Play interactive tour

Edit tour

Analysis Report Items_02559-02663.pdf.exe

Overview

General Information

Sample Name:	Items_02559-02663.pdf.exe
Analysis ID:	357332
MD5:	69b99b73945755df4628529e5a1bf6f8
SHA1:	0b4a98cf7c2cf5f1fb3480736a602ebe4bbb9746
SHA256:	0a31dde9dd611de5afef82eac6581588c5d8b034106a1f4eac68958b8bd526c2
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Sigma detected: Suspicious Double Extension

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Hides that the sample has been downloaded from the Internet (zone.identifier)

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Machine Learning detection for dropped file

Machine Learning detection for sample

Uses an obfuscated file name to hide its real file extension (double extension)

Uses schtasks.exe or at.exe to add and modify task schedules

Antivirus or Machine Learning detection for unpacked file

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains capabilities to detect virtual machines

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

Items_02559-02663.pdf.exe (PID: 1680 cmdline: 'C:\Users\user\Desktop\Items_02559-02663.pdf.exe' MD5: 69B99B73945755DF4628529E5A1BF6F8)

schtasks.exe (PID: 1900 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmp71AB.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 3220 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Items_02559-02663.pdf.exe (PID: 2920 cmdline: {path} MD5: 69B99B73945755DF4628529E5A1BF6F8)

Items_02559-02663.pdf.exe (PID: 1440 cmdline: {path} MD5: 69B99B73945755DF4628529E5A1BF6F8)

schtasks.exe (PID: 5716 cmdline: 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EF7.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 2860 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Items_02559-02663.pdf.exe (PID: 472 cmdline: C:\Users\user\Desktop\Items_02559-02663.pdf.exe 0 MD5: 69B99B73945755DF4628529E5A1BF6F8)

schtasks.exe (PID: 5688 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA1E.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 5912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

Items_02559-02663.pdf.exe (PID: 5880 cmdline: {path} MD5: 69B99B73945755DF4628529E5A1BF6F8)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "063b6e17-4321-4269-bf57-df94b570da06", "Group": "GIFT", "Domain1": "wilsonzz.webredirect.org", "Domain2": "thanks001.ddns.net", "Port": 9036, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n  <RegistrationInfo />\r\n  <Triggers />\r\n  <Principals>\r\n    <Principal id=\"Author\">\r\n      <LogonType>InteractiveToken</LogonType>\r\n      <RunLevel>HighestAvailable</RunLevel>\r\n    </Principal>\r\n  </Principals>\r\n  <Settings>\r\n    <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n    <AllowHardTerminate>true</AllowHardTerminate>\r\n    <StartWhenAvailable>false</StartWhenAvailable>\r\n    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n    <IdleSettings>\r\n      <StopOnIdleEnd>false</StopOnIdleEnd>\r\n      <RestartOnIdle>false</RestartOnIdle>\r\n    </IdleSettings>\r\n    <AllowStartOnDemand>true</AllowStartOnDemand>\r\n    <Enabled>true</Enabled>\r\n    <Hidden>false</Hidden>\r\n    <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n    <WakeToRun>false</WakeToRun>\r\n    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n    <Priority>4</Priority>\r\n  </Settings>\r\n  <Actions Context=\"Author\">\r\n    <Exec>\r\n      <Command>\"#EXECUTABLEPATH\"</Command>\r\n      <Arguments>$(Arg0)</Arguments>\r\n    </Exec>\r\n  </Actions>\r\n</Task"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1085d:$x1: NanoCore.ClientPluginHost 0xff29d:$x1: NanoCore.ClientPluginHost 0x1089a:$x2: IClientNetworkHost 0xff2da:$x2: IClientNetworkHost 0x143cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x102e0d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x105c5:$a: NanoCore 0x105d5:$a: NanoCore 0x10809:$a: NanoCore 0x1081d:$a: NanoCore 0x1085d:$a: NanoCore 0xff005:$a: NanoCore 0xff015:$a: NanoCore 0xff249:$a: NanoCore 0xff25d:$a: NanoCore 0xff29d:$a: NanoCore 0x10624:$b: ClientPlugin 0x10826:$b: ClientPlugin 0x10866:$b: ClientPlugin 0xff064:$b: ClientPlugin 0xff266:$b: ClientPlugin 0xff2a6:$b: ClientPlugin 0x1074b:$c: ProjectData 0xff18b:$c: ProjectData 0x11152:$d: DESCrypto 0xffb92:$d: DESCrypto 0x18b1e:$e: KeepAlive
0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x435d5:$a: NanoCore 0x4362e:$a: NanoCore 0x4366b:$a: NanoCore 0x436e4:$a: NanoCore 0x56d8f:$a: NanoCore 0x56da4:$a: NanoCore 0x56dd9:$a: NanoCore 0x6fd83:$a: NanoCore 0x6fd98:$a: NanoCore 0x6fdcd:$a: NanoCore 0x43637:$b: ClientPlugin 0x43674:$b: ClientPlugin 0x43f72:$b: ClientPlugin 0x43f7f:$b: ClientPlugin 0x56b4b:$b: ClientPlugin 0x56b66:$b: ClientPlugin 0x56b96:$b: ClientPlugin 0x56dad:$b: ClientPlugin 0x56de2:$b: ClientPlugin 0x6fb3f:$b: ClientPlugin 0x6fb5a:$b: ClientPlugin
00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x5e6b3:$a: NanoCore 0x5e70c:$a: NanoCore 0x5e749:$a: NanoCore 0x5e7c2:$a: NanoCore 0x86cc6:$a: NanoCore 0x86ceb:$a: NanoCore 0x86d44:$a: NanoCore 0x98f87:$a: NanoCore 0x98fad:$a: NanoCore 0x99009:$a: NanoCore 0xa5e6f:$a: NanoCore 0xa5ec8:$a: NanoCore 0xa5efb:$a: NanoCore 0xa6127:$a: NanoCore 0xa61a3:$a: NanoCore 0xa67bc:$a: NanoCore 0xa6905:$a: NanoCore 0xa6dd9:$a: NanoCore 0xa70c0:$a: NanoCore 0xa70d7:$a: NanoCore 0xaff87:$a: NanoCore
0000000A.00000002.737807407.00000000031E1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0000000A.00000002.737807407.00000000031E1000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x69407:$a: NanoCore 0x69460:$a: NanoCore 0x6949d:$a: NanoCore 0x69516:$a: NanoCore 0x69469:$b: ClientPlugin 0x694a6:$b: ClientPlugin 0x69da4:$b: ClientPlugin 0x69db1:$b: ClientPlugin 0x5f58a:$e: KeepAlive 0x698f1:$g: LogClientMessage 0x69871:$i: get_Connected 0x5983d:$j: #=q 0x5986d:$j: #=q 0x598a9:$j: #=q 0x598d1:$j: #=q 0x59901:$j: #=q 0x59931:$j: #=q 0x59961:$j: #=q 0x59991:$j: #=q 0x599ad:$j: #=q 0x599dd:$j: #=q
00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1085d:$x1: NanoCore.ClientPluginHost 0x4327d:$x1: NanoCore.ClientPluginHost 0x1089a:$x2: IClientNetworkHost 0x432ba:$x2: IClientNetworkHost 0x143cd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x46ded:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x105c5:$a: NanoCore 0x105d5:$a: NanoCore 0x10809:$a: NanoCore 0x1081d:$a: NanoCore 0x1085d:$a: NanoCore 0x42fe5:$a: NanoCore 0x42ff5:$a: NanoCore 0x43229:$a: NanoCore 0x4323d:$a: NanoCore 0x4327d:$a: NanoCore 0x10624:$b: ClientPlugin 0x10826:$b: ClientPlugin 0x10866:$b: ClientPlugin 0x43044:$b: ClientPlugin 0x43246:$b: ClientPlugin 0x43286:$b: ClientPlugin 0x1074b:$c: ProjectData 0x4316b:$c: ProjectData 0x11152:$d: DESCrypto 0x43b72:$d: DESCrypto 0x18b1e:$e: KeepAlive
Process Memory Space: Items_02559-02663.pdf.exe PID: 1440	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4ac92:$x1: NanoCore.ClientPluginHost 0x1bceb8:$x1: NanoCore.ClientPluginHost 0x1cc0da:$x1: NanoCore.ClientPluginHost 0x1d7dcc:$x1: NanoCore.ClientPluginHost 0x1ea95f:$x1: NanoCore.ClientPluginHost 0x1ed9af:$x1: NanoCore.ClientPluginHost 0x1f2a0e:$x1: NanoCore.ClientPluginHost 0x1f4d76:$x1: NanoCore.ClientPluginHost 0x1f8dc9:$x1: NanoCore.ClientPluginHost 0x1fff80:$x1: NanoCore.ClientPluginHost 0x204ddb:$x1: NanoCore.ClientPluginHost 0x2115cc:$x1: NanoCore.ClientPluginHost 0x2186f3:$x1: NanoCore.ClientPluginHost 0x3cd65e:$x1: NanoCore.ClientPluginHost 0x4acf3:$x2: IClientNetworkHost 0x1bcede:$x2: IClientNetworkHost 0x1cc11c:$x2: IClientNetworkHost 0x1d7e11:$x2: IClientNetworkHost 0x1ea9bc:$x2: IClientNetworkHost 0x1eda0c:$x2: IClientNetworkHost 0x1f4dd3:$x2: IClientNetworkHost
Process Memory Space: Items_02559-02663.pdf.exe PID: 1440	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Items_02559-02663.pdf.exe PID: 1440	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xc747:$a: NanoCore 0xc764:$a: NanoCore 0xc930:$a: NanoCore 0x4a797:$a: NanoCore 0x4a7b3:$a: NanoCore 0x4a90e:$a: NanoCore 0x4a91d:$a: NanoCore 0x4abf6:$a: NanoCore 0x4ac22:$a: NanoCore 0x4ac92:$a: NanoCore 0x5a6d4:$a: NanoCore 0x5a6e6:$a: NanoCore 0x5a722:$a: NanoCore 0xa7395:$a: NanoCore 0x13c849:$a: NanoCore 0x13c869:$a: NanoCore 0x195b6c:$a: NanoCore 0x195bd3:$a: NanoCore 0x195c76:$a: NanoCore 0x1bcdaa:$a: NanoCore 0x1bce4b:$a: NanoCore
Process Memory Space: Items_02559-02663.pdf.exe PID: 472	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2d4ed7:$x1: NanoCore.ClientPluginHost 0x2f3766:$x1: NanoCore.ClientPluginHost 0x2d4f38:$x2: IClientNetworkHost 0x2f37c7:$x2: IClientNetworkHost 0x2da33d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2e82af:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x2f8bcc:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x306b3e:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Items_02559-02663.pdf.exe PID: 472	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Items_02559-02663.pdf.exe PID: 472	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2d49dc:$a: NanoCore 0x2d49f8:$a: NanoCore 0x2d4b53:$a: NanoCore 0x2d4b62:$a: NanoCore 0x2d4e3b:$a: NanoCore 0x2d4e67:$a: NanoCore 0x2d4ed7:$a: NanoCore 0x2e4919:$a: NanoCore 0x2e492b:$a: NanoCore 0x2e4967:$a: NanoCore 0x2f326b:$a: NanoCore 0x2f3287:$a: NanoCore 0x2f33e2:$a: NanoCore 0x2f33f1:$a: NanoCore 0x2f36ca:$a: NanoCore 0x2f36f6:$a: NanoCore 0x2f3766:$a: NanoCore 0x3031a8:$a: NanoCore 0x3031ba:$a: NanoCore 0x3031f6:$a: NanoCore 0x2d4a83:$b: ClientPlugin
Process Memory Space: Items_02559-02663.pdf.exe PID: 5880	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8879:$x1: NanoCore.ClientPluginHost 0x313a4:$x1: NanoCore.ClientPluginHost 0x36f63:$x1: NanoCore.ClientPluginHost 0x48301:$x1: NanoCore.ClientPluginHost 0x80589:$x1: NanoCore.ClientPluginHost 0x88da:$x2: IClientNetworkHost 0x313ca:$x2: IClientNetworkHost 0x36fa8:$x2: IClientNetworkHost 0x48346:$x2: IClientNetworkHost 0x805af:$x2: IClientNetworkHost 0xdcdf:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x1bc51:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: Items_02559-02663.pdf.exe PID: 5880	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: Items_02559-02663.pdf.exe PID: 5880	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x6762:$a: NanoCore 0x837e:$a: NanoCore 0x839a:$a: NanoCore 0x84f5:$a: NanoCore 0x8504:$a: NanoCore 0x87dd:$a: NanoCore 0x8809:$a: NanoCore 0x8879:$a: NanoCore 0x182bb:$a: NanoCore 0x182cd:$a: NanoCore 0x18309:$a: NanoCore 0x31296:$a: NanoCore 0x31337:$a: NanoCore 0x313a4:$a: NanoCore 0x31465:$a: NanoCore 0x32336:$a: NanoCore 0x32389:$a: NanoCore 0x323c2:$a: NanoCore 0x32435:$a: NanoCore 0x36edd:$a: NanoCore 0x36f0a:$a: NanoCore
Click to see the 22 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.Items_02559-02663.pdf.exe.2df1408.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x6da5:$x1: NanoCore.ClientPluginHost 0x6dd2:$x2: IClientNetworkHost
4.2.Items_02559-02663.pdf.exe.2df1408.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x6da5:$x2: NanoCore.ClientPluginHost 0x7d74:$s2: FileCommand 0xc776:$s4: PipeCreated 0x6dbf:$s5: IClientLoggingHost
7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.Items_02559-02663.pdf.exe.2de3130.4.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2dbb:$x1: NanoCore.ClientPluginHost 0x2de5:$x2: IClientNetworkHost
4.2.Items_02559-02663.pdf.exe.2de3130.4.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2dbb:$x2: NanoCore.ClientPluginHost 0x4c6b:$s4: PipeCreated
0.2.Items_02559-02663.pdf.exe.3b896d0.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0xfebcd:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0xfec0a:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x10273d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Items_02559-02663.pdf.exe.3b896d0.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Items_02559-02663.pdf.exe.3b896d0.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xfe935:$a: NanoCore 0xfe945:$a: NanoCore 0xfeb79:$a: NanoCore 0xfeb8d:$a: NanoCore 0xfebcd:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0xfe994:$b: ClientPlugin 0xfeb96:$b: ClientPlugin 0xfebd6:$b: ClientPlugin 0x1007b:$c: ProjectData 0xfeabb:$c: ProjectData 0x10a82:$d: DESCrypto 0xff4c2:$d: DESCrypto 0x1844e:$e: KeepAlive
10.2.Items_02559-02663.pdf.exe.3249628.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
10.2.Items_02559-02663.pdf.exe.3249628.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
10.2.Items_02559-02663.pdf.exe.4234c55.5.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x24178:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x241a5:$x2: IClientNetworkHost
10.2.Items_02559-02663.pdf.exe.4234c55.5.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x24178:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x25253:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x24192:$s5: IClientLoggingHost
10.2.Items_02559-02663.pdf.exe.4234c55.5.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.Items_02559-02663.pdf.exe.423062c.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
10.2.Items_02559-02663.pdf.exe.423062c.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
10.2.Items_02559-02663.pdf.exe.423062c.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x42bad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x42bea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4671d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x42925:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x42bad:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x441e6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x441da:$s2: FileCommand 0x1266b:$s3: PipeExists 0x4508b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x4ae42:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost 0x42bd7:$s5: IClientLoggingHost
7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42915:$a: NanoCore 0x42925:$a: NanoCore 0x42b59:$a: NanoCore 0x42b6d:$a: NanoCore 0x42bad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42974:$b: ClientPlugin 0x42b76:$b: ClientPlugin 0x42bb6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x42a9b:$c: ProjectData 0x10a82:$d: DESCrypto 0x434a2:$d: DESCrypto 0x1844e:$e: KeepAlive
10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d5d7:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d604:$x2: IClientNetworkHost
10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d5d7:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e6b2:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d5f1:$s5: IClientLoggingHost
10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d58d:$a: NanoCore 0x2d5a2:$a: NanoCore 0x2d5d7:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2d349:$b: ClientPlugin 0x2d364:$b: ClientPlugin
4.2.Items_02559-02663.pdf.exe.2de3130.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x16e7d:$x1: NanoCore.ClientPluginHost 0x23ff7:$x1: NanoCore.ClientPluginHost 0x2de57:$x1: NanoCore.ClientPluginHost 0x34f34:$x1: NanoCore.ClientPluginHost 0x3b1cd:$x1: NanoCore.ClientPluginHost 0x457eb:$x1: NanoCore.ClientPluginHost 0x4fc27:$x1: NanoCore.ClientPluginHost 0x5ac19:$x1: NanoCore.ClientPluginHost 0x669cf:$x1: NanoCore.ClientPluginHost 0x72726:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost 0x16eaa:$x2: IClientNetworkHost 0x24030:$x2: IClientNetworkHost 0x2de90:$x2: IClientNetworkHost 0x3b206:$x2: IClientNetworkHost 0x45948:$x2: IClientNetworkHost 0x4fc60:$x2: IClientNetworkHost 0x5ac33:$x2: IClientNetworkHost 0x669e9:$x2: IClientNetworkHost 0x72763:$x2: IClientNetworkHost
4.2.Items_02559-02663.pdf.exe.2de3130.4.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x4b96:$a: NanoCore 0x4bbb:$a: NanoCore 0x4c14:$a: NanoCore 0x16e57:$a: NanoCore 0x16e7d:$a: NanoCore 0x16ed9:$a: NanoCore 0x23d3f:$a: NanoCore 0x23d98:$a: NanoCore 0x23dcb:$a: NanoCore 0x23ff7:$a: NanoCore 0x24073:$a: NanoCore 0x2468c:$a: NanoCore 0x247d5:$a: NanoCore 0x24ca9:$a: NanoCore 0x24f90:$a: NanoCore 0x24fa7:$a: NanoCore 0x2de57:$a: NanoCore 0x2ded3:$a: NanoCore 0x307b6:$a: NanoCore 0x34f34:$a: NanoCore 0x34f7e:$a: NanoCore
10.2.Items_02559-02663.pdf.exe.423062c.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x287a1:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x287ce:$x2: IClientNetworkHost
10.2.Items_02559-02663.pdf.exe.423062c.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x287a1:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x2987c:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x287bb:$s5: IClientLoggingHost
10.2.Items_02559-02663.pdf.exe.423062c.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.Items_02559-02663.pdf.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
10.2.Items_02559-02663.pdf.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
10.2.Items_02559-02663.pdf.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
10.2.Items_02559-02663.pdf.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
0.2.Items_02559-02663.pdf.exe.3bbc2f0.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xcbfad:$x1: NanoCore.ClientPluginHost 0xcbfea:$x2: IClientNetworkHost 0xcfb1d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Items_02559-02663.pdf.exe.3bbc2f0.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Items_02559-02663.pdf.exe.3bbc2f0.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xcbd15:$a: NanoCore 0xcbd25:$a: NanoCore 0xcbf59:$a: NanoCore 0xcbf6d:$a: NanoCore 0xcbfad:$a: NanoCore 0xcbd74:$b: ClientPlugin 0xcbf76:$b: ClientPlugin 0xcbfb6:$b: ClientPlugin 0xcbe9b:$c: ProjectData 0xcc8a2:$d: DESCrypto 0xd426e:$e: KeepAlive 0xd225c:$g: LogClientMessage 0xce457:$i: get_Connected 0xccbd8:$j: #=q 0xccc08:$j: #=q 0xccc24:$j: #=q 0xccc54:$j: #=q 0xccc70:$j: #=q 0xccc8c:$j: #=q 0xcccbc:$j: #=q 0xcccd8:$j: #=q
4.2.Items_02559-02663.pdf.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.Items_02559-02663.pdf.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.Items_02559-02663.pdf.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.Items_02559-02663.pdf.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.Items_02559-02663.pdf.exe.2df1408.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x8ba5:$x1: NanoCore.ClientPluginHost 0x15d1f:$x1: NanoCore.ClientPluginHost 0x1fb7f:$x1: NanoCore.ClientPluginHost 0x26c5c:$x1: NanoCore.ClientPluginHost 0x2cef5:$x1: NanoCore.ClientPluginHost 0x37513:$x1: NanoCore.ClientPluginHost 0x4194f:$x1: NanoCore.ClientPluginHost 0x4c941:$x1: NanoCore.ClientPluginHost 0x586f7:$x1: NanoCore.ClientPluginHost 0x6444e:$x1: NanoCore.ClientPluginHost 0x8bd2:$x2: IClientNetworkHost 0x15d58:$x2: IClientNetworkHost 0x1fbb8:$x2: IClientNetworkHost 0x2cf2e:$x2: IClientNetworkHost 0x37670:$x2: IClientNetworkHost 0x41988:$x2: IClientNetworkHost 0x4c95b:$x2: IClientNetworkHost 0x58711:$x2: IClientNetworkHost 0x6448b:$x2: IClientNetworkHost
4.2.Items_02559-02663.pdf.exe.2df1408.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x8ba5:$x2: NanoCore.ClientPluginHost 0x15d1f:$x2: NanoCore.ClientPluginHost 0x1fb7f:$x2: NanoCore.ClientPluginHost 0x26c5c:$x2: NanoCore.ClientPluginHost 0x2cef5:$x2: NanoCore.ClientPluginHost 0x37513:$x2: NanoCore.ClientPluginHost 0x4194f:$x2: NanoCore.ClientPluginHost 0x4c941:$x2: NanoCore.ClientPluginHost 0x586f7:$x2: NanoCore.ClientPluginHost 0x6444e:$x2: NanoCore.ClientPluginHost 0x9b74:$s2: FileCommand 0x38469:$s3: PipeExists 0xe576:$s4: PipeCreated 0x15e3c:$s4: PipeCreated 0x1fc83:$s4: PipeCreated 0x26d3a:$s4: PipeCreated 0x2d010:$s4: PipeCreated 0x37709:$s4: PipeCreated 0x41a9a:$s4: PipeCreated 0x4d976:$s4: PipeCreated 0x5a4a2:$s4: PipeCreated
4.2.Items_02559-02663.pdf.exe.2df1408.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x8b7f:$a: NanoCore 0x8ba5:$a: NanoCore 0x8c01:$a: NanoCore 0x15a67:$a: NanoCore 0x15ac0:$a: NanoCore 0x15af3:$a: NanoCore 0x15d1f:$a: NanoCore 0x15d9b:$a: NanoCore 0x163b4:$a: NanoCore 0x164fd:$a: NanoCore 0x169d1:$a: NanoCore 0x16cb8:$a: NanoCore 0x16ccf:$a: NanoCore 0x1fb7f:$a: NanoCore 0x1fbfb:$a: NanoCore 0x224de:$a: NanoCore 0x26c5c:$a: NanoCore 0x26ca6:$a: NanoCore 0x27900:$a: NanoCore 0x2cef5:$a: NanoCore 0x2cf6f:$a: NanoCore
4.2.Items_02559-02663.pdf.exe.2dbe8d4.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x29417:$x1: NanoCore.ClientPluginHost 0x3b6d9:$x1: NanoCore.ClientPluginHost 0x48853:$x1: NanoCore.ClientPluginHost 0x526b3:$x1: NanoCore.ClientPluginHost 0x59790:$x1: NanoCore.ClientPluginHost 0x5fa29:$x1: NanoCore.ClientPluginHost 0x6a047:$x1: NanoCore.ClientPluginHost 0x74483:$x1: NanoCore.ClientPluginHost 0x7f475:$x1: NanoCore.ClientPluginHost 0x8b22b:$x1: NanoCore.ClientPluginHost 0x96f82:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x29441:$x2: IClientNetworkHost 0x3b706:$x2: IClientNetworkHost 0x4888c:$x2: IClientNetworkHost 0x526ec:$x2: IClientNetworkHost 0x5fa62:$x2: IClientNetworkHost 0x6a1a4:$x2: IClientNetworkHost 0x744bc:$x2: IClientNetworkHost 0x7f48f:$x2: IClientNetworkHost
4.2.Items_02559-02663.pdf.exe.2dbe8d4.3.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x293f2:$a: NanoCore 0x29417:$a: NanoCore 0x29470:$a: NanoCore 0x3b6b3:$a: NanoCore 0x3b6d9:$a: NanoCore 0x3b735:$a: NanoCore 0x4859b:$a: NanoCore 0x485f4:$a: NanoCore 0x48627:$a: NanoCore 0x48853:$a: NanoCore 0x488cf:$a: NanoCore 0x48ee8:$a: NanoCore 0x49031:$a: NanoCore 0x49505:$a: NanoCore 0x497ec:$a: NanoCore 0x49803:$a: NanoCore 0x526b3:$a: NanoCore
0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
Click to see the 47 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, ProcessId: 1440, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmp71AB.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmp71AB.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\Items_02559-02663.pdf.exe' , ParentImage: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, ParentProcessId: 1680, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmp71AB.tmp', ProcessId: 1900

Sigma detected: Suspicious Double Extension

Show sources

Source: Process started

Author: Florian Roth (rule), @blu3_team (idea): Data: Command: {path}, CommandLine: {path}, CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, NewProcessName: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, OriginalFileName: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, ParentCommandLine: 'C:\Users\user\Desktop\Items_02559-02663.pdf.exe' , ParentImage: C:\Users\user\Desktop\Items_02559-02663.pdf.exe, ParentProcessId: 1680, ProcessCommandLine: {path}, ProcessId: 2920

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "063b6e17-4321-4269-bf57-df94b570da06", "Group": "GIFT", "Domain1": "wilsonzz.webredirect.org", "Domain2": "thanks001.ddns.net", "Port": 9036, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Enable", "ClearZoneIdentifier": "Enable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Enable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4", "BypassUserAccountControlData": "<?xml version=\"1.0\" encoding=\"UTF-16\"?>\r\n<Task version=\"1.2\" xmlns=\"http://schemas.microsoft.com/windows/2004/02/mit/task\">\r\n <RegistrationInfo />\r\n <Triggers />\r\n <Principals>\r\n <Principal id=\"Author\">\r\n <LogonType>InteractiveToken</LogonType>\r\n <RunLevel>HighestAvailable</RunLevel>\r\n </Principal>\r\n </Principals>\r\n <Settings>\r\n <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>\r\n <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>\r\n <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>\r\n <AllowHardTerminate>true</AllowHardTerminate>\r\n <StartWhenAvailable>false</StartWhenAvailable>\r\n <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>\r\n <IdleSettings>\r\n <StopOnIdleEnd>false</StopOnIdleEnd>\r\n <RestartOnIdle>false</RestartOnIdle>\r\n </IdleSettings>\r\n <AllowStartOnDemand>true</AllowStartOnDemand>\r\n <Enabled>true</Enabled>\r\n <Hidden>false</Hidden>\r\n <RunOnlyIfIdle>false</RunOnlyIfIdle>\r\n <WakeToRun>false</WakeToRun>\r\n <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>\r\n <Priority>4</Priority>\r\n </Settings>\r\n <Actions Context=\"Author\">\r\n <Exec>\r\n <Command>\"#EXECUTABLEPATH\"</Command>\r\n <Arguments>$(Arg0)</Arguments>\r\n </Exec>\r\n </Actions>\r\n</Task"}

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\jZWRPYaLXncddo.exe

ReversingLabs: Detection: 23%

Multi AV Scanner detection for submitted file

Show sources

Source: Items_02559-02663.pdf.exe

ReversingLabs: Detection: 23%

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.737807407.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 1440, type: MEMORY
Source: Yara match	File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 472, type: MEMORY
Source: Yara match	File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 5880, type: MEMORY
Source: Yara match	File source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.4234c55.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.423062c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.423062c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Items_02559-02663.pdf.exe.3bbc2f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack, type: UNPACKEDPE

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Roaming\jZWRPYaLXncddo.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Show sources

Source: Items_02559-02663.pdf.exe

Joe Sandbox ML: detected

Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7

Compliance:

Uses 32bit PE files

Show sources

Source: Items_02559-02663.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Contains modern PE file flags such as dynamic base (ASLR) or NX

Show sources

Source: Items_02559-02663.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Binary contains paths to debug symbols

Show sources

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49709 -> 89.163.237.88:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49710 -> 89.163.237.88:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49711 -> 89.163.237.88:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49712 -> 89.163.237.88:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49714 -> 89.163.237.88:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49715 -> 89.163.237.88:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49716 -> 89.163.237.88:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49717 -> 89.163.237.88:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49718 -> 89.163.237.88:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49719 -> 89.163.237.88:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49720 -> 89.163.237.88:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49721 -> 89.163.237.88:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49722 -> 89.163.237.88:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49723 -> 89.163.237.88:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49724 -> 89.163.237.88:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49725 -> 89.163.237.88:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49726 -> 89.163.237.88:9036
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.4:49727 -> 89.163.237.88:9036

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: thanks001.ddns.net
Source: Malware configuration extractor	URLs: wilsonzz.webredirect.org

Source: global traffic

TCP traffic: 192.168.2.4:49709 -> 89.163.237.88:9036

Source: Joe Sandbox View

ASN Name: MYLOC-ASIPBackboneofmyLocmanagedITAGDE MYLOC-ASIPBackboneofmyLocmanagedITAGDE

Source: unknown

DNS traffic detected: queries for: wilsonzz.webredirect.org

Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	String found in binary or memory: http://google.com
Source: Items_02559-02663.pdf.exe, 00000000.00000002.684003114.0000000002C1F000.00000004.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.720737165.0000000003361000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-user.html
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: Items_02559-02663.pdf.exe, 00000000.00000003.650108891.0000000000C7B000.00000004.00000001.sdmp	String found in binary or memory: http://www.monotype.
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Source: Items_02559-02663.pdf.exe, 00000000.00000002.681552710.00000000009A8000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: Items_02559-02663.pdf.exe, 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.737807407.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 1440, type: MEMORY
Source: Yara match	File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 472, type: MEMORY
Source: Yara match	File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 5880, type: MEMORY
Source: Yara match	File source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.4234c55.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.423062c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.423062c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Items_02559-02663.pdf.exe.3bbc2f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000000A.00000002.737807407.00000000031E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 1440, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 1440, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 472, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 472, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 5880, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 5880, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Items_02559-02663.pdf.exe.2df1408.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Items_02559-02663.pdf.exe.2de3130.4.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Items_02559-02663.pdf.exe.3249628.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Items_02559-02663.pdf.exe.4234c55.5.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Items_02559-02663.pdf.exe.423062c.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Items_02559-02663.pdf.exe.2de3130.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.Items_02559-02663.pdf.exe.2de3130.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 10.2.Items_02559-02663.pdf.exe.423062c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Items_02559-02663.pdf.exe.3bbc2f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Items_02559-02663.pdf.exe.3bbc2f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Items_02559-02663.pdf.exe.2df1408.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.Items_02559-02663.pdf.exe.2df1408.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.Items_02559-02663.pdf.exe.2dbe8d4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.Items_02559-02663.pdf.exe.2dbe8d4.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample

Static PE information: Filename: Items_02559-02663.pdf.exe

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 0_2_00C4C134
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 0_2_00C4E56A
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 0_2_00C4E578
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 0_2_071A6010
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 0_2_071A1D7D
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 0_2_071A7A30
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 0_2_071A7A40
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 0_2_071A0006
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 0_2_071A0040
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 0_2_07A1070A
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 4_2_0149E471
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 4_2_0149E480
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 4_2_0149BBD4
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 7_2_0173C134
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 7_2_0173E578
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 7_2_0173E56A
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 7_2_07896010
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 7_2_07891D7D
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 7_2_07897A30
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 7_2_07897A40
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 7_2_07890007
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 7_2_07890040
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 7_2_082B070A
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 10_2_017DE471
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 10_2_017DE480
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 10_2_017DBBD4
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 10_2_031C9788
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 10_2_031CF5F8
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 10_2_031CA610

Source: Items_02559-02663.pdf.exe	Binary or memory string: OriginalFilename vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000000.00000002.695012477.0000000007820000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000000.00000002.695012477.0000000007820000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000000.00000002.681552710.00000000009A8000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000000.00000002.694626547.0000000007730000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe	Binary or memory string: OriginalFilename vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe	Binary or memory string: OriginalFilename vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameCoreClientPlugin.dll8 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameManagementClientPlugin.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreBase.dll< vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPluginNew.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameFileBrowserClient.dllT vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameMyClientPlugin.dll@ vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNanoCoreStressTester.dll< vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameNetworkClientPlugin.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSecurityClientPlugin.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameToolsClientPlugin.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe	Binary or memory string: OriginalFilename vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000007.00000002.729365815.0000000008020000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000007.00000002.728684858.00000000078A0000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000007.00000002.728684858.00000000078A0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 00000007.00000002.728760284.00000000078D0000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe	Binary or memory string: OriginalFilename vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameClientPlugin.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameLzma#.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSurveillanceExClientPlugin.dll4 vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe, 0000000A.00000002.736160010.000000000142A000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs Items_02559-02663.pdf.exe
Source: Items_02559-02663.pdf.exe	Binary or memory string: OriginalFilename~ vs Items_02559-02663.pdf.exe

Source: Items_02559-02663.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0000000A.00000002.737807407.00000000031E1000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 1440, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 1440, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 472, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 472, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 5880, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: Items_02559-02663.pdf.exe PID: 5880, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.Items_02559-02663.pdf.exe.2df1408.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.Items_02559-02663.pdf.exe.2df1408.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.Items_02559-02663.pdf.exe.2de3130.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.Items_02559-02663.pdf.exe.2de3130.4.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Items_02559-02663.pdf.exe.3249628.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Items_02559-02663.pdf.exe.3249628.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Items_02559-02663.pdf.exe.4234c55.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Items_02559-02663.pdf.exe.4234c55.5.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Items_02559-02663.pdf.exe.423062c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Items_02559-02663.pdf.exe.423062c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.Items_02559-02663.pdf.exe.2de3130.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.Items_02559-02663.pdf.exe.2de3130.4.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 10.2.Items_02559-02663.pdf.exe.423062c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Items_02559-02663.pdf.exe.423062c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Items_02559-02663.pdf.exe.3bbc2f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Items_02559-02663.pdf.exe.3bbc2f0.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.Items_02559-02663.pdf.exe.2df1408.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.Items_02559-02663.pdf.exe.2df1408.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.Items_02559-02663.pdf.exe.2df1408.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.Items_02559-02663.pdf.exe.2dbe8d4.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.Items_02559-02663.pdf.exe.2dbe8d4.3.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: Items_02559-02663.pdf.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: jZWRPYaLXncddo.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Security.Principal.WindowsIdentity System.Security.Principal.WindowsIdentity::GetCurrent()
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Security API names: System.Boolean System.Security.Principal.WindowsPrincipal::IsInRole(System.Security.Principal.WindowsBuiltInRole)

Source: classification engine

Classification label: mal100.troj.evad.winEXE@17/10@18/2

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe

File created: C:\Users\user\AppData\Roaming\jZWRPYaLXncddo.exe

Jump to behavior

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\PabRJVaJStCOUonYQzbLCywb
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2860:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3220:120:WilError_01
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{063b6e17-4321-4269-bf57-df94b570da06}
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5912:120:WilError_01

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmp71AB.tmp

Jump to behavior

Source: Items_02559-02663.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: Items_02559-02663.pdf.exe

ReversingLabs: Detection: 23%

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe

File read: C:\Users\user\Desktop\Items_02559-02663.pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe 'C:\Users\user\Desktop\Items_02559-02663.pdf.exe'
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmp71AB.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe {path}
Source: unknown	Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe {path}
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EF7.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe C:\Users\user\Desktop\Items_02559-02663.pdf.exe 0
Source: unknown	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA1E.tmp'
Source: unknown	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe {path}
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmp71AB.tmp'
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe {path}
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe {path}
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EF7.tmp'
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA1E.tmp'
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe {path}

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Source: Items_02559-02663.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: Items_02559-02663.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\MyNanoCore RemoteScripting\MyClientPlugin\obj\Debug\MyClientPluginNew.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Downloads\NanoCoreSwiss\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Liam\Documents\Visual Studio 2013\Projects\NanoCoreStressTester\NanoCoreStressTester\obj\Debug\NanoCoreStressTester.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
Source:	Binary string: G:\Users\Andy\Documents\Visual Studio 2013\Projects\NanocoreBasicPlugin\NanoCoreBase\obj\Debug\NanoCoreBase.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
Source:	Binary string: P:\Visual Studio Projects\Projects 15\NanoNana\MyClientPlugin\obj\Debug\MyClientPlugin.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp
Source:	Binary string: C:\Users\Cole\Documents\Visual Studio 2013\Projects\FileBrowserPlugin\FileBrowserClient\obj\Debug\FileBrowserClient.pdb source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: Items_02559-02663.pdf.exe, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: jZWRPYaLXncddo.exe.0.dr, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.2.Items_02559-02663.pdf.exe.1e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 0.0.Items_02559-02663.pdf.exe.1e0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.2.Items_02559-02663.pdf.exe.3a0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 3.0.Items_02559-02663.pdf.exe.3a0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Items_02559-02663.pdf.exe.990000.1.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.0.Items_02559-02663.pdf.exe.990000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.2.Items_02559-02663.pdf.exe.f60000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 7.0.Items_02559-02663.pdf.exe.f60000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.0.Items_02559-02663.pdf.exe.cf0000.0.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.Items_02559-02663.pdf.exe.cf0000.1.unpack, Login.cs	.Net Code: set_Name System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 0_2_071A54C0 push eax; ret
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 0_2_07A1573D push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 7_2_07895F18 pushfd ; ret
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 7_2_078954C0 push eax; ret
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 7_2_082B573D push FFFFFF8Bh; iretd
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 10_2_031CB5E0 push eax; retf
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 10_2_031C69F8 pushad ; retf
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Code function: 10_2_031C69FA push esp; retf

Source: initial sample	Static PE information: section name: .text entropy: 7.94731147015
Source: initial sample	Static PE information: section name: .text entropy: 7.94731147015

Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Persistence and Installation Behavior:

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe

File created: C:\Users\user\AppData\Roaming\jZWRPYaLXncddo.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: unknown

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmp71AB.tmp'

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe

File opened: C:\Users\user\Desktop\Items_02559-02663.pdf.exe:Zone.Identifier read attributes | delete

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: pdf.exe

Static PE information: Items_02559-02663.pdf.exe

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Window / User API: threadDelayed 4080
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Window / User API: threadDelayed 4749
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Window / User API: foregroundWindowGot 645
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Window / User API: foregroundWindowGot 759

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe TID: 1836	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe TID: 1368	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe TID: 816	Thread sleep time: -11990383647911201s >= -30000s
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe TID: 660	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe TID: 5980	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe TID: 2224	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: Items_02559-02663.pdf.exe, 00000004.00000002.909276624.0000000000F30000.00000004.00000020.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllox

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe

Process information queried: ProcessInformation

Anti Debugging:

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process token adjusted: Debug
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process token adjusted: Debug

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Memory written: C:\Users\user\Desktop\Items_02559-02663.pdf.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Memory written: C:\Users\user\Desktop\Items_02559-02663.pdf.exe base: 400000 value starts with: 4D5A

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmp71AB.tmp'
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe {path}
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe {path}
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EF7.tmp'
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA1E.tmp'
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Process created: C:\Users\user\Desktop\Items_02559-02663.pdf.exe {path}

Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910132928.0000000001850000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910132928.0000000001850000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910548747.0000000002F37000.00000004.00000001.sdmp	Binary or memory string: Program Managerp
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910132928.0000000001850000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	Binary or memory string: Program Managert

Language, Device and Operating System Detection:

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Users\user\Desktop\Items_02559-02663.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Users\user\Desktop\Items_02559-02663.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Users\user\Desktop\Items_02559-02663.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Users\user\Desktop\Items_02559-02663.pdf.exe VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiVirusProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM AntiSpywareProduct
Source: C:\Users\user\Desktop\Items_02559-02663.pdf.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT DisplayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.737807407.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 1440, type: MEMORY
Source: Yara match	File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 472, type: MEMORY
Source: Yara match	File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 5880, type: MEMORY
Source: Yara match	File source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.4234c55.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.423062c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.423062c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Items_02559-02663.pdf.exe.3bbc2f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: Items_02559-02663.pdf.exe, 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreBase.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreBaseClientPluginCommandHandlerResourcesNanoCoreBase.My.ResourcesMySettingsMySettingsPropertyCommandsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketHandleCommandHandleCommandOpenWebsiteHandleCommandMessageBoxSwapMouseButtonfSwapuser32.dllHandleCommandMouseSwapHandleCommandMouseUnswapmciSendStringlpszCommandlpszReturnStringcchReturnLengthhwndCallbackwinmm.dllmciSendStringAHandleCommandCDTrayHandleCommandCDTrayCloseSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__OpenWebsiteMessageBoxCDTrayCDTrayCloseMouseSwapMouseUnswapSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeSendToServerParamArrayAttributeStringProcessStartSystem.Windows.FormsDialogResultShowConversionsReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedNanoCoreBase.Resources.resourcesDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeNanoCoreBase.dll+set CDAudio door open/set CDAudio door closed-NanoCoreBase.Resources3
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationMyClientPlugin.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainMyClientPluginClientPluginMiscCommandHandlerCommandTypeMiscCommandMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleMiscCommandHandleMiscCommandMessageInterpretRecievedcommandtodoloopkeysEnumvalue__MessageStringExceptionMicrosoft.VisualBasic.CompilerServicesOperatorsCompareStringServerComputerMicrosoft.VisualBasic.MyServicesRegistryProxyget_RegistryMicrosoft.Win32RegistryKeyget_LocalMachineConcatInt32SetValueProjectDataSetProjectErrorClearProjectErrorget_LengthStandardModuleAttributeSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeDebuggableAttributeDebuggingModesCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeMyClientPlugin.dll'DisableWebcamLights
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationFileBrowserClient.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainFileBrowserClientClientPluginCommandHandlersResourcesFileBrowserClient.My.ResourcesMySettingsMySettingsPropertyFunctionsCommandTypesMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostCurrentDirectoryInitializePluginNanoCore.ClientPluginIClientNetwork_loggingHost_networkHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketparamsHandleCreateDirectoryremoteDirHandleDeleteFileremoteFileisDirectoryHandleOpenFileHandleReceiveFilelocalFileHandleRenameFilenewFileNameHandleSetCurrentDirectorypathHandleDeleteHandleDownloadHandleDrivesHandleFilesHandleGetCurrentDirectoryHandleMachineNameHandleOpenHandleSetCurrentDirectoryPacketHandleUploadHandleRenameHandleCreateSendCurrentDirectorySendDrivesSendFileSendFilesSendMachineNameSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CulturevalueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsSystem.Collections.GenericList`1RemoteFilesRemoteFoldersRemoteDrivesEnumerateRemoteFilesEnumerateRemoteDrivesLogMessagemessageEnumvalue__MachineNameDrivesFilesGetCurrentDirectorySetCurrentDirectoryDownloadUploadOpenDeleteCreateDirectoryRenameSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeEnvironmentSpecialFolderGetFolderPathStringFormatSystem.IODirectoryDirectoryInfoProjectDataExceptionSetProjectErrorClearProjectErrorFileLogClientExceptionProcessStartConvertFromBase64StringWriteAllBytesMoveSendToServerConversionsToBooleanInt32NewLateBindingLateIndexGetEnumeratorEmptyGetEnumeratorget_CurrentTrimConcatMoveNextIDisposableDisposeReadAllBytesToBase64StringIsNullOrEmptyget_MachineNameToUpperget_UserNameReferenceEqualsSystem.ReflectionAssemblyget_AssemblyCompilerGeneratedAttributeSettingsBaseSynchronizedFileInfoFileSystemInfoget_FullNameContainsGetDirectoriesget_NameAddGetF
Source: Items_02559-02663.pdf.exe, 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCoreStressTester.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1ClientMainNanoCoreStressTesterClientPluginHTTPFloodSlowLorisSYNFloodTCPNanoCoreStressTester.FloodUDPSendSynCommandHandlerResourcesNanoCoreStressTester.My.ResourcesMySettingsMySettingsPropertyCommandsMethodsMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceNanoCore.ClientPluginHostIClientLoggingHostLoggingHostIClientNetworkHostNetworkHostIClientDataHostDataHostClientGUIDSendCommandparamsInitializePluginNanoCore.ClientPluginIClientNetwork_networkhost_loggingHost_DataHostBuildingHostCacheConnectionFailedhostportConnectionStateChangedconnectedPipeClosedpipeNamePipeCreatedReadPacketStartHostToAttackArrayUploadDataSiteUserAgentRefererValuesGeneratecodelengthSystem.ThreadingThreadThreadsPortToAttackTimeToAttackThreadstoUseThreadsEndedattacksAttackRunningFloodnewHostnewPortnewTimenewThreadslolStopSlowlorisStressThreadStart_floodingJob_floodingThreadSystem.NetIPEndPoint_ipEo_synClassHostIsEnabledPortSuperSynSocketsStartSuperSynStopSuperSynSystem.Net.SocketsSocketClientIPPacketsPacketSizeMaxPacketsStopFloodmPacketspSize_sockipEosuperSynSockets__1IAsyncResultOnConnectarSendFloodingstopHTTPBytesSentSYNConnectionsHTTPDataSentMethodTargetAddressTargetStatusupdateBytesnewSYNFloodHandleDDOSCommandHandleStopCommandSystem.TimersElapsedEventArgsbytesTimerElapsedsourceeHandleHTTPCommandHandleSlowlorisCommandHandleTCPCommandHandleUDPCommandHandleSYNCommandSystem.ResourcesResourceManagerresourceManSystem.GlobalizationCultureInforesourceCultureget_ResourceManagerget_Cultureset_CultureValueCultureSystem.ConfigurationApplicationSettingsBasedefaultInstanceget_DefaultDefaultget_SettingsSettingsEnumvalue__sendStressCommandupdateStatusColumnstopStressCommandHTTPSlowlorisSYNSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerNonUserCodeAttributeDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeExceptionSendToServerProjectDataSetProjectErrorClearProjectErrorTimerNanoCoreIClientNameObjectCollectionget_VariablesGetValueset_Intervalset_EnabledElapsedEventHandleradd_ElapsedParamArrayAttributeRandomGuidStringIsNullOrEmptyArgumentNullExceptionArgumentOutOfRangeExce
Source: Items_02559-02663.pdf.exe, 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Items_02559-02663.pdf.exe, 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: Items_02559-02663.pdf.exe, 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.737807407.00000000031E1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 1440, type: MEMORY
Source: Yara match	File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 472, type: MEMORY
Source: Yara match	File source: Process Memory Space: Items_02559-02663.pdf.exe PID: 5880, type: MEMORY
Source: Yara match	File source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.4234c55.5.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.423062c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.Items_02559-02663.pdf.exe.48396d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.422b7f6.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.423062c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Items_02559-02663.pdf.exe.3bbc2f0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.Items_02559-02663.pdf.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.Items_02559-02663.pdf.exe.3b896d0.3.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Windows Management Instrumentation1	Scheduled Task/Job1	Process Injection112	Masquerading11	Input Capture21	Security Software Discovery121	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job1	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Virtualization/Sandbox Evasion3	LSASS Memory	Virtualization/Sandbox Evasion3	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Disable or Modify Tools1	Security Account Manager	Process Discovery2	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection112	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol11	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Hidden Files and Directories1	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Obfuscated Files or Information12	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Software Packing13	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Items_02559-02663.pdf.exe	23%	ReversingLabs	Win32.Trojan.AgentTesla
Items_02559-02663.pdf.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\jZWRPYaLXncddo.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\jZWRPYaLXncddo.exe	23%	ReversingLabs	Win32.Trojan.AgentTesla

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.Items_02559-02663.pdf.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File
10.2.Items_02559-02663.pdf.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
thanks001.ddns.net	0%	Avira URL Cloud	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.monotype.	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
wilsonzz.webredirect.org	0%	Avira URL Cloud	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wilsonzz.webredirect.org	89.163.237.88	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
thanks001.ddns.net	true	Avira URL Cloud: safe	unknown
wilsonzz.webredirect.org	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/bThe	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers?	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false		high
http://www.tiro.com	Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false		high
http://www.goodfont.co.kr	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.carterandcone.coml	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-user.html	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false		high
http://www.monotype.	Items_02559-02663.pdf.exe, 00000000.00000003.650108891.0000000000C7B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.jiyu-kobo.co.jp/	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false		high
http://www.fonts.com	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false		high
http://www.sandoll.co.kr	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	Items_02559-02663.pdf.exe, 00000000.00000002.684003114.0000000002C1F000.00000004.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.720737165.0000000003361000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	Items_02559-02663.pdf.exe, 00000000.00000002.690720943.00000000055F0000.00000002.00000001.sdmp, Items_02559-02663.pdf.exe, 00000007.00000002.726617404.00000000062D0000.00000002.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
89.163.237.88	unknown	Germany		24961	MYLOC-ASIPBackboneofmyLocmanagedITAGDE	true

Private

IP
192.168.2.1

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	357332
Start date:	24.02.2021
Start time:	13:12:27
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 10m 8s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	Items_02559-02663.pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	11
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@17/10@18/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 0.1% (good quality ratio 0.1%) Quality average: 53.1% Quality standard deviation: 27.7%
HCA Information:	Successful, ratio: 95% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. TCP Packets have been reduced to 100 Excluded IPs from analysis (whitelisted): 52.255.188.83, 104.43.193.48, 104.43.139.144, 13.64.90.137, 8.253.207.120, 67.26.17.254, 8.250.151.254, 8.248.121.254, 8.248.125.254 Excluded domains from analysis (whitelisted): skypedataprdcoleus17.cloudapp.net, skypedataprdcolwus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, audownload.windowsupdate.nsatc.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, watson.telemetry.microsoft.com, auto.au.download.windowsupdate.com.c.footprint.net, au-bg-shim.trafficmanager.net, skypedataprdcolcus15.cloudapp.net Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:13:17	API Interceptor	922x Sleep call for process: Items_02559-02663.pdf.exe modified
13:13:33	Task Scheduler	Run new task: DHCP Monitor path: "C:\Users\user\Desktop\Items_02559-02663.pdf.exe" s>$(Arg0)

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
MYLOC-ASIPBackboneofmyLocmanagedITAGDE	Bank Transfer Slip.exe	Get hash	malicious	Browse	91.212.153.84
	BILLING INVOICE.pdf.exe	Get hash	malicious	Browse	91.212.153.84
	JMG Memo-Circular No 018-21.PDF.exe	Get hash	malicious	Browse	91.212.153.84
	LIST OF DELISTED AGENCIES 22ND FEB 2021.PDF.exe	Get hash	malicious	Browse	91.212.153.84
	POEA ADVISORY ON DELISTED AGENCIES.PDF.exe	Get hash	malicious	Browse	91.212.153.84
	Swift copy_BILLING INVOICE.pdf.exe	Get hash	malicious	Browse	91.212.153.84
	POEA ADVISORY ON DELISTED AGENCIES.pdf.exe	Get hash	malicious	Browse	91.212.153.84
	POEA ADVISORY NO 450 2021.pdf.exe	Get hash	malicious	Browse	91.212.153.84
	POEA DELISTED AGENCIES (BATCH A).PDF.exe	Get hash	malicious	Browse	91.212.153.84
	POEA MEMORANDUM N0 056.exe	Get hash	malicious	Browse	91.212.153.84
	Swift_Payment_jpeg.exe	Get hash	malicious	Browse	62.141.37.17
	Protected.exe	Get hash	malicious	Browse	91.212.153.84
	Protected.2.exe	Get hash	malicious	Browse	91.212.153.84
	FickerStealer.exe	Get hash	malicious	Browse	89.163.225.172
	Documentaci#U00f3n.doc	Get hash	malicious	Browse	89.163.210.141
	SecuriteInfo.com.Trojan.DownLoader36.34557.26355.exe	Get hash	malicious	Browse	89.163.140.102
	TaskAudio Driver.exe	Get hash	malicious	Browse	193.111.198.220
	Z8363664.doc	Get hash	malicious	Browse	89.163.210.141
	OhGodAnETHlargementPill2.exe	Get hash	malicious	Browse	193.111.198.220
	godflex-r2.exe	Get hash	malicious	Browse	193.111.198.220

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Items_02559-02663.pdf.exe.log Download File
Process:	C:\Users\user\Desktop\Items_02559-02663.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1216
Entropy (8bit):	5.355304211458859
Encrypted:	false
SSDEEP:	24:MLUE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4x84j:MIHK5HKXE1qHiYHKhQnoPtHoxHhAHKzr
MD5:	FED34146BF2F2FA59DCF8702FCC8232E
SHA1:	B03BFEA175989D989850CF06FE5E7BBF56EAA00A
SHA-256:	123BE4E3590609A008E85501243AF5BC53FA0C26C82A92881B8879524F8C0D5C
SHA-512:	1CC89F2ED1DBD70628FA1DC41A32BA0BFA3E81EAE1A1CF3C5F6A48F2DA0BF1F21A5001B8A18B04043C5B8FE4FBE663068D86AA8C4BD8E17933F75687C3178FF6
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\b219d4630d26b88041b59c21

C:\Users\user\AppData\Local\Temp\tmp1EF7.tmp Download File
Process:	C:\Users\user\Desktop\Items_02559-02663.pdf.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1311
Entropy (8bit):	5.137743702844662
Encrypted:	false
SSDEEP:	24:2dH4+S/4oL600QlMhEMjn5pwjVLUYODOLG9RJh7h8gK0Y0u1kaxtn:cbk4oL600QydbQxIYODOLedq3hDj
MD5:	2CB7C82A649468334E3AC9C286999C53
SHA1:	86F1D65CA2595D717E2FC67F2F064E8AF6F20F89
SHA-256:	64A1FE728F630ADEBE57FBFA6EB1DA4F9B38DDD815C9758C2DC743D19E9CBC3E
SHA-512:	B2E5E5B6CE3733586ADE0C9F23318F3DE58CDA06B88CBF8073F69C0CC3B0AE9BEE2920A768906F2665CA32AAAEB35CF6E30D5CA66B1C60CDD05AA59B79377A5C
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo />.. <Triggers />.. <Principals>.. <Principal id="Author">.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>HighestAvailable</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>Parallel</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>.. <AllowHardTerminate>true</AllowHardTerminate>.. <StartWhenAvailable>false</StartWhenAvailable>.. <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>.. <IdleSettings>.. <StopOnIdleEnd>false</StopOnIdleEnd>.. <RestartOnIdle>false</RestartOnIdle>.. </IdleSettings>.. <AllowStartOnDemand>true</AllowStartOnDemand>.. <Enabled>true</Enabled>.. <Hidden>false</Hidden>.. <RunOnlyIfIdle>false</RunOnlyIfIdle>.. <Wak

C:\Users\user\AppData\Local\Temp\tmp71AB.tmp Download File
Process:	C:\Users\user\Desktop\Items_02559-02663.pdf.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1647
Entropy (8bit):	5.188267571798794
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGdtn:cbhK79lNQR/rydbz9I3YODOLNdq34
MD5:	265EB6B9D687D7DFEA6503E02D65C940
SHA1:	A2C93785E51DB7BF98DC0469D5F5F4CCCB6E9526
SHA-256:	6FAA626806DEE34DEB3EAE73915BD8C9452F04D19F785C84C8936DD86754059C
SHA-512:	69A786F717BBC7BEDD6FA760CCE15A7CEC96F9616808D4AB462156E9B65B76AC0494546E83837A355ED6CB5A7570642697483885F8CEC12209FB2F6906A65898
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Local\Temp\tmpBA1E.tmp Download File
Process:	C:\Users\user\Desktop\Items_02559-02663.pdf.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1647
Entropy (8bit):	5.188267571798794
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/S7hblNMFp//rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBGdtn:cbhK79lNQR/rydbz9I3YODOLNdq34
MD5:	265EB6B9D687D7DFEA6503E02D65C940
SHA1:	A2C93785E51DB7BF98DC0469D5F5F4CCCB6E9526
SHA-256:	6FAA626806DEE34DEB3EAE73915BD8C9452F04D19F785C84C8936DD86754059C
SHA-512:	69A786F717BBC7BEDD6FA760CCE15A7CEC96F9616808D4AB462156E9B65B76AC0494546E83837A355ED6CB5A7570642697483885F8CEC12209FB2F6906A65898
Malicious:	false
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\catalog.dat Download File
Process:	C:\Users\user\Desktop\Items_02559-02663.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	1856
Entropy (8bit):	7.089541637477408
Encrypted:	false
SSDEEP:	48:IknjhUknjhUknjhUknjhUknjhUknjhUknjhUknjhL:HjhDjhDjhDjhDjhDjhDjhDjhL
MD5:	30D23CC577A89146961915B57F408623
SHA1:	9B5709D6081D8E0A570511E6E0AAE96FA041964F
SHA-256:	E2130A72E55193D402B5F43F7F3584ECF6B423F8EC4B1B1B69AD693C7E0E5A9E
SHA-512:	2D5C5747FD04F8326C2CC1FB313925070BC01D3352AFA6C36C167B72757A15F58B6263D96BD606338DA055812E69DDB628A6E18D64DD59697C2F42D1C58CC687
Malicious:	false
Reputation:	low
Preview:	Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.... S....}FF.2...h.M+....L.#.X..+..........~f.G0^..;....W2.=...K.~.L..&f...p............:7rH}..../H......L...?...A.K...J.=8x!....+.2e'..E?.G......[.&Gj.h\.3.A...5.x..&...i+..c(1.P..P.cLT...A.b........4h...t.+..Z\.. .i.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Users\user\Desktop\Items_02559-02663.pdf.exe
File Type:	Non-ISO extended-ASCII text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	2.75
Encrypted:	false
SSDEEP:	3:Zot:mt
MD5:	78D87C90B6290A2B5AC730E21857A636
SHA1:	7F2397E26E56320B7D29A2EA56AF2315EBB5ECF7
SHA-256:	A8C767EFF7AC0ABBBA818D11488D4D5D8D8A72B8BEA2DE743E0CC37B9AC06398
SHA-512:	F83E4B95CDDA9DC47C9D3D9780A7CA0346CED7996BAFF6A6011E961030F830249BF3CAA5E1DB108B6B77E77C8B47A9855299C92543429A165FE3EA6423DE1E44
Malicious:	true
Reputation:	low
Preview:	.....H

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\settings.bin Download File
Process:	C:\Users\user\Desktop\Items_02559-02663.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	40
Entropy (8bit):	5.153055907333276
Encrypted:	false
SSDEEP:	3:9bzY6oRDT6P2bfVn1:RzWDT621
MD5:	4E5E92E2369688041CC82EF9650EDED2
SHA1:	15E44F2F3194EE232B44E9684163B6F66472C862
SHA-256:	F8098A6290118F2944B9E7C842BD014377D45844379F863B00D54515A8A64B48
SHA-512:	1B368018907A3BC30421FDA2C935B39DC9073B9B1248881E70AD48EDB6CAA256070C1A90B97B0F64BBE61E316DBB8D5B2EC8DBABCD0B0B2999AB50B933671ECB
Malicious:	false
Preview:	9iH...}Z.4..f.~a........~.~.......3.U.

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\storage.dat Download File
Process:	C:\Users\user\Desktop\Items_02559-02663.pdf.exe
File Type:	data
Category:	dropped
Size (bytes):	327768
Entropy (8bit):	7.999367066417797
Encrypted:	true
SSDEEP:	6144:oX44S90aTiB66x3PlZmqze1d1wI8lkWmtjJ/3Exi:LkjbU7LjGxi
MD5:	2E52F446105FBF828E63CF808B721F9C
SHA1:	5330E54F238F46DC04C1AC62B051DB4FCD7416FB
SHA-256:	2F7479AA2661BD259747BC89106031C11B3A3F79F12190E7F19F5DF65B7C15C8
SHA-512:	C08BA0E3315E2314ECBEF38722DF834C2CB8412446A9A310F41A8F83B4AC5984FCC1B26A1D8B0D58A730FDBDD885714854BDFD04DCDF7F582FC125F552D5C3CA
Malicious:	false
Preview:	pT..!..W..G.J..a.).@.i..wpK.so@...5.=.^..Q.oy.=e@9.B...F..09u"3.. 0t..RDn_4d.....E...i......~...\|..fX_...Xf.p^......>a..$...e.6:7d.(a.A...=.).....{B.[...y%...i.Q.<..xt.X..H.. ..HF7g...I.3.{.n....L.y;i..s-....(5i...........J.5b7}..fK..HV..,...0.... ....n.w6PMl.......v."".v.......#..X.a....../...cC...i..l{>5n.._+.e.d'...}...[..../...D.t..GVp.zz......(...o......b...+`J.{....hS1G.^I..v&.jm.#u..1..Mg!.E..U.T.....6.2>...6.l.K.w"o..E..."K%{....z.7....<...,....]t.:.....[.Z.u...3X8.QI..j_.&..N..q.e.2...6.R.~..9.Bq..A.v.6.G..#y.....O....Z)G...w..E..k(....+..O..........Vg.2xC......O...jc.....z..~.P...q../.-.'.h.._.cj.=..B.x.Q9.pu.\|i4...i...;O...n.?.,. ....v?.5}.OY@.dG\|<.._[.69@.2..m..I..oP=...xrK.?............b..5....i&...l.c\b}..Q..O+.V.mJ.....pz....>F.......H...6$...d...\|m...N..1.R..B.i..........$....$........CY}..$....r.....H...8...li.....7 P......?h....R.iF..6...q(.@LI.s..+K.....?m..H....*. l..&<}....`\|.B....3.....I..o...u1..8i=.z.W..7

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\task.dat Download File
Process:	C:\Users\user\Desktop\Items_02559-02663.pdf.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	48
Entropy (8bit):	4.5199746782469115
Encrypted:	false
SSDEEP:	3:oNt+WfWsuKfMrQC:oNwvsuuMrQC
MD5:	E180244A81F8CE52CE654E64B183D082
SHA1:	36C89CD921CB760B029DA4F6102D3588232982FC
SHA-256:	00CB24367F72D6074CB5201ADB3F208B1ED7D29E1DAC42D38023E505A4A56C09
SHA-512:	0AD3E451827BA0C41574C5937B891CE4D763492255FE003F4B855C087AE15AA7734E3090AC0B6EDF161527B9A691B2710EEC7BBA6706EF0447ED332AEA112610
Malicious:	false
Preview:	C:\Users\user\Desktop\Items_02559-02663.pdf.exe

C:\Users\user\AppData\Roaming\jZWRPYaLXncddo.exe Download File
Process:	C:\Users\user\Desktop\Items_02559-02663.pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	770048
Entropy (8bit):	7.94192338687656
Encrypted:	false
SSDEEP:	12288:YEY3LLUEMthvqNv06tdkkQjFXZhBPEw6S4ZR6UaG+SsOEgntReIwCzWcPKlTPTGl:ALCYNJN+FXpc/H6Ud+SxDXeIwlBRG16c
MD5:	69B99B73945755DF4628529E5A1BF6F8
SHA1:	0B4A98CF7C2CF5F1FB3480736A602EBE4BBB9746
SHA-256:	0A31DDE9DD611DE5AFEF82EAC6581588C5D8B034106A1F4EAC68958B8BD526C2
SHA-512:	779A27BC5456FD9A7EF27963DAF4310C100DB04B53FFF46346C14D69B2EC7456A3DEE49505A4B23A59BD4E434E8AE845CFE2FD8D4EE9421FFB19A8D983CC3C89
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 23%
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o.5`..............0.................. ........@.. ....................... ............@.................................4...O.................................................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc..............................@..B................h.......H.......Ho..t3......4.......x2..........................................&.(.........0..9........~.........,".r...p.....(....o....s............~.....+......0...........~.....+.."........0..!........(....r!..p~....o......t.....+......0..!........(....r1..p~....o......t.....+......0...........r5..p.+....0...........rA..p.+..".(.....^..}.....(.......(%.......(.......0..;........rI..pr...p.(...........,..(......+..s......o .....(!.....*..0..I........r...pr...p.(.......

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.94192338687656
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	Items_02559-02663.pdf.exe
File size:	770048
MD5:	69b99b73945755df4628529e5a1bf6f8
SHA1:	0b4a98cf7c2cf5f1fb3480736a602ebe4bbb9746
SHA256:	0a31dde9dd611de5afef82eac6581588c5d8b034106a1f4eac68958b8bd526c2
SHA512:	779a27bc5456fd9a7ef27963daf4310c100db04b53fff46346c14d69b2ec7456a3dee49505a4b23a59bd4e434e8ae845cfe2fd8d4ee9421ffb19a8d983cc3c89
SSDEEP:	12288:YEY3LLUEMthvqNv06tdkkQjFXZhBPEw6S4ZR6UaG+SsOEgntReIwCzWcPKlTPTGl:ALCYNJN+FXpc/H6Ud+SxDXeIwlBRG16c
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...o.5`..............0.................. ........@.. ....................... ............@................................

File Icon


Icon Hash:	00828e8e8686b000

Static PE Info

General
Entrypoint:	0x4bd586
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6035AC6F [Wed Feb 24 01:31:27 2021 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xbd534	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xbe000	0x5b4	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xc0000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0xbb58c	0xbb600	False	0.933682350734	data	7.94731147015	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0xbe000	0x5b4	0x600	False	0.436197916667	data	4.24672884221	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xc0000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country
RT_VERSION	0xbe090	0x324	data
RT_MANIFEST	0xbe3c4	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2016
Assembly Version	4.0.0.0
InternalName	wA.exe
FileVersion	4.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	ITP_RMSS
ProductVersion	4.0.0.0
FileDescription	ITP_RMSS
OriginalFilename	wA.exe

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
02/24/21-13:13:35.557410	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49709	9036	192.168.2.4	89.163.237.88
02/24/21-13:13:42.456581	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49710	9036	192.168.2.4	89.163.237.88
02/24/21-13:13:48.944286	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49711	9036	192.168.2.4	89.163.237.88
02/24/21-13:13:55.417376	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49712	9036	192.168.2.4	89.163.237.88
02/24/21-13:14:02.308430	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49714	9036	192.168.2.4	89.163.237.88
02/24/21-13:14:09.115026	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49715	9036	192.168.2.4	89.163.237.88
02/24/21-13:14:15.121738	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49716	9036	192.168.2.4	89.163.237.88
02/24/21-13:14:22.468708	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49717	9036	192.168.2.4	89.163.237.88
02/24/21-13:14:28.451679	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49718	9036	192.168.2.4	89.163.237.88
02/24/21-13:14:33.473501	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49719	9036	192.168.2.4	89.163.237.88
02/24/21-13:14:39.501822	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49720	9036	192.168.2.4	89.163.237.88
02/24/21-13:14:45.520035	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49721	9036	192.168.2.4	89.163.237.88
02/24/21-13:14:50.510622	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49722	9036	192.168.2.4	89.163.237.88
02/24/21-13:14:56.537341	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49723	9036	192.168.2.4	89.163.237.88
02/24/21-13:15:02.624356	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49724	9036	192.168.2.4	89.163.237.88
02/24/21-13:15:07.507413	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49725	9036	192.168.2.4	89.163.237.88
02/24/21-13:15:13.608651	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49726	9036	192.168.2.4	89.163.237.88
02/24/21-13:15:19.571269	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49727	9036	192.168.2.4	89.163.237.88

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 13:13:35.358680010 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.380064011 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.380227089 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.557410002 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.598577023 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.625113964 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.649607897 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.690336943 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.764992952 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.765063047 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.769203901 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.769248962 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.769303083 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.769304037 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.769330978 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.769334078 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.769357920 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.769367933 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.790576935 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.790621042 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.790642977 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.790668011 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.790690899 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.790715933 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.790719986 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.790751934 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.790777922 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.790802956 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.790873051 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.812535048 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.812565088 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.812588930 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.812612057 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.812642097 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.812647104 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.812668085 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.812674999 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.812699080 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.812726974 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.812731981 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.812767029 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.812777996 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.812813997 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.812839031 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.812865973 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.812891006 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.812891006 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.812912941 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.812932968 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.812944889 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.812956095 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.812958956 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.812999964 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.835573912 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.835643053 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.835685968 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.835726023 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.835731030 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.835751057 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.835777998 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.835789919 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.835814953 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.835838079 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.835839033 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.835876942 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.835890055 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.835913897 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.835935116 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.835968971 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.835982084 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836005926 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836030006 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836061001 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.836070061 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836093903 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836117029 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.836117983 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836141109 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.836158037 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836182117 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836205006 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836225986 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.836234093 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836266041 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.836267948 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836292982 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836317062 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836328030 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.836340904 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836365938 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836369991 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.836393118 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836417913 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836440086 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.836440086 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836464882 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836486101 CET	49709	9036	192.168.2.4	89.163.237.88
Feb 24, 2021 13:13:35.836488962 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836513042 CET	9036	49709	89.163.237.88	192.168.2.4
Feb 24, 2021 13:13:35.836541891 CET	49709	9036	192.168.2.4	89.163.237.88

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Feb 24, 2021 13:13:05.131644964 CET	59920	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:05.144365072 CET	53	59920	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:06.854136944 CET	57458	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:06.866487980 CET	53	57458	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:07.635777950 CET	50579	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:07.648597956 CET	53	50579	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:08.444322109 CET	65248	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:08.456315041 CET	53	65248	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:09.765423059 CET	53723	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:09.778301001 CET	53	53723	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:10.644164085 CET	64646	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:10.659591913 CET	53	64646	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:11.666393042 CET	65298	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:11.680917978 CET	53	65298	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:13.408221006 CET	59123	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:13.420507908 CET	53	59123	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:14.182230949 CET	54531	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:14.197181940 CET	53	54531	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:15.029716969 CET	49714	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:15.043313026 CET	53	49714	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:15.835571051 CET	58028	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:15.848443031 CET	53	58028	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:16.646267891 CET	53097	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:16.658747911 CET	53	53097	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:17.470582962 CET	49257	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:17.482456923 CET	53	49257	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:18.331350088 CET	62389	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:18.344394922 CET	53	62389	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:19.348400116 CET	49910	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:19.361630917 CET	53	49910	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:20.211576939 CET	55854	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:20.224864006 CET	53	55854	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:21.048191071 CET	64549	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:21.061738968 CET	53	64549	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:21.845335007 CET	63153	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:21.858378887 CET	53	63153	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:35.121257067 CET	52991	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:35.292083979 CET	53	52991	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:42.266710043 CET	53700	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:42.433168888 CET	53	53700	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:48.899710894 CET	51726	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:48.914328098 CET	53	51726	8.8.8.8	192.168.2.4
Feb 24, 2021 13:13:55.219964027 CET	56794	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:13:55.390961885 CET	53	56794	8.8.8.8	192.168.2.4
Feb 24, 2021 13:14:01.710227013 CET	56534	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:14:01.722053051 CET	53	56534	8.8.8.8	192.168.2.4
Feb 24, 2021 13:14:02.238163948 CET	56627	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:14:02.250988960 CET	53	56627	8.8.8.8	192.168.2.4
Feb 24, 2021 13:14:09.074867964 CET	56621	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:14:09.088027954 CET	53	56621	8.8.8.8	192.168.2.4
Feb 24, 2021 13:14:15.085726023 CET	63116	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:14:15.098505974 CET	53	63116	8.8.8.8	192.168.2.4
Feb 24, 2021 13:14:22.417701006 CET	64078	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:14:22.436132908 CET	53	64078	8.8.8.8	192.168.2.4
Feb 24, 2021 13:14:28.412439108 CET	64801	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:14:28.426688910 CET	53	64801	8.8.8.8	192.168.2.4
Feb 24, 2021 13:14:33.431617022 CET	61721	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:14:33.444726944 CET	53	61721	8.8.8.8	192.168.2.4
Feb 24, 2021 13:14:39.464747906 CET	51255	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:14:39.476856947 CET	53	51255	8.8.8.8	192.168.2.4
Feb 24, 2021 13:14:45.461611032 CET	61522	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:14:45.474519014 CET	53	61522	8.8.8.8	192.168.2.4
Feb 24, 2021 13:14:50.474667072 CET	52337	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:14:50.487652063 CET	53	52337	8.8.8.8	192.168.2.4
Feb 24, 2021 13:14:56.498562098 CET	55046	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:14:56.512487888 CET	53	55046	8.8.8.8	192.168.2.4
Feb 24, 2021 13:15:02.586545944 CET	49612	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:15:02.599725962 CET	53	49612	8.8.8.8	192.168.2.4
Feb 24, 2021 13:15:07.471865892 CET	49285	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:15:07.484658003 CET	53	49285	8.8.8.8	192.168.2.4
Feb 24, 2021 13:15:13.572782993 CET	50601	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:15:13.585798979 CET	53	50601	8.8.8.8	192.168.2.4
Feb 24, 2021 13:15:19.536489010 CET	60875	53	192.168.2.4	8.8.8.8
Feb 24, 2021 13:15:19.549335957 CET	53	60875	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Feb 24, 2021 13:13:35.121257067 CET	192.168.2.4	8.8.8.8	0x9539	Standard query (0)	wilsonzz.webredirect.org	A (IP address)	IN (0x0001)
Feb 24, 2021 13:13:42.266710043 CET	192.168.2.4	8.8.8.8	0x49ac	Standard query (0)	wilsonzz.webredirect.org	A (IP address)	IN (0x0001)
Feb 24, 2021 13:13:48.899710894 CET	192.168.2.4	8.8.8.8	0x4a5f	Standard query (0)	wilsonzz.webredirect.org	A (IP address)	IN (0x0001)
Feb 24, 2021 13:13:55.219964027 CET	192.168.2.4	8.8.8.8	0x63f9	Standard query (0)	wilsonzz.webredirect.org	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:02.238163948 CET	192.168.2.4	8.8.8.8	0x77ff	Standard query (0)	wilsonzz.webredirect.org	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:09.074867964 CET	192.168.2.4	8.8.8.8	0xb207	Standard query (0)	wilsonzz.webredirect.org	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:15.085726023 CET	192.168.2.4	8.8.8.8	0x490f	Standard query (0)	wilsonzz.webredirect.org	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:22.417701006 CET	192.168.2.4	8.8.8.8	0xfe97	Standard query (0)	wilsonzz.webredirect.org	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:28.412439108 CET	192.168.2.4	8.8.8.8	0x8800	Standard query (0)	wilsonzz.webredirect.org	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:33.431617022 CET	192.168.2.4	8.8.8.8	0x5374	Standard query (0)	wilsonzz.webredirect.org	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:39.464747906 CET	192.168.2.4	8.8.8.8	0x7d1	Standard query (0)	wilsonzz.webredirect.org	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:45.461611032 CET	192.168.2.4	8.8.8.8	0x8527	Standard query (0)	wilsonzz.webredirect.org	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:50.474667072 CET	192.168.2.4	8.8.8.8	0x967e	Standard query (0)	wilsonzz.webredirect.org	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:56.498562098 CET	192.168.2.4	8.8.8.8	0x5f52	Standard query (0)	wilsonzz.webredirect.org	A (IP address)	IN (0x0001)
Feb 24, 2021 13:15:02.586545944 CET	192.168.2.4	8.8.8.8	0x4721	Standard query (0)	wilsonzz.webredirect.org	A (IP address)	IN (0x0001)
Feb 24, 2021 13:15:07.471865892 CET	192.168.2.4	8.8.8.8	0xe71f	Standard query (0)	wilsonzz.webredirect.org	A (IP address)	IN (0x0001)
Feb 24, 2021 13:15:13.572782993 CET	192.168.2.4	8.8.8.8	0x8222	Standard query (0)	wilsonzz.webredirect.org	A (IP address)	IN (0x0001)
Feb 24, 2021 13:15:19.536489010 CET	192.168.2.4	8.8.8.8	0x9f56	Standard query (0)	wilsonzz.webredirect.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Feb 24, 2021 13:13:35.292083979 CET	8.8.8.8	192.168.2.4	0x9539	No error (0)	wilsonzz.webredirect.org	89.163.237.88	A (IP address)	IN (0x0001)
Feb 24, 2021 13:13:42.433168888 CET	8.8.8.8	192.168.2.4	0x49ac	No error (0)	wilsonzz.webredirect.org	89.163.237.88	A (IP address)	IN (0x0001)
Feb 24, 2021 13:13:48.914328098 CET	8.8.8.8	192.168.2.4	0x4a5f	No error (0)	wilsonzz.webredirect.org	89.163.237.88	A (IP address)	IN (0x0001)
Feb 24, 2021 13:13:55.390961885 CET	8.8.8.8	192.168.2.4	0x63f9	No error (0)	wilsonzz.webredirect.org	89.163.237.88	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:02.250988960 CET	8.8.8.8	192.168.2.4	0x77ff	No error (0)	wilsonzz.webredirect.org	89.163.237.88	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:09.088027954 CET	8.8.8.8	192.168.2.4	0xb207	No error (0)	wilsonzz.webredirect.org	89.163.237.88	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:15.098505974 CET	8.8.8.8	192.168.2.4	0x490f	No error (0)	wilsonzz.webredirect.org	89.163.237.88	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:22.436132908 CET	8.8.8.8	192.168.2.4	0xfe97	No error (0)	wilsonzz.webredirect.org	89.163.237.88	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:28.426688910 CET	8.8.8.8	192.168.2.4	0x8800	No error (0)	wilsonzz.webredirect.org	89.163.237.88	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:33.444726944 CET	8.8.8.8	192.168.2.4	0x5374	No error (0)	wilsonzz.webredirect.org	89.163.237.88	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:39.476856947 CET	8.8.8.8	192.168.2.4	0x7d1	No error (0)	wilsonzz.webredirect.org	89.163.237.88	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:45.474519014 CET	8.8.8.8	192.168.2.4	0x8527	No error (0)	wilsonzz.webredirect.org	89.163.237.88	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:50.487652063 CET	8.8.8.8	192.168.2.4	0x967e	No error (0)	wilsonzz.webredirect.org	89.163.237.88	A (IP address)	IN (0x0001)
Feb 24, 2021 13:14:56.512487888 CET	8.8.8.8	192.168.2.4	0x5f52	No error (0)	wilsonzz.webredirect.org	89.163.237.88	A (IP address)	IN (0x0001)
Feb 24, 2021 13:15:02.599725962 CET	8.8.8.8	192.168.2.4	0x4721	No error (0)	wilsonzz.webredirect.org	89.163.237.88	A (IP address)	IN (0x0001)
Feb 24, 2021 13:15:07.484658003 CET	8.8.8.8	192.168.2.4	0xe71f	No error (0)	wilsonzz.webredirect.org	89.163.237.88	A (IP address)	IN (0x0001)
Feb 24, 2021 13:15:13.585798979 CET	8.8.8.8	192.168.2.4	0x8222	No error (0)	wilsonzz.webredirect.org	89.163.237.88	A (IP address)	IN (0x0001)
Feb 24, 2021 13:15:19.549335957 CET	8.8.8.8	192.168.2.4	0x9f56	No error (0)	wilsonzz.webredirect.org	89.163.237.88	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: Items_02559-02663.pdf.exe PID: 1680 Parent PID: 5896

General

Start time:	13:13:11
Start date:	24/02/2021
Path:	C:\Users\user\Desktop\Items_02559-02663.pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\Items_02559-02663.pdf.exe'
Imagebase:	0x1e0000
File size:	770048 bytes
MD5 hash:	69B99B73945755DF4628529E5A1BF6F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.687231789.0000000003B89000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: schtasks.exe PID: 1900 Parent PID: 1680

General

Start time:	13:13:28
Start date:	24/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmp71AB.tmp'
Imagebase:	0x230000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 3220 Parent PID: 1900

General

Start time:	13:13:28
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: Items_02559-02663.pdf.exe PID: 2920 Parent PID: 1680

General

Start time:	13:13:29
Start date:	24/02/2021
Path:	C:\Users\user\Desktop\Items_02559-02663.pdf.exe
Wow64 process (32bit):	false
Commandline:	{path}
Imagebase:	0x3a0000
File size:	770048 bytes
MD5 hash:	69B99B73945755DF4628529E5A1BF6F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low

Analysis Process: Items_02559-02663.pdf.exe PID: 1440 Parent PID: 1680

General

Start time:	13:13:29
Start date:	24/02/2021
Path:	C:\Users\user\Desktop\Items_02559-02663.pdf.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0x990000
File size:	770048 bytes
MD5 hash:	69B99B73945755DF4628529E5A1BF6F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.908925138.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.910239733.0000000002D61000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: schtasks.exe PID: 5716 Parent PID: 1440

General

Start time:	13:13:31
Start date:	24/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'schtasks.exe' /create /f /tn 'DHCP Monitor' /xml 'C:\Users\user\AppData\Local\Temp\tmp1EF7.tmp'
Imagebase:	0x230000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 2860 Parent PID: 5716

General

Start time:	13:13:32
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: Items_02559-02663.pdf.exe PID: 472 Parent PID: 968

General

Start time:	13:13:33
Start date:	24/02/2021
Path:	C:\Users\user\Desktop\Items_02559-02663.pdf.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\Items_02559-02663.pdf.exe 0
Imagebase:	0xf60000
File size:	770048 bytes
MD5 hash:	69B99B73945755DF4628529E5A1BF6F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000007.00000002.725225610.0000000004839000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Analysis Process: schtasks.exe PID: 5688 Parent PID: 472

General

Start time:	13:13:46
Start date:	24/02/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\jZWRPYaLXncddo' /XML 'C:\Users\user\AppData\Local\Temp\tmpBA1E.tmp'
Imagebase:	0x230000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: conhost.exe PID: 5912 Parent PID: 5688

General

Start time:	13:13:47
Start date:	24/02/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff724c50000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: Items_02559-02663.pdf.exe PID: 5880 Parent PID: 472

General

Start time:	13:13:47
Start date:	24/02/2021
Path:	C:\Users\user\Desktop\Items_02559-02663.pdf.exe
Wow64 process (32bit):	true
Commandline:	{path}
Imagebase:	0xcf0000
File size:	770048 bytes
MD5 hash:	69B99B73945755DF4628529E5A1BF6F8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.735464765.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.738210000.00000000041E9000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 0000000A.00000002.737807407.00000000031E1000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 0000000A.00000002.737807407.00000000031E1000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Disassembly

Code Analysis

Reset < >

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to achieve execution. WMI is a Windows administration feature that provides a uniform environment for local and remote access to Windows system components. It relies on the WMI service for local and remote access and the server message block (SMB) and Remote Procedure Call Service (RPCS) for remote access. RPCS operates over port 135.
Tactics:	Execution
Data Sources:	Authentication logs, Netflow/Enclave netflow, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Items_02559-02663.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Private

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Snort IDS Alerts

Network Port Distribution

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre