Analysis Report LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe

Overview

General Information

Sample Name:	LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Analysis ID:	355833
MD5:	988bbc4bf9b82be5dfa915ecb1b63c49
SHA1:	c4a75851e915e5072a9ec720139a7693f3819f84
SHA256:	9af6ee7679b5e12c34b0530a2b7639c65b1ff8449930ed9a6156338a2eebbb98
Tags:	exeNanoCoreRAT
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Double Extension

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Binary contains a suspicious time stamp

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Abnormal high CPU Usage

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Creates processes with suspicious names

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Signatures

AV Detection:

Found malware configuration

Source: 00000015.00000002.370926802.0000000003E59000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "c4cca249-81f6-4232-9f14-01569e09f5f0", "Group": "JANUARY", "Domain1": "shahzad73.casacam.net", "Domain2": "shahzad73.ddns.net", "Port": 9036, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\FOvTZkul.exe

ReversingLabs: Detection: 12%

Multi AV Scanner detection for submitted file

Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe

ReversingLabs: Detection: 12%

Yara detected Nanocore RAT

Source: Yara match	File source: 00000015.00000002.365342774.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.493487439.0000000002DC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.280044415.0000000004209000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.281405044.00000000046F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.370926802.0000000003E59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.352145184.0000000003859000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.488637501.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.370366843.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 1236, type: MEMORY
Source: Yara match	File source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6336, type: MEMORY
Source: Yara match	File source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6908, type: MEMORY
Source: Yara match	File source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3e9b7ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea4c4d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3a413e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\FOvTZkul.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe

Joe Sandbox ML: detected

Antivirus or Machine Learning detection for unpacked file

Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49721 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49722 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49723 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49730 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49731 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49732 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49738 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49739 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49740 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49741 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49742 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49744 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49745 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49746 -> 91.212.153.84:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.5:49749 -> 91.212.153.84:9036

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: shahzad73.ddns.net
Source: Malware configuration extractor	URLs: shahzad73.casacam.net

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.5:49721 -> 91.212.153.84:9036

IP address seen in connection with other malware

Source: Joe Sandbox View

IP Address: 91.212.153.84 91.212.153.84

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: MYLOC-ASIPBackboneofmyLocmanagedITAGDE MYLOC-ASIPBackboneofmyLocmanagedITAGDE

Source: unknown

DNS traffic detected: queries for: shahzad73.casacam.net

Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.279958013.0000000003201000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.349317167.0000000002851000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.285862518.00000000072A2000.00000004.00000001.sdmp, LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.354228123.0000000005710000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)

Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.279627168.000000000147B000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Installs a raw input device (often for capturing keystrokes)

Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000015.00000002.370926802.0000000003E59000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Source: Yara match	File source: 00000015.00000002.365342774.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.493487439.0000000002DC1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.280044415.0000000004209000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.281405044.00000000046F7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.370926802.0000000003E59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.352145184.0000000003859000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.488637501.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.370366843.0000000002E51000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 1236, type: MEMORY
Source: Yara match	File source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6336, type: MEMORY
Source: Yara match	File source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6908, type: MEMORY
Source: Yara match	File source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3e9b7ee.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea4c4d.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3a413e8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Source: 00000015.00000002.365342774.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000015.00000002.365342774.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.280044415.0000000004209000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.280044415.0000000004209000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.281405044.00000000046F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.281405044.00000000046F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.370926802.0000000003E59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000F.00000002.352145184.0000000003859000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000F.00000002.352145184.0000000003859000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.488637501.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.488637501.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000015.00000002.370366843.0000000002E51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 1236, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 1236, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6336, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6336, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6908, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6908, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3e9b7ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3e9b7ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.2decaf8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea4c4d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.2eb9820.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3a413e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3a413e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth

Initial sample is a PE file and has a suspicious name

Source: initial sample

Static PE information: Filename: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe

Abnormal high CPU Usage

Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe

Process Stats: CPU usage > 98%

Detected potential crypto function

Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 0_2_0172F470	0_2_0172F470
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 0_2_0172F460	0_2_0172F460
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 0_2_0172D4FC	0_2_0172D4FC
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 0_2_056D1535	0_2_056D1535
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 7_2_012FE471	7_2_012FE471
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 7_2_012FE480	7_2_012FE480
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 7_2_012FBBD4	7_2_012FBBD4
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 15_2_068B3EF4	15_2_068B3EF4
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 15_2_068B0200	15_2_068B0200
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 15_2_068B3A70	15_2_068B3A70
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 15_2_068B01F0	15_2_068B01F0
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 15_2_068B6F77	15_2_068B6F77
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 21_2_0130E471	21_2_0130E471
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 21_2_0130E480	21_2_0130E480
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 21_2_0130BBD4	21_2_0130BBD4

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Yara signature match

Source: 00000015.00000002.365342774.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000015.00000002.365342774.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.280044415.0000000004209000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.280044415.0000000004209000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.281405044.00000000046F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.281405044.00000000046F7000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.370926802.0000000003E59000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000F.00000002.352145184.0000000003859000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000F.00000002.352145184.0000000003859000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.488637501.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.488637501.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000015.00000002.370366843.0000000002E51000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 1236, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 1236, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6336, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6336, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6908, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe PID: 6908, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3e9b7ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3e9b7ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3e9b7ee.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.2decaf8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.2decaf8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea4c4d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea4c4d.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.4729f40.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3988c08.1.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.2eb9820.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.2eb9820.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3a413e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 15.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3a413e8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.3ea0624.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/

Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: FOvTZkul.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/10@15/2

Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe

File created: C:\Users\user\AppData\Roaming\FOvTZkul.exe

Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.288486730.0000000009030000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.279627168.000000000147B000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.288762334.00000000096F0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.288762334.00000000096F0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000000.222149206.0000000000D40000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000007.00000002.493487439.0000000002DC1000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000007.00000002.489676838.0000000000A70000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000007.00000003.299491725.00000000065FD000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000000.291317278.0000000000480000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.356753641.0000000008720000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 0000000F.00000002.356277146.0000000006810000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameBunifu.UI.dll4 vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000014.00000002.344932562.00000000000C0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000015.00000000.346222068.00000000009E0000.00000002.00020000.sdmp	Binary or memory string: OriginalFilename vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000015.00000002.370926802.0000000003E59000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000015.00000002.370926802.0000000003E59000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000015.00000002.370926802.0000000003E59000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Binary or memory string: OriginalFilename vs LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5928:120:WilError_01
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{c4cca249-81f6-4232-9f14-01569e09f5f0}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_01
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Mutant created: \Sessions\1\BaseNamedObjects\WjOJCroITQdUbvUa

Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll	Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe 'C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FOvTZkul' /XML 'C:\Users\user\AppData\Local\Temp\tmp9968.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp4916.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe 'C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe' 0
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FOvTZkul' /XML 'C:\Users\user\AppData\Local\Temp\tmpA04.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe {path}
Source: unknown	Process created: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe {path}
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FOvTZkul' /XML 'C:\Users\user\AppData\Local\Temp\tmp9968.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process created: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp4916.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\FOvTZkul' /XML 'C:\Users\user\AppData\Local\Temp\tmpA04.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process created: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe {path}	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process created: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe {path}	Jump to behavior

Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 0_2_00CA758F push ss; retf	0_2_00CA7592
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 0_2_00CA6C8D push cs; ret	0_2_00CA6CEE
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 0_2_00CA6CF3 push es; ret	0_2_00CA6CF4
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 0_2_0172E520 push esp; retf	0_2_0172E521
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 7_2_009D6C8D push cs; ret	7_2_009D6CEE
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 7_2_009D758F push ss; retf	7_2_009D7592
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 7_2_009D6CF3 push es; ret	7_2_009D6CF4
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 15_2_003E6CF3 push es; ret	15_2_003E6CF4
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 15_2_003E758F push ss; retf	15_2_003E7592
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 15_2_003E6C8D push cs; ret	15_2_003E6CEE
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 20_2_0002758F push ss; retf	20_2_00027592
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 20_2_00026C8D push cs; ret	20_2_00026CEE
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 20_2_00026CF3 push es; ret	20_2_00026CF4
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 21_2_00946C8D push cs; ret	21_2_00946CEE
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 21_2_0094758F push ss; retf	21_2_00947592
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Code function: 21_2_00946CF3 push es; ret	21_2_00946CF4

Source: initial sample	Static PE information: section name: .text entropy: 7.95337285484
Source: initial sample	Static PE information: section name: .text entropy: 7.95337285484

Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 7.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 21.2.LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	File created: \list of delisted agencies 22nd feb 2021.pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	File created: \list of delisted agencies 22nd feb 2021.pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	File created: \list of delisted agencies 22nd feb 2021.pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	File created: \list of delisted agencies 22nd feb 2021.pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	File created: \list of delisted agencies 22nd feb 2021.pdf.exe	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	File created: \list of delisted agencies 22nd feb 2021.pdf.exe	Jump to behavior

Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Window / User API: threadDelayed 7129	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Window / User API: threadDelayed 1576	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Window / User API: foregroundWindowGot 612	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Window / User API: foregroundWindowGot 663	Jump to behavior

Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe TID: 6364	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe TID: 6136	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe TID: 1860	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe TID: 5584	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process token adjusted: Debug	Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Process token adjusted: Debug	Jump to behavior

Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Memory written: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe base: 400000 value starts with: 4D5A			Jump to behavior
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Memory written: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe base: 400000 value starts with: 4D5A			Jump to behavior

Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000007.00000002.493236016.00000000017D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000007.00000002.493236016.00000000017D0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000007.00000002.493236016.00000000017D0000.00000002.00000001.sdmp	Binary or memory string: SProgram Managerl
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000007.00000002.493236016.00000000017D0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd,
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000007.00000002.493236016.00000000017D0000.00000002.00000001.sdmp	Binary or memory string: Progmanlock

Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000000.00000002.281405044.00000000046F7000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000007.00000002.493487439.0000000002DC1000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000007.00000002.493487439.0000000002DC1000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000015.00000002.365342774.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe, 00000015.00000002.370926802.0000000003E59000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Name	Malicious	Antivirus Detection	Reputation
shahzad73.ddns.net	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
shahzad73.casacam.net	true	5%, Virustotal, Browse Avira URL Cloud: safe	unknown

Analysis Report LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Private

Contacted Domains

Contacted URLs

ID:	355833
Product:	CloudBasic
Start time:	07:41:00
Start date:	22.02.2021
Sample:	LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe
Cookbook:	default.jbs
System description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Architecture:	WINDOWS
MD5:	988bbc4bf9b82be5dfa915ecb1b63c49
SHA1:	c4a75851e915e5072a9ec720139a7693f3819f84
SHA256:	9af6ee7679b5e12c34b0530a2b7639c65b1ff8449930ed9a6156338a2eebbb98
Filetype:	Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe.log	ASCII text, with CRLF line terminators	FED34146BF2F2FA59DCF8702FCC8232E	B03BFEA175989D989850CF06FE5E7BBF56EAA00A	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
C:\Users\user\AppData\Local\Temp\tmp4916.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	0A5E79234918A9DC7421157353741D7B	BC266069355067D7392BF79C3D00247E9F087372	7F9B2BC813F0CA561A2CDFF31637BA263F485678E010B3B826852D84D86DB505
C:\Users\user\AppData\Local\Temp\tmp9968.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	2D032EADAECDA4DB625CF30C2002F552	3C1EE0FB3F3C69F04EE725902FE767B0690E3BC5	334E776DB8114F5D9354856A0827C69578508F04895770BF295844EBD3C26DCD
C:\Users\user\AppData\Local\Temp\tmpA04.tmp	XML 1.0 document, ASCII text, with CRLF line terminators	2D032EADAECDA4DB625CF30C2002F552	3C1EE0FB3F3C69F04EE725902FE767B0690E3BC5	334E776DB8114F5D9354856A0827C69578508F04895770BF295844EBD3C26DCD
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat	data	30D23CC577A89146961915B57F408623	9B5709D6081D8E0A570511E6E0AAE96FA041964F	E2130A72E55193D402B5F43F7F3584ECF6B423F8EC4B1B1B69AD693C7E0E5A9E
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat	ISO-8859 text, with no line terminators	70B0C2A7A87AC6FFCA5455CE1469ADD8	9C5A4BE670B5898E11ABB80D9722FC69E2B7B331	E3A50A2FC5598850A582C70D5279C0A9337109C279815754C74C76A559893F05
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin	data	4E5E92E2369688041CC82EF9650EDED2	15E44F2F3194EE232B44E9684163B6F66472C862	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat	data	2E52F446105FBF828E63CF808B721F9C	5330E54F238F46DC04C1AC62B051DB4FCD7416FB	2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat	ASCII text, with no line terminators	43AA8380E32959A51180B7AEA3859F9E	203641DD6CCD8889539BF48008CCFDADBC113800	83A8A0F122EC075D3E7989A32EF07461900ACAB91FCAED30A4F532203229DE96
C:\Users\user\AppData\Roaming\FOvTZkul.exe	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows	988BBC4BF9B82BE5DFA915ECB1B63C49	C4A75851E915E5072A9EC720139A7693F3819F84	9AF6EE7679B5E12C34B0530A2B7639C65B1FF8449930ED9A6156338A2EEBBB98