calls found.

      Simulations

      Behavior and APIs

Time | Type | Description
07:30:11 | API Interceptor | 201x Sleep call for process: PO#4018-308875.pdf.exe modified
07:30:12 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run olkkmmxxzaa C:\Users\user\AppData\Roaming\gfrdeswaq.exe
07:30:20 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run olkkmmxxzaa C:\Users\user\AppData\Roaming\gfrdeswaq.exe
07:31:03 | API Interceptor | 200x Sleep call for process: gfrdeswaq.exe modified

      Joe Sandbox View / Context

      IPs

Match | Associated Sample Name / URL | Detection | Context
185.162.88.26 | MEDUSI492126.pdf.exe | malicious |
| silkOrder00110.pdf.exe | malicious |
| Order_BC012356.pdf.exe | malicious |
| Document#20014464370.pdf.exe | malicious |

Domains

Match | Associated Sample Name / URL | Detection | Context
fenixalec.ddns.net | MEDUSI492126.pdf.exe | malicious | 185.162.88.26
| silkOrder00110.pdf.exe | malicious | 185.162.88.26
| Order_BC012356.pdf.exe | malicious | 185.162.88.26
| Document#20014464370.pdf.exe | malicious | 185.162.88.26

ASN

Match | Associated Sample Name / URL | Detection | Context
AS40676US | Ulma9B5jo1.exe | malicious | 104.149.57.92
| MEDUSI492126.pdf.exe | malicious | 185.162.88.26
| Request for Quotation.exe | malicious | 45.34.249.53
| silkOrder00110.pdf.exe | malicious | 185.162.88.26
| Order_BC012356.pdf.exe | malicious | 185.162.88.26
| Document#20014464370.pdf.exe | malicious | 185.162.88.26
| t1XJOlYvhExZyrm.exe | malicious | 104.225.208.15
| SWIFT_COPY00993Payment_advic4555pdf.exe | malicious | 172.106.111.244
| QN08qH1zYv.exe | malicious | 104.149.57.92
| SWIFT-COPY Payment advice3243343.exe | malicious | 172.106.111.244
| catalogo TAWI group.exe | malicious | 107.160.127.252
| Rfq 214871_TAWI Catalog.exe | malicious | 107.160.127.252
| Rfq_Catalog.exe | malicious | 107.160.127.252
| NPD76122.exe | malicious | 104.217.231.247
| h3dFAROdF3.exe | malicious | 104.217.231.248
| d2mISAbTQN.exe | malicious | 104.217.231.248
| n41pVXkYCe.exe | malicious | 104.217.231.248
| kqwqyoFz1C.exe | malicious | 104.217.231.248
| 53McmgaUJP.exe | malicious | 104.217.231.248
| BsR85tOyjL.exe | malicious | 104.217.231.248

JA3 Fingerprints

No context

Dropped Files

Match | Associated Sample Name / URL | Detection
C:\Users\user\AppData\Local\Temp\InstallUtil.exe | SecuriteInfo.com.Trojan.PackedNET.509.8504.exe | malicious
| IMG_80137.pdf.exe | malicious
| Ziraat Bankasi Swift Mesaji.exe | malicious
| MEDUSI492126.pdf.exe | malicious
| 2GNCGUZ6JU.exe | malicious
| IMG_53771.pdf.exe | malicious
| SecuriteInfo.com.Generic.mg.fb5363e0cae04979.exe | malicious
| Ziraat Bankasi Swift Mesaji.exe | malicious
| silkOrder00110.pdf.exe | malicious
| 74725794.exe | malicious
| 74725794.exe | malicious
| IMG_53091.pdf.exe | malicious
| IMG_71103.pdf.exe | malicious
| WjIKk3FzeI.exe | malicious
| iv2yPzJEMs.exe | malicious
| Jb4NE4iWz5.exe | malicious
| mmcrkHjIb3.exe | malicious
| fkGmyP7ryc.exe | malicious
| product supplies 10589TW.exe | malicious
| IMG_13791.pdf.exe | malicious

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO#4018-308875.pdf.exe.log
Process:C:\Users\user\Desktop\PO#4018-308875.pdf.exe
File Type:ASCII text, with CRLF line terminators
Category:modified
Size (bytes):1451
Entropy (8bit):5.345862727722058
Encrypted:false
SSDEEP:24:ML9E4Ks2eE4O1lEE4UVwPKDE4KhK3VZ9pKhuE4IWUAE4KI6no84G1qE4j:MxHKXeHKlEHU0YHKhQnouHIW7HKjovGm
MD5:06F54CDBFEF62849AF5AE052722BD7B6
SHA1:FB0250AAC2057D0B5BCE4CE130891E428F28DA05
SHA-256:4C039B93A728B546F49C47ED8B448D40A3553CDAABB147067AEE3958133CB446
SHA-512:34EF5F6D5EAB0E5B11AC81F0D72FC56304291EDEEF6D19DF7145FDECAB5D342767DBBC0B4384B8DECB5741E6B85A4B431DF14FBEB5DDF2DEE103064D2895EABB
Malicious:true
Reputation:moderate, very likely benign file
                                                      Preview: 1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..3,"PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\PresentationCore\820a27781e8540ca263d835ec155f1a5\PresentationCore.ni.dll",0..3,"PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Presentatio5ae0f00f#\889128adc9a7c9370e5e293f65060164\PresentationFramework.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","C:\Windows\assembly\NativeImages_v4.0.30319_32\Wi
C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Process:C:\Users\user\Desktop\PO#4018-308875.pdf.exe
File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):41064
Entropy (8bit):6.164873449128079
Encrypted:false
SSDEEP:384:FtpFVLK0MsihB9VKS7xdgE7KJ9Yl6dnPU3SERztmbqCJstdMardz/JikPZ+sPZTd:ZBMs2SqdD86Iq8gZZFyViML3an
MD5:EFEC8C379D165E3F33B536739AEE26A3
SHA1:C875908ACBA5CAC1E0B40F06A83F0F156A2640FA
SHA-256:46DEE184523A584E56DF93389F81992911A1BA6B1F05AD7D803C6AB1450E18CB
SHA-512:497847EC115D9AF78899E6DC20EC32A60B16954F83CF5169A23DD3F1459CB632DAC95417BD898FD1895C9FE2262FCBF7838FCF6919FB3B851A0557FBE07CCFFA
Malicious:true
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: SecuriteInfo.com.Trojan.PackedNET.509.8504.exe, Detection: malicious
• Filename: IMG_80137.pdf.exe, Detection: malicious
• Filename: Ziraat Bankasi Swift Mesaji.exe, Detection: malicious
• Filename: MEDUSI492126.pdf.exe, Detection: malicious
• Filename: 2GNCGUZ6JU.exe, Detection: malicious
• Filename: IMG_53771.pdf.exe, Detection: malicious
• Filename: SecuriteInfo.com.Generic.mg.fb5363e0cae04979.exe, Detection: malicious
• Filename: Ziraat Bankasi Swift Mesaji.exe, Detection: malicious
• Filename: silkOrder00110.pdf.exe, Detection: malicious
• Filename: 74725794.exe, Detection: malicious
• Filename: 74725794.exe, Detection: malicious
• Filename: IMG_53091.pdf.exe, Detection: malicious
• Filename: IMG_71103.pdf.exe, Detection: malicious
• Filename: WjIKk3FzeI.exe, Detection: malicious
• Filename: iv2yPzJEMs.exe, Detection: malicious
• Filename: Jb4NE4iWz5.exe, Detection: malicious
• Filename: mmcrkHjIb3.exe, Detection: malicious
• Filename: fkGmyP7ryc.exe, Detection: malicious
• Filename: product supplies 10589TW.exe, Detection: malicious
• Filename: IMG_13791.pdf.exe, Detection: malicious
Reputation:moderate, very likely benign file
                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Z.Z..............0..T...........r... ........@.. ....................................`.................................4r..O....................b..h>...........p............................................... ............... ..H............text....R... ...T.................. ..`.rsrc................V..............@..@.reloc...............`..............@..B................hr......H........"..|J..........lm.......o......................................2~.....o....*.r...p(....*VrK..p(....s.........*..0..........(....(....o....o....(....o.... .....T(....o....(....o....o ...o!....4(....o....(....o....o ...o".....(....rm..ps#...o....($........(%....o&....ry..p......%.r...p.%.(.....(....('....((.......o)...('........*.*................"..(*...*..{Q...-...}Q.....(+...(....(,....(+...*"..(-...*..(....*..(.....r...p.(/...o0...s....}T...*....0.. .......~S...-.s
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat
Process:C:\Users\user\AppData\Local\Temp\InstallUtil.exe
File Type:data
Category:dropped
Size (bytes):8
Entropy (8bit):3.0
Encrypted:false
SSDEEP:3:I6P:Iq
MD5:67B9DD027EDDE081BABBBB3F21F38634
SHA1:8D78824EB573B5241A92587DDA5BE4ABB877C66D
SHA-256:3A71BB34D6D0B9075ED5F864C16300AF74B34FE99A32A60EC212001830F4F3EC
SHA-512:6DC3178E91AD6653B0426D950F0E6A2ED52484D61FCC51CD0AF5FBD99EDFA6FFD9E9DE92BA1F4B851440406EBAECFA02CF92CF0F8ADA8ACD17C6C35E363EB6AC
Malicious:true
Reputation:low
Preview: ...zX..H
C:\Users\user\AppData\Roaming\gfrdeswaq.exe
Process:C:\Users\user\Desktop\PO#4018-308875.pdf.exe
File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:dropped
Size (bytes):783360
Entropy (8bit):5.789061235197813
Encrypted:false
SSDEEP:12288:NAagt50jwcEc6tvHpTkJ23d9ZSn9V9ovGPfiu:N3i08cEc6tvHpAIZSnb+vGXi
MD5:D90049E2AFF303588E499820E0D9078C
SHA1:1153F298DB7E6AEED9C3A55C907DFA474AE9155F
SHA-256:761E77BE2BBF6089F04B1901C44548BD4FF5AC873A74B1CA0E0604BB902EFF22
SHA-512:0AB4D1CCD24FA3174750B69F929C8DC34334F88941F1708E5EDC2FDB7498636AA0C441BB9BB7E54A1EBB246500DDBFDDBDBCCFD4FE1EC7EE16C14229AF1F9E89
                                                      Malicious:true
                                                      Antivirus:
                                                      • Antivirus: ReversingLabs, Detection: 15%
                                                      Reputation:low
                                                      Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-.D\.....................^........... ........@.. .......................@............`.....................................K.......N[................... ....................................................... ............... ..H............text........ ...................... ..`.rsrc...N[.......\..................@..@.reloc....... ......................@..B.......................H........x...:......C....B...6.............................................V.=y.....N..>..y..:..#..1.[....:.........SD8....F.=...6ix..D.J.....{....-.=..g..Y.........p";......}....M.......^.}.1..BX..t.,.|.>.B..v$j.V..v.o<i]s.(.).1.....-\..~..N!%..;v.@.3...?.6u...c".1.3p.^......F.....r..%.o.....L..F.........@[...`.~.......@o.#..P..5.Y....?..s~x.2V....|...z8.r%I.b.....6.....^r.!!......F....+Au...:uxr.;..x.=...xI..@K....uc.$..P.!AS.e.w.D .I....{...I..q/...6...
                                                      C:\Users\user\AppData\Roaming\gfrdeswaq.exe:Zone.Identifier
                                                      Process:C:\Users\user\Desktop\PO#4018-308875.pdf.exe
                                                      File Type:ASCII text, with CRLF line terminators
                                                      Category:dropped
                                                      Size (bytes):26
                                                      Entropy (8bit):3.95006375643621
                                                      Encrypted:false
                                                      SSDEEP:3:ggPYV:rPYV
                                                      MD5:187F488E27DB4AF347237FE461A079AD
                                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                      Malicious:true
                                                      Reputation:high, very likely benign file
                                                      Preview: [ZoneTransfer]....ZoneId=0

                                                      Static File Info

                                                      General

                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                      Entropy (8bit):5.789061235197813
                                                      TrID:
                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                      • DOS Executable Generic (2002/1) 0.01%
                                                      File name:PO#4018-308875.pdf.exe
                                                      File size:783360
                                                      MD5:d90049e2aff303588e499820e0d9078c
                                                      SHA1:1153f298db7e6aeed9c3a55c907dfa474ae9155f
                                                      SHA256:761e77be2bbf6089f04b1901c44548bd4ff5ac873a74b1ca0e0604bb902eff22
                                                      SHA512:0ab4d1ccd24fa3174750b69f929c8dc34334f88941f1708e5edc2fdb7498636aa0c441bb9bb7e54a1ebb246500ddbfddbdbccfd4fe1ec7ee16c14229af1f9e89
                                                      SSDEEP:12288:NAagt50jwcEc6tvHpTkJ23d9ZSn9V9ovGPfiu:N3i08cEc6tvHpAIZSnb+vGXi
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-.D\.....................^........... ........@.. .......................@............`................................

                                                      File Icon

                                                      Icon Hash:b2718f33292b177e

                                                      Static PE Info

                                                      General

                                                      Entrypoint:0x4ab2fe
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:32BIT_MACHINE, EXECUTABLE_IMAGE
                                                      DLL Characteristics:NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT, HIGH_ENTROPY_VA
                                                      Time Stamp:0x5C44F42D [Sun Jan 20 22:20:29 2019 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:v4.0.30319
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                      Entrypoint Preview

                                                      Instruction
                                                      jmp dword ptr [00402000h]
                                                      add byte ptr [eax], al

                                                      Data Directories

                                                       Name                                  Virtual Address  Virtual Size  Is in Section
                                                       IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_IMPORT          0xab2b0          0x4b          .text
                                                       IMAGE_DIRECTORY_ENTRY_RESOURCE        0xac000          0x15b4e       .rsrc
                                                       IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_BASERELOC       0xc2000          0xc           .reloc
                                                       IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                                       IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                                       IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                                       IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0

                                                      Sections

                                                       Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity  File Type  Entropy          Characteristics
                                                       .text   0x2000           0xa9304       0xa9400   False     0.526561923006   data       5.51757303939    IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
                                                       .rsrc   0xac000          0x15b4e       0x15c00   False     0.631824712644   data       7.26106977005    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                       .reloc  0xc2000          0xc           0x200     False     0.041015625      data       0.0815394123432  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                      Resources

                                                       Name           RVA      Size     Type  Language  Country
                                                       RT_ICON        0xac370  0x2e8    data
                                                       RT_ICON        0xac658  0x128    GLS_BINARY_LSB_FIRST
                                                       RT_ICON        0xac780  0xea8    data
                                                       RT_ICON        0xad628  0x8a8    data
                                                       RT_ICON        0xaded0  0x568    GLS_BINARY_LSB_FIRST
                                                       RT_ICON        0xae438  0x889f   PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
                                                       RT_ICON        0xb6cd8  0x4228   dBase IV DBT of \200.DBF, blocks size 0, block length 16896, next free block index 40, next free block 224, next used block 117440512
                                                       RT_ICON        0xbaf00  0x25a8   data
                                                       RT_ICON        0xbd4a8  0x1a68   data
                                                       RT_ICON        0xbef10  0x10a8   data
                                                       RT_ICON        0xbffb8  0x988    data
                                                       RT_ICON        0xc0940  0x6b8    data
                                                       RT_ICON        0xc0ff8  0x468    GLS_BINARY_LSB_FIRST
                                                       RT_GROUP_ICON  0xc1460  0xbc     data
                                                       RT_VERSION     0xc151c  0x448    data  English  United States
                                                       RT_MANIFEST    0xc1964  0x1ea    XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

                                                      Imports

                                                       DLL          Import
                                                       mscoree.dll  _CorExeMain

                                                      Version Infos

                                                       Description       Data
                                                       LegalCopyright    Copyright 2020 Maxthon Ltd. All rights reserved.
                                                       InternalName      mini_installer
                                                       CompanyShortName  Maxthon Ltd.
                                                       FileVersion       6.1.0.2000
                                                       CompanyName       Maxthon Ltd.
                                                       ProductShortName  Maxthon Installer
                                                       ProductName       Maxthon Installer
                                                       LastChange        94abc2237ae0c9a4cb5f035431c8adfb94324633-refs/branch-heads/4183@{#1658}
                                                       ProductVersion    6.1.0.2000
                                                       FileDescription   Maxthon Installer
                                                       Official Build    1
                                                       Translation       0x0409 0x04b0

                                                      Possible Origin

                                                       Language of compilation system  Country where language is spoken  Map
                                                       English                         United States

                                                      Network Behavior

                                                      Network Port Distribution

                                                      TCP Packets

                                                       Timestamp                            Source Port  Dest Port  Source IP      Dest IP
                                                       Jan 20, 2021 07:31:39.854502916 CET  49729        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:31:39.905483007 CET  20911        49729      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:31:40.408859015 CET  49729        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:31:40.459676027 CET  20911        49729      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:31:40.971297979 CET  49729        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:31:41.021905899 CET  20911        49729      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:31:45.101613045 CET  49730        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:31:45.152352095 CET  20911        49730      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:31:45.659298897 CET  49730        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:31:45.709918976 CET  20911        49730      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:31:46.221895933 CET  49730        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:31:46.272509098 CET  20911        49730      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:31:50.286111116 CET  49731        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:31:50.336662054 CET  20911        49731      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:31:50.847104073 CET  49731        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:31:50.897509098 CET  20911        49731      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:31:51.409755945 CET  49731        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:31:51.460391998 CET  20911        49731      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:31:55.742108107 CET  49732        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:31:55.792807102 CET  20911        49732      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:31:56.300697088 CET  49732        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:31:56.351223946 CET  20911        49732      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:31:56.863302946 CET  49732        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:31:56.914103985 CET  20911        49732      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:00.993782043 CET  49733        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:01.044477940 CET  20911        49733      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:01.551114082 CET  49733        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:01.601830006 CET  20911        49733      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:02.113833904 CET  49733        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:02.164552927 CET  20911        49733      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:06.242758989 CET  49734        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:06.293401957 CET  20911        49734      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:06.801650047 CET  49734        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:06.852528095 CET  20911        49734      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:07.364125967 CET  49734        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:07.414671898 CET  20911        49734      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:11.428158998 CET  49735        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:11.478652000 CET  20911        49735      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:11.989595890 CET  49735        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:12.040324926 CET  20911        49735      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:12.552088976 CET  49735        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:12.602437019 CET  20911        49735      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:16.616096973 CET  49736        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:16.666659117 CET  20911        49736      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:17.177428007 CET  49736        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:17.228347063 CET  20911        49736      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:17.740000010 CET  49736        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:17.790555000 CET  20911        49736      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:21.806370974 CET  49737        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:21.857095957 CET  20911        49737      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:22.365370035 CET  49737        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:22.416100025 CET  20911        49737      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:22.927898884 CET  49737        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:22.978466034 CET  20911        49737      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:27.107625961 CET  49738        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:27.158226967 CET  20911        49738      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:27.662640095 CET  49738        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:27.713306904 CET  20911        49738      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:28.225193977 CET  49738        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:28.275882006 CET  20911        49738      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:32.402971983 CET  49739        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:32.453649998 CET  20911        49739      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:32.961524963 CET  49739        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:33.012324095 CET  20911        49739      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:33.522510052 CET  49739        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:33.573262930 CET  20911        49739      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:37.712385893 CET  49740        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:37.763009071 CET  20911        49740      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:38.302246094 CET  49740        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:38.352889061 CET  20911        49740      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:38.992669106 CET  49740        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:39.043415070 CET  20911        49740      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:43.051678896 CET  49746        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:43.102233887 CET  20911        49746      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:43.608247995 CET  49746        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:43.658893108 CET  20911        49746      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:44.170759916 CET  49746        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:44.221250057 CET  20911        49746      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:48.235095024 CET  49752        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:48.285700083 CET  20911        49752      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:48.796133995 CET  49752        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:48.846766949 CET  20911        49752      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:49.358694077 CET  49752        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:49.409111977 CET  20911        49752      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:53.422578096 CET  49753        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:53.473304987 CET  20911        49753      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:53.984086990 CET  49753        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:54.034677029 CET  20911        49753      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:54.546641111 CET  49753        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:54.597167969 CET  20911        49753      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:58.883698940 CET  49754        20911      192.168.2.5    185.162.88.26
                                                       Jan 20, 2021 07:32:58.934469938 CET  20911        49754      185.162.88.26  192.168.2.5
                                                       Jan 20, 2021 07:32:59.437683105 CET  49754        20911      192.168.2.5    185.162.88.26
                                                      Jan 20, 2021 07:32:59.488444090 CET2091149754185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:33:00.000999928 CET4975420911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:33:00.051909924 CET2091149754185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:33:04.554666996 CET4975520911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:33:04.605324984 CET2091149755185.162.88.26192.168.2.5
                                                      Jan 20, 2021 07:33:05.110050917 CET4975520911192.168.2.5185.162.88.26
                                                      Jan 20, 2021 07:33:05.160808086 CET2091149755185.162.88.26192.168.2.5

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 20, 2021 07:30:00.328669071 CET | 59596 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:30:00.387139082 CET | 53 | 59596 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:30:01.378868103 CET | 65296 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:30:01.429608107 CET | 53 | 65296 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:30:02.159115076 CET | 63183 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:30:02.207123995 CET | 53 | 63183 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:30:03.067598104 CET | 60151 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:30:03.115561008 CET | 53 | 60151 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:30:15.570496082 CET | 56969 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:30:15.618387938 CET | 53 | 56969 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:30:16.518938065 CET | 55161 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:30:16.577927113 CET | 53 | 55161 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:30:30.826376915 CET | 54757 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:30:30.875653028 CET | 53 | 54757 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:30:36.568918943 CET | 49992 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:30:36.629512072 CET | 53 | 49992 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:30:49.575465918 CET | 60075 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:30:49.626271963 CET | 53 | 60075 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:30:50.580446005 CET | 55016 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:30:50.644397020 CET | 53 | 55016 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:30:53.665081978 CET | 64345 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:30:53.721483946 CET | 53 | 64345 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:31:27.587776899 CET | 57128 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:31:27.635565996 CET | 53 | 57128 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:31:55.679936886 CET | 54791 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:31:55.738428116 CET | 53 | 54791 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:32:00.930579901 CET | 50463 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:32:00.991537094 CET | 53 | 50463 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:32:06.184623957 CET | 50394 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:32:06.241209984 CET | 53 | 50394 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:32:27.046736956 CET | 58530 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:32:27.105943918 CET | 53 | 58530 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:32:32.341784000 CET | 53813 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:32:32.401135921 CET | 53 | 53813 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:32:37.644326925 CET | 63732 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:32:37.700372934 CET | 53 | 63732 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:32:39.441392899 CET | 57344 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:32:39.492288113 CET | 53 | 57344 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:32:40.285835981 CET | 54450 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:32:40.342093945 CET | 53 | 54450 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:32:41.056921959 CET | 59261 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:32:41.115889072 CET | 53 | 59261 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:32:41.594192982 CET | 57151 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:32:41.650599957 CET | 53 | 57151 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:32:42.263398886 CET | 59413 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:32:42.319693089 CET | 53 | 59413 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:32:43.092466116 CET | 60516 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:32:43.140361071 CET | 53 | 60516 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:32:43.907529116 CET | 51649 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:32:43.963603973 CET | 53 | 51649 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:32:45.203284025 CET | 65086 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:32:45.251498938 CET | 53 | 65086 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:32:46.543776035 CET | 56432 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:32:46.591660976 CET | 53 | 56432 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:32:48.046406984 CET | 52929 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:32:48.094095945 CET | 53 | 52929 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:32:58.664227962 CET | 64317 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:32:58.720607042 CET | 53 | 64317 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:33:04.489262104 CET | 61004 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:33:04.547322035 CET | 53 | 61004 | 8.8.8.8 | 192.168.2.5
Jan 20, 2021 07:33:09.955523014 CET | 56895 | 53 | 192.168.2.5 | 8.8.8.8
Jan 20, 2021 07:33:10.016967058 CET | 53 | 56895 | 8.8.8.8 | 192.168.2.5

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 20, 2021 07:31:55.679936886 CET | 192.168.2.5 | 8.8.8.8 | 0xe915 | Standard query (0) | fenixalec.ddns.net | A (IP address) | IN (0x0001)
Jan 20, 2021 07:32:00.930579901 CET | 192.168.2.5 | 8.8.8.8 | 0x85be | Standard query (0) | fenixalec.ddns.net | A (IP address) | IN (0x0001)
Jan 20, 2021 07:32:06.184623957 CET | 192.168.2.5 | 8.8.8.8 | 0xc998 | Standard query (0) | fenixalec.ddns.net | A (IP address) | IN (0x0001)
Jan 20, 2021 07:32:27.046736956 CET | 192.168.2.5 | 8.8.8.8 | 0xcce3 | Standard query (0) | fenixalec.ddns.net | A (IP address) | IN (0x0001)
Jan 20, 2021 07:32:32.341784000 CET | 192.168.2.5 | 8.8.8.8 | 0xa8b6 | Standard query (0) | fenixalec.ddns.net | A (IP address) | IN (0x0001)
Jan 20, 2021 07:32:37.644326925 CET | 192.168.2.5 | 8.8.8.8 | 0xa38c | Standard query (0) | fenixalec.ddns.net | A (IP address) | IN (0x0001)
Jan 20, 2021 07:32:58.664227962 CET | 192.168.2.5 | 8.8.8.8 | 0x60c2 | Standard query (0) | fenixalec.ddns.net | A (IP address) | IN (0x0001)
Jan 20, 2021 07:33:04.489262104 CET | 192.168.2.5 | 8.8.8.8 | 0x1fd9 | Standard query (0) | fenixalec.ddns.net | A (IP address) | IN (0x0001)
Jan 20, 2021 07:33:09.955523014 CET | 192.168.2.5 | 8.8.8.8 | 0x96aa | Standard query (0) | fenixalec.ddns.net | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 20, 2021 07:31:55.738428116 CET | 8.8.8.8 | 192.168.2.5 | 0xe915 | No error (0) | fenixalec.ddns.net | (none) | 185.162.88.26 | A (IP address) | IN (0x0001)
Jan 20, 2021 07:32:00.991537094 CET | 8.8.8.8 | 192.168.2.5 | 0x85be | No error (0) | fenixalec.ddns.net | (none) | 185.162.88.26 | A (IP address) | IN (0x0001)
Jan 20, 2021 07:32:06.241209984 CET | 8.8.8.8 | 192.168.2.5 | 0xc998 | No error (0) | fenixalec.ddns.net | (none) | 185.162.88.26 | A (IP address) | IN (0x0001)
Jan 20, 2021 07:32:27.105943918 CET | 8.8.8.8 | 192.168.2.5 | 0xcce3 | No error (0) | fenixalec.ddns.net | (none) | 185.162.88.26 | A (IP address) | IN (0x0001)
Jan 20, 2021 07:32:32.401135921 CET | 8.8.8.8 | 192.168.2.5 | 0xa8b6 | No error (0) | fenixalec.ddns.net | (none) | 185.162.88.26 | A (IP address) | IN (0x0001)
Jan 20, 2021 07:32:37.700372934 CET | 8.8.8.8 | 192.168.2.5 | 0xa38c | No error (0) | fenixalec.ddns.net | (none) | 185.162.88.26 | A (IP address) | IN (0x0001)
Jan 20, 2021 07:32:58.720607042 CET | 8.8.8.8 | 192.168.2.5 | 0x60c2 | No error (0) | fenixalec.ddns.net | (none) | 185.162.88.26 | A (IP address) | IN (0x0001)
Jan 20, 2021 07:33:04.547322035 CET | 8.8.8.8 | 192.168.2.5 | 0x1fd9 | No error (0) | fenixalec.ddns.net | (none) | 185.162.88.26 | A (IP address) | IN (0x0001)
Jan 20, 2021 07:33:10.016967058 CET | 8.8.8.8 | 192.168.2.5 | 0x96aa | No error (0) | fenixalec.ddns.net | (none) | 185.162.88.26 | A (IP address) | IN (0x0001)
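The TCP and DNS tables above show the pattern that makes this traffic worth flagging on its own, before any signature fires: a fresh connection from the sandbox host to 185.162.88.26:20911 roughly every five seconds, each one preceded by a new resolution of fenixalec.ddns.net (the client re-resolves the dynamic-DNS name before every reconnect, nine times in about 75 seconds). The following Python script is an added example and is not part of the Joe Sandbox report. It transcribes the first client packet of each TCP connection and the DNS answers from the tables into flow records, computes the reconnect interval and its jitter, and combines that with the non-standard port and the dynamic-DNS name into a simple C2-candidate score. The dynamic-DNS suffix list, the well-known-port set and the thresholds are assumptions to tune for your own environment, and timestamps are truncated to microseconds because datetime cannot hold the report's nanosecond field.

```python
"""Network triage for the report's traffic tables: beacon-interval analysis
and C2-candidate scoring.

Added example, not part of the sandbox report. Records are transcribed from
the report's TCP packet and DNS answer tables; the sandbox host is
192.168.2.5. Timestamps are truncated to microseconds.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LOCAL_IP = "192.168.2.5"

# First client->server packet of each TCP connection in the report
# (timestamp, client port, server ip, server port).
TCP_CONNECTIONS = [
    ("2021-01-20 07:32:32.402971", 49739, "185.162.88.26", 20911),
    ("2021-01-20 07:32:37.712385", 49740, "185.162.88.26", 20911),
    ("2021-01-20 07:32:43.051678", 49746, "185.162.88.26", 20911),
    ("2021-01-20 07:32:48.235095", 49752, "185.162.88.26", 20911),
    ("2021-01-20 07:32:53.422578", 49753, "185.162.88.26", 20911),
    ("2021-01-20 07:32:58.883698", 49754, "185.162.88.26", 20911),
    ("2021-01-20 07:33:04.554666", 49755, "185.162.88.26", 20911),
]

# DNS answers from the report (timestamp, name, address).
DNS_ANSWERS = [
    ("2021-01-20 07:31:55.738428", "fenixalec.ddns.net", "185.162.88.26"),
    ("2021-01-20 07:32:00.991537", "fenixalec.ddns.net", "185.162.88.26"),
    ("2021-01-20 07:32:06.241209", "fenixalec.ddns.net", "185.162.88.26"),
    ("2021-01-20 07:32:27.105943", "fenixalec.ddns.net", "185.162.88.26"),
    ("2021-01-20 07:32:32.401135", "fenixalec.ddns.net", "185.162.88.26"),
    ("2021-01-20 07:32:37.700372", "fenixalec.ddns.net", "185.162.88.26"),
    ("2021-01-20 07:32:58.720607", "fenixalec.ddns.net", "185.162.88.26"),
    ("2021-01-20 07:33:04.547322", "fenixalec.ddns.net", "185.162.88.26"),
    ("2021-01-20 07:33:10.016967", "fenixalec.ddns.net", "185.162.88.26"),
]

# Assumed lists: extend from your own dynamic-DNS inventory and port policy.
DYNDNS_SUFFIXES = ("ddns.net", "no-ip.org", "no-ip.biz", "duckdns.org",
                   "hopto.org", "zapto.org", "dyndns.org")
WELL_KNOWN_PORTS = {22, 25, 53, 80, 110, 143, 443, 465, 587, 993, 995, 3389, 8080, 8443}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f")


def beacon_stats(timestamps):
    """Mean gap between consecutive connections and its coefficient of
    variation (jitter). Returns None with fewer than three connections."""
    if len(timestamps) < 3:
        return None
    ts = sorted(parse_ts(t) for t in timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m, (pstdev(gaps) / m if m else float("inf"))


def names_for(ip, answers):
    """All names that resolved to ip in the captured answers."""
    return sorted({name for _, name, addr in answers if addr == ip})


def score_candidates(connections, answers, min_connections=5, max_cv=0.2):
    """Score each (server ip, port) pair; more reasons means a stronger C2 candidate."""
    by_server = defaultdict(list)
    for ts, _cport, sip, sport in connections:
        by_server[(sip, sport)].append(ts)
    findings = []
    for (sip, sport), stamps in by_server.items():
        reasons = []
        if sport not in WELL_KNOWN_PORTS:
            reasons.append("non_standard_port")
        names = names_for(sip, answers)
        if any(n.endswith(suf) for n in names for suf in DYNDNS_SUFFIXES):
            reasons.append("dynamic_dns")
        stats = beacon_stats(stamps)
        if stats and len(stamps) >= min_connections and stats[1] <= max_cv:
            reasons.append("periodic_reconnect")
        findings.append({
            "server": (sip, sport),
            "names": names,
            "connections": len(stamps),
            "resolutions": sum(1 for _, _n, a in answers if a == sip),
            "mean_interval": stats[0] if stats else None,
            "interval_cv": stats[1] if stats else None,
            "reasons": reasons,
            "score": len(reasons),
        })
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in score_candidates(TCP_CONNECTIONS, DNS_ANSWERS):
        print(finding)
```

On the report's data the single server pair scores on all three reasons, with a mean reconnect interval of about 5.36 s and a coefficient of variation near 0.03; the interval threshold is deliberately loose because NanoCore's reconnect timer is configurable and real deployments add jitter. Feed the same function with flow records from a proxy or NetFlow export and the DNS answers from your resolver logs to apply it outside the sandbox.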

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 07:30:05
Start date: 20/01/2021
Path: C:\Users\user\Desktop\PO#4018-308875.pdf.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\Desktop\PO#4018-308875.pdf.exe'
Imagebase: 0x9d0000
File size: 783360 bytes
MD5 hash: D90049E2AFF303588E499820E0D9078C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000000.00000002.337437485.0000000004734000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation: low

General

Start time: 07:30:09
Start date: 20/01/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: 'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Imagebase: 0x150000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:30:10
Start date: 20/01/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7ecfc0000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:30:10
Start date: 20/01/2021
Path: C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit): true
Commandline: REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' /f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Imagebase: 0x1320000
File size: 59392 bytes
MD5 hash: CEE2A7E57DF2A159A065A34913A055C2
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 07:30:55
Start date: 20/01/2021
Path: C:\Users\user\AppData\Roaming\gfrdeswaq.exe
Wow64 process (32bit): true
Commandline: 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'
Imagebase: 0xe50000
File size: 783360 bytes
MD5 hash: D90049E2AFF303588E499820E0D9078C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000014.00000002.627989417.0000000004C62000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000014.00000002.627812499.0000000004BCF000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:
• Detection: 15%, ReversingLabs
Reputation: low

General

Start time: 07:31:33
Start date: 20/01/2021
Path: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\AppData\Local\Temp\InstallUtil.exe
Imagebase: 0x500000
File size: 41064 bytes
MD5 hash: EFEC8C379D165E3F33B536739AEE26A3
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000019.00000002.618309984.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000019.00000002.628566138.0000000005010000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000019.00000002.628566138.0000000005010000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.621682158.0000000002971000.00000004.00000001.sdmp, Author: Joe Security
• Rule: Nanocore_RAT_Gen_2, Description: Detects the Nanocore RAT, Source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.628917829.0000000005220000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, Author: Joe Security
• Rule: NanoCore, Description: unknown, Source: 00000019.00000002.625511486.00000000039B9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Antivirus matches:
• Detection: 0%, Metadefender
• Detection: 0%, ReversingLabs
Reputation: moderate
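The process list above records three host-side behaviours that each deserve a detection independent of the Yara hits: the sample's double extension (PO#4018-308875.pdf.exe), Run-key persistence written through cmd.exe and reg.exe and pointing at a copy of the sample (same MD5) dropped in AppData\Roaming, and InstallUtil.exe, a signed .NET framework utility that normally lives under C:\Windows\Microsoft.NET\Framework, executing from AppData\Local\Temp with the NanoCore payload present in its memory (the report's 0x402000 region match). The Python script below is an added example, not part of the report; it applies those three checks to process-creation records transcribed from the entries above. The PIDs and parent links are assumptions, because the report does not print them, and the double-extension and framework-utility lists are starting points to extend.

```python
"""Host-behaviour triage over process-creation records.

Added example, not part of the sandbox report. It flags the behaviours
visible in the report's process list: a double-extension sample, Run-key
persistence written through cmd.exe -> reg.exe, and a .NET framework
utility (InstallUtil.exe) executing from a user-writable Temp directory.
Image paths and command lines are transcribed from the report; PIDs and
parent links are assumptions, because the report does not print them.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full image path
    cmdline: str


# Transcribed from the report's System Behavior section; pid/ppid are assumed.
SAMPLE_EVENTS = [
    ProcEvent(1000, 800, r"C:\Users\user\Desktop\PO#4018-308875.pdf.exe",
              r"'C:\Users\user\Desktop\PO#4018-308875.pdf.exe'"),
    ProcEvent(1100, 1000, r"C:\Windows\SysWOW64\cmd.exe",
              r"'cmd.exe' /c REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' "
              r"/f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'"),
    ProcEvent(1101, 1100, r"C:\Windows\System32\conhost.exe",
              r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"),
    ProcEvent(1102, 1100, r"C:\Windows\SysWOW64\reg.exe",
              r"REG ADD 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run' "
              r"/f /v 'olkkmmxxzaa' /t REG_SZ /d 'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'"),
    ProcEvent(1200, 1000, r"C:\Users\user\AppData\Roaming\gfrdeswaq.exe",
              r"'C:\Users\user\AppData\Roaming\gfrdeswaq.exe'"),
    ProcEvent(1300, 1200, r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe",
              r"C:\Users\user\AppData\Local\Temp\InstallUtil.exe"),
]

# Document-looking name followed by an executable extension.
DOUBLE_EXT = re.compile(r"\.(?:pdf|docx?|xlsx?|pptx?|txt|jpe?g|png|zip)\.(?:exe|scr|com)$", re.I)
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(?:appdata|desktop|downloads)\\", re.I)
# reg add to a Run/RunOnce key; group 1 is the value data (the autostart target).
RUN_KEY_ADD = re.compile(
    r"\breg(?:\.exe)?\s+add\s+['\"]?hk(?:cu|lm|ey_current_user|ey_local_machine)\\software\\microsoft"
    r"\\windows\\currentversion\\run(?:once)?\b.*?/d\s+['\"]?([^'\"]+)", re.I | re.S)
# Signed .NET utilities that belong under the framework directory; a copy
# running elsewhere is a classic target for process hollowing (assumed list).
FRAMEWORK_UTILS = {"installutil.exe", "regsvcs.exe", "regasm.exe", "msbuild.exe", "aspnet_compiler.exe"}
FRAMEWORK_DIR = re.compile(r"^[a-z]:\\windows\\microsoft\.net\\framework(?:64)?\\", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def ancestors(event, by_pid):
    """Parent chain, nearest first, stopping at an unknown parent or a cycle."""
    chain, seen = [], set()
    cur = by_pid.get(event.ppid)
    while cur and cur.pid not in seen:
        chain.append(cur)
        seen.add(cur.pid)
        cur = by_pid.get(cur.ppid)
    return chain


def triage(events):
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        name = basename(e.image).lower()
        if DOUBLE_EXT.search(name):
            findings.append({"rule": "double_extension", "pid": e.pid, "image": e.image})
        m = RUN_KEY_ADD.search(e.cmdline)
        if m and name == "reg.exe":   # report on the process that writes the value, not the cmd.exe wrapper
            target = m.group(1).strip()
            findings.append({
                "rule": "run_key_persistence", "pid": e.pid, "target": target,
                "severity": "high" if USER_WRITABLE.match(target) else "medium",
                "chain": [basename(a.image) for a in ancestors(e, by_pid)],
            })
        if name in FRAMEWORK_UTILS and not FRAMEWORK_DIR.match(e.image):
            findings.append({"rule": "dotnet_utility_outside_framework", "pid": e.pid, "image": e.image})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

The persistence finding carries the parent chain (cmd.exe, then the double-extension sample) so an analyst can see at a glance that the Run value was written by the dropper rather than by an installer, and the severity is raised because the autostart target sits in a user-writable directory. The same three checks map directly onto Sysmon event ID 1 or EDR process-creation telemetry; hashing the Run-key target and comparing it with the parent image, as the report's matching MD5 values invite, is a natural fourth rule.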

Disassembly

Code Analysis