Play interactive tour

Edit tour

Analysis Report URGENTPURCHASEORDER.pdf.exe

Overview

General Information

Sample Name:	URGENTPURCHASEORDER.pdf.exe
Analysis ID:	384939
MD5:	5bee945f3539cde8ab9b042587aa2055
SHA1:	5387b06c509be731ce77ecab9719b68a8de1acf5
SHA256:	d060635884dda22139a083da8e1caff1c05f41f3b3ca36d901894c839e22243d
Tags:	exeNanoCoreRAT
Infos:
Most interesting Screenshot:

Detection

Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected Nanocore Rat

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Sigma detected: NanoCore

Sigma detected: Scheduled temp file as task from temp location

Yara detected AntiVM3

Yara detected Nanocore RAT

.NET source code contains potential unpacker

C2 URLs / IPs found in malware configuration

Initial sample is a PE file and has a suspicious name

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Uses an obfuscated file name to hide its real file extension (double extension)

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Writes to foreign memory regions

Antivirus or Machine Learning detection for unpacked file

Binary contains a suspicious time stamp

Contains capabilities to detect virtual machines

Contains functionality to call native functions

Contains long sleeps (>= 3 min)

Creates a DirectInput object (often for capturing keystrokes)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Installs a raw input device (often for capturing keystrokes)

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Startup

System is w10x64

URGENTPURCHASEORDER.pdf.exe (PID: 5596 cmdline: 'C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe' MD5: 5BEE945F3539CDE8AB9B042587AA2055)

schtasks.exe (PID: 2792 cmdline: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ewIkYvfY' /XML 'C:\Users\user\AppData\Local\Temp\tmpD681.tmp' MD5: 15FF7D8324231381BAD48A052F85DF04)

conhost.exe (PID: 1724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

RegSvcs.exe (PID: 6036 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe MD5: 2867A3817C9245F7CF518524DFD18F28)

cleanup

Malware Configuration

Threatname: NanoCore

{"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Domain1": "185.140.53.138", "Domain2": "wealth2021.ddns.net", "Port": 20221, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
00000004.00000002.481258599.0000000005320000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000004.00000002.481258599.0000000005320000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
00000004.00000002.472813842.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000004.00000002.472813842.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.472813842.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000004.00000002.476797525.0000000002E71000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.244541522.00000000042CC000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x114765:$x1: NanoCore.ClientPluginHost 0x146f85:$x1: NanoCore.ClientPluginHost 0x1147a2:$x2: IClientNetworkHost 0x146fc2:$x2: IClientNetworkHost 0x1182d5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x14aaf5:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000000.00000002.244541522.00000000042CC000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000000.00000002.244541522.00000000042CC000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x1144cd:$a: NanoCore 0x1144dd:$a: NanoCore 0x114711:$a: NanoCore 0x114725:$a: NanoCore 0x114765:$a: NanoCore 0x146ced:$a: NanoCore 0x146cfd:$a: NanoCore 0x146f31:$a: NanoCore 0x146f45:$a: NanoCore 0x146f85:$a: NanoCore 0x11452c:$b: ClientPlugin 0x11472e:$b: ClientPlugin 0x11476e:$b: ClientPlugin 0x146d4c:$b: ClientPlugin 0x146f4e:$b: ClientPlugin 0x146f8e:$b: ClientPlugin 0x114653:$c: ProjectData 0x146e73:$c: ProjectData 0x11505a:$d: DESCrypto 0x14787a:$d: DESCrypto 0x11ca26:$e: KeepAlive
00000004.00000002.480543359.0000000003EAC000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000004.00000002.480543359.0000000003EAC000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xff25:$a: NanoCore 0xff7e:$a: NanoCore 0xffbb:$a: NanoCore 0x10034:$a: NanoCore 0x236df:$a: NanoCore 0x236f4:$a: NanoCore 0x23729:$a: NanoCore 0x3c1ab:$a: NanoCore 0x3c1c0:$a: NanoCore 0x3c1f5:$a: NanoCore 0xff87:$b: ClientPlugin 0xffc4:$b: ClientPlugin 0x108c2:$b: ClientPlugin 0x108cf:$b: ClientPlugin 0x2349b:$b: ClientPlugin 0x234b6:$b: ClientPlugin 0x234e6:$b: ClientPlugin 0x236fd:$b: ClientPlugin 0x23732:$b: ClientPlugin 0x3bf67:$b: ClientPlugin 0x3bf82:$b: ClientPlugin
00000004.00000002.481272072.0000000005330000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
00000004.00000002.481272072.0000000005330000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
00000004.00000002.481272072.0000000005330000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6036	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x429f7:$x1: NanoCore.ClientPluginHost 0x6ff50:$x1: NanoCore.ClientPluginHost 0x180670:$x1: NanoCore.ClientPluginHost 0x18622f:$x1: NanoCore.ClientPluginHost 0x1970bd:$x1: NanoCore.ClientPluginHost 0x42a1d:$x2: IClientNetworkHost 0x6ffb1:$x2: IClientNetworkHost 0x180696:$x2: IClientNetworkHost 0x186274:$x2: IClientNetworkHost 0x197102:$x2: IClientNetworkHost 0x753b6:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x83328:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
Process Memory Space: RegSvcs.exe PID: 6036	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
Process Memory Space: RegSvcs.exe PID: 6036	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x355d5:$a: NanoCore 0x3563c:$a: NanoCore 0x356df:$a: NanoCore 0x428e9:$a: NanoCore 0x4298a:$a: NanoCore 0x429f7:$a: NanoCore 0x42ab8:$a: NanoCore 0x43989:$a: NanoCore 0x439dc:$a: NanoCore 0x43a15:$a: NanoCore 0x43a88:$a: NanoCore 0x6fa55:$a: NanoCore 0x6fa71:$a: NanoCore 0x6fbcc:$a: NanoCore 0x6fbdb:$a: NanoCore 0x6feb4:$a: NanoCore 0x6fee0:$a: NanoCore 0x6ff50:$a: NanoCore 0x7f992:$a: NanoCore 0x7f9a4:$a: NanoCore 0x7f9e0:$a: NanoCore
Process Memory Space: URGENTPURCHASEORDER.pdf.exe PID: 5596	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Click to see the 14 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.RegSvcs.exe.5320000.6.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
4.2.RegSvcs.exe.5320000.6.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
4.2.RegSvcs.exe.3ebb146.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0x145e3:$x1: NanoCore.ClientPluginHost 0x2d0af:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost 0x14610:$x2: IClientNetworkHost 0x2d0dc:$x2: IClientNetworkHost
4.2.RegSvcs.exe.3ebb146.2.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x145e3:$x2: NanoCore.ClientPluginHost 0x2d0af:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0x156be:$s4: PipeCreated 0x2e18a:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost 0x145fd:$s5: IClientLoggingHost 0x2d0c9:$s5: IClientLoggingHost
4.2.RegSvcs.exe.3ebb146.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.3ebb146.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xddf:$a: NanoCore 0xe38:$a: NanoCore 0xe75:$a: NanoCore 0xeee:$a: NanoCore 0x14599:$a: NanoCore 0x145ae:$a: NanoCore 0x145e3:$a: NanoCore 0x2d065:$a: NanoCore 0x2d07a:$a: NanoCore 0x2d0af:$a: NanoCore 0xe41:$b: ClientPlugin 0xe7e:$b: ClientPlugin 0x177c:$b: ClientPlugin 0x1789:$b: ClientPlugin 0x14355:$b: ClientPlugin 0x14370:$b: ClientPlugin 0x143a0:$b: ClientPlugin 0x145b7:$b: ClientPlugin 0x145ec:$b: ClientPlugin 0x2ce21:$b: ClientPlugin 0x2ce3c:$b: ClientPlugin
4.2.RegSvcs.exe.5334629.7.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost
4.2.RegSvcs.exe.5334629.7.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost
4.2.RegSvcs.exe.5334629.7.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
4.2.RegSvcs.exe.400000.0.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xff05:$x1: NanoCore Client.exe 0x1018d:$x2: NanoCore.ClientPluginHost 0x117c6:$s1: PluginCommand 0x117ba:$s2: FileCommand 0x1266b:$s3: PipeExists 0x18422:$s4: PipeCreated 0x101b7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.400000.0.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.400000.0.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x1007b:$c: ProjectData 0x10a82:$d: DESCrypto 0x1844e:$e: KeepAlive 0x1643c:$g: LogClientMessage 0x12637:$i: get_Connected 0x10db8:$j: #=q 0x10de8:$j: #=q 0x10e04:$j: #=q 0x10e34:$j: #=q 0x10e50:$j: #=q 0x10e6c:$j: #=q 0x10e9c:$j: #=q 0x10eb8:$j: #=q
4.2.RegSvcs.exe.3ebff7c.3.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
4.2.RegSvcs.exe.3ebff7c.3.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.3ebff7c.3.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.5330000.8.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xd9ad:$x1: NanoCore.ClientPluginHost 0xd9da:$x2: IClientNetworkHost
4.2.RegSvcs.exe.5330000.8.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xd9ad:$x2: NanoCore.ClientPluginHost 0xea88:$s4: PipeCreated 0xd9c7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.5330000.8.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.3ebff7c.3.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0x28279:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost 0x282a6:$x2: IClientNetworkHost
4.2.RegSvcs.exe.3ebff7c.3.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x28279:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0x29354:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost 0x28293:$s5: IClientLoggingHost
4.2.RegSvcs.exe.3ebff7c.3.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe38d:$x1: NanoCore.ClientPluginHost 0xe3ca:$x2: IClientNetworkHost 0x11efd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe105:$x1: NanoCore Client.exe 0xe38d:$x2: NanoCore.ClientPluginHost 0xf9c6:$s1: PluginCommand 0xf9ba:$s2: FileCommand 0x1086b:$s3: PipeExists 0x16622:$s4: PipeCreated 0xe3b7:$s5: IClientLoggingHost
0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xe0f5:$a: NanoCore 0xe105:$a: NanoCore 0xe339:$a: NanoCore 0xe34d:$a: NanoCore 0xe38d:$a: NanoCore 0xe154:$b: ClientPlugin 0xe356:$b: ClientPlugin 0xe396:$b: ClientPlugin 0xe27b:$c: ProjectData 0xec82:$d: DESCrypto 0x1664e:$e: KeepAlive 0x1463c:$g: LogClientMessage 0x10837:$i: get_Connected 0xefb8:$j: #=q 0xefe8:$j: #=q 0xf004:$j: #=q 0xf034:$j: #=q 0xf050:$j: #=q 0xf06c:$j: #=q 0xf09c:$j: #=q 0xf0b8:$j: #=q
4.2.RegSvcs.exe.2e9ccfc.1.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
4.2.RegSvcs.exe.2e9ccfc.1.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
4.2.RegSvcs.exe.5330000.8.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xf7ad:$x1: NanoCore.ClientPluginHost 0xf7da:$x2: IClientNetworkHost
4.2.RegSvcs.exe.5330000.8.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xf7ad:$x2: NanoCore.ClientPluginHost 0x10888:$s4: PipeCreated 0xf7c7:$s5: IClientLoggingHost
4.2.RegSvcs.exe.5330000.8.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
4.2.RegSvcs.exe.3ec45a5.4.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xb184:$x1: NanoCore.ClientPluginHost 0x23c50:$x1: NanoCore.ClientPluginHost 0xb1b1:$x2: IClientNetworkHost 0x23c7d:$x2: IClientNetworkHost
4.2.RegSvcs.exe.3ec45a5.4.raw.unpack	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xb184:$x2: NanoCore.ClientPluginHost 0x23c50:$x2: NanoCore.ClientPluginHost 0xc25f:$s4: PipeCreated 0x24d2b:$s4: PipeCreated 0xb19e:$s5: IClientLoggingHost 0x23c6a:$s5: IClientLoggingHost
4.2.RegSvcs.exe.3ec45a5.4.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.raw.unpack	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1018d:$x1: NanoCore.ClientPluginHost 0x429ad:$x1: NanoCore.ClientPluginHost 0x101ca:$x2: IClientNetworkHost 0x429ea:$x2: IClientNetworkHost 0x13cfd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe 0x4651d:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.raw.unpack	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.raw.unpack	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfef5:$a: NanoCore 0xff05:$a: NanoCore 0x10139:$a: NanoCore 0x1014d:$a: NanoCore 0x1018d:$a: NanoCore 0x42715:$a: NanoCore 0x42725:$a: NanoCore 0x42959:$a: NanoCore 0x4296d:$a: NanoCore 0x429ad:$a: NanoCore 0xff54:$b: ClientPlugin 0x10156:$b: ClientPlugin 0x10196:$b: ClientPlugin 0x42774:$b: ClientPlugin 0x42976:$b: ClientPlugin 0x429b6:$b: ClientPlugin 0x1007b:$c: ProjectData 0x4289b:$c: ProjectData 0x10a82:$d: DESCrypto 0x432a2:$d: DESCrypto 0x1844e:$e: KeepAlive
Click to see the 32 entries

Sigma Overview

System Summary:

Sigma detected: NanoCore

Show sources

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, ProcessId: 6036, TargetFilename: C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat

Sigma detected: Scheduled temp file as task from temp location

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ewIkYvfY' /XML 'C:\Users\user\AppData\Local\Temp\tmpD681.tmp', CommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ewIkYvfY' /XML 'C:\Users\user\AppData\Local\Temp\tmpD681.tmp', CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: 'C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe' , ParentImage: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe, ParentProcessId: 5596, ProcessCommandLine: 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ewIkYvfY' /XML 'C:\Users\user\AppData\Local\Temp\tmpD681.tmp', ProcessId: 2792

Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Found malware configuration

Show sources

Source: 00000004.00000002.480543359.0000000003EAC000.00000004.00000001.sdmp

Malware Configuration Extractor: NanoCore {"Version": "1.2.2.0", "Mutex": "6f656d69-7475-8807-1300-000c0a4c", "Domain1": "185.140.53.138", "Domain2": "wealth2021.ddns.net", "Port": 20221, "KeyboardLogging": "Enable", "RunOnStartup": "Disable", "RequestElevation": "Disable", "BypassUAC": "Disable", "ClearZoneIdentifier": "Disable", "ClearAccessControl": "Disable", "SetCriticalProcess": "Disable", "PreventSystemSleep": "Disable", "ActivateAwayMode": "Disable", "EnableDebugMode": "Disable", "RunDelay": 0, "ConnectDelay": 4000, "RestartDelay": 5000, "TimeoutInterval": 5000, "KeepAliveTimeout": 30000, "MutexTimeout": 5000, "LanTimeout": 2500, "WanTimeout": 8000, "BufferSize": "ffff0000", "MaxPacketSize": "0000a000", "GCThreshold": "0000a000", "UseCustomDNS": "Enable", "PrimaryDNSServer": "8.8.8.8", "BackupDNSServer": "8.8.4.4"}

Multi AV Scanner detection for submitted file

Show sources

Source: URGENTPURCHASEORDER.pdf.exe

Virustotal: Detection: 26%

Perma Link

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.472813842.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476797525.0000000002E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.244541522.00000000042CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.480543359.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.481272072.0000000005330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6036, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.3ebb146.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5334629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ebff7c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5330000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ebff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5330000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ec45a5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.raw.unpack, type: UNPACKEDPE

Source: 4.2.RegSvcs.exe.400000.0.unpack	Avira: Label: TR/Dropper.MSIL.Gen7
Source: 4.2.RegSvcs.exe.5330000.8.unpack	Avira: Label: TR/NanoCore.fadte

Source: URGENTPURCHASEORDER.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: URGENTPURCHASEORDER.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0322A278
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0322A269
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0322B8E0
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 4x nop then mov dword ptr [ebp-18h], 00000000h	0_2_0322B8C9

Networking:

C2 URLs / IPs found in malware configuration

Show sources

Source: Malware configuration extractor	URLs: wealth2021.ddns.net
Source: Malware configuration extractor	URLs: 185.140.53.138

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: wealth2021.ddns.net

Source: global traffic

TCP traffic: 192.168.2.3:49719 -> 185.140.53.138:20221

Source: Joe Sandbox View

IP Address: 185.140.53.138 185.140.53.138

Source: Joe Sandbox View

ASN Name: DAVID_CRAIGGG DAVID_CRAIGGG

Source: unknown

DNS traffic detected: queries for: wealth2021.ddns.net

Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp, URGENTPURCHASEORDER.pdf.exe, 00000000.00000003.207529567.000000000629B000.00000004.00000001.sdmp	String found in binary or memory: http://fontfabrik.com
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244242727.0000000003378000.00000004.00000001.sdmp, URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244148891.00000000032C1000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244242727.0000000003378000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.carterandcone.coml
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/?
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers8
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designers?
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.fontbureau.com/designersG
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.243967401.0000000001917000.00000004.00000040.sdmp	String found in binary or memory: http://www.fontbureau.coma
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000003.207232444.000000000629B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.com
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000003.207205164.000000000629B000.00000004.00000001.sdmp	String found in binary or memory: http://www.fonts.comc
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000003.209079914.000000000628C000.00000004.00000001.sdmp	String found in binary or memory: http://www.founder.com.cn/cny
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.goodfont.co.kr
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.sajatypeworks.com
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.sakkal.com
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.sandoll.co.kr
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.com
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000003.207529567.000000000629B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comlic
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000003.208137460.000000000629B000.00000004.00000001.sdmp	String found in binary or memory: http://www.tiro.comn
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.typography.netD
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.urwpp.deDPlease
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	String found in binary or memory: http://www.zhongyicts.com.cn
Source: URGENTPURCHASEORDER.pdf.exe	String found in binary or memory: https://discord.gg/uMe7S9Q
Source: URGENTPURCHASEORDER.pdf.exe	String found in binary or memory: https://github.com/owhenky/IViewBasic
Source: URGENTPURCHASEORDER.pdf.exe	String found in binary or memory: https://github.com/owhenky/IViewBasic5https://discord.gg/uMe7S9QU495374727563747572616C436F6D7061726
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	String found in binary or memory: https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css

Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.243707217.0000000001528000.00000004.00000020.sdmp

Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

Source: RegSvcs.exe, 00000004.00000002.480543359.0000000003EAC000.00000004.00000001.sdmp

Binary or memory string: RegisterRawInputDevices

E-Banking Fraud:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.472813842.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476797525.0000000002E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.244541522.00000000042CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.480543359.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.481272072.0000000005330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6036, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.3ebb146.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5334629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ebff7c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5330000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ebff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5330000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ec45a5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.raw.unpack, type: UNPACKEDPE

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 00000004.00000002.481258599.0000000005320000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.472813842.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000004.00000002.472813842.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.244541522.00000000042CC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000000.00000002.244541522.00000000042CC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.480543359.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000004.00000002.481272072.0000000005330000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 6036, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: Process Memory Space: RegSvcs.exe PID: 6036, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.5320000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.3ebb146.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.3ebb146.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.5334629.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.3ebff7c.3.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.5330000.8.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.3ebff7c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 4.2.RegSvcs.exe.2e9ccfc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.5330000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 4.2.RegSvcs.exe.3ec45a5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Initial sample is a PE file and has a suspicious name

Show sources

Source: initial sample	Static PE information: Filename: URGENTPURCHASEORDER.pdf.exe
Source: initial sample	Static PE information: Filename: URGENTPURCHASEORDER.pdf.exe

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe

Code function: 0_2_07875ACC NtQueryInformationProcess,

0_2_07875ACC

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_00EBC0EF	0_2_00EBC0EF
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_00EB4DCA	0_2_00EB4DCA
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_00EBECCE	0_2_00EBECCE
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_00EB79AB	0_2_00EB79AB
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_018FB264	0_2_018FB264
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_018FDF50	0_2_018FDF50
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_018FC2B0	0_2_018FC2B0
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_018FB258	0_2_018FB258
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_018F9990	0_2_018F9990
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03225340	0_2_03225340
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03225A58	0_2_03225A58
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03226070	0_2_03226070
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03220040	0_2_03220040
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_032288CC	0_2_032288CC
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03226F58	0_2_03226F58
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_0322A7A8	0_2_0322A7A8
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03225330	0_2_03225330
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03226B09	0_2_03226B09
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03226B18	0_2_03226B18
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_032263E8	0_2_032263E8
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_032263F8	0_2_032263F8
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03228A08	0_2_03228A08
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03225A48	0_2_03225A48
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03227183	0_2_03227183
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_032271EA	0_2_032271EA
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_032219C7	0_2_032219C7
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_032271DB	0_2_032271DB
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_032219D8	0_2_032219D8
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03220006	0_2_03220006
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03226062	0_2_03226062
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03226F48	0_2_03226F48
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03222EF0	0_2_03222EF0
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03222EDF	0_2_03222EDF
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03223508	0_2_03223508
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03221CA0	0_2_03221CA0
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03221CB0	0_2_03221CB0
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_032214E8	0_2_032214E8
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_032214F8	0_2_032214F8
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_0787E5A0	0_2_0787E5A0
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_078704E0	0_2_078704E0
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_07877280	0_2_07877280
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_07874098	0_2_07874098
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_07875ED8	0_2_07875ED8
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_07877CA0	0_2_07877CA0
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_07873CB0	0_2_07873CB0
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_07876AE0	0_2_07876AE0
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_07877722	0_2_07877722
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_07877730	0_2_07877730
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_07877488	0_2_07877488
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_07877270	0_2_07877270
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_0787B1E2	0_2_0787B1E2
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_0787B1F0	0_2_0787B1F0
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_07874088	0_2_07874088
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_00EB356B	0_2_00EB356B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02C7E480	4_2_02C7E480
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02C7E471	4_2_02C7E471
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02C7BBD4	4_2_02C7BBD4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02E49788	4_2_02E49788
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02E4F5F8	4_2_02E4F5F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02E4A610	4_2_02E4A610

Source: URGENTPURCHASEORDER.pdf.exe	Binary or memory string: OriginalFilename vs URGENTPURCHASEORDER.pdf.exe
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.253939099.000000000F360000.00000002.00000001.sdmp	Binary or memory string: originalfilename vs URGENTPURCHASEORDER.pdf.exe
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.253939099.000000000F360000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamepropsys.dll.mui@ vs URGENTPURCHASEORDER.pdf.exe
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.243274591.0000000000EB2000.00000002.00020000.sdmp	Binary or memory string: OriginalFilenameIVectorViewToIBindableVectorViewAdapter.exe: vs URGENTPURCHASEORDER.pdf.exe
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.253061420.0000000009170000.00000002.00000001.sdmp	Binary or memory string: OriginalFilenamemscorrc.dllT vs URGENTPURCHASEORDER.pdf.exe
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.252298067.0000000007A10000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameDSASignature.dll" vs URGENTPURCHASEORDER.pdf.exe
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.243707217.0000000001528000.00000004.00000020.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs URGENTPURCHASEORDER.pdf.exe
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.252266939.0000000007880000.00000004.00000001.sdmp	Binary or memory string: OriginalFilenameSimpleUI.dll2 vs URGENTPURCHASEORDER.pdf.exe
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.253732185.000000000F270000.00000002.00000001.sdmp	Binary or memory string: System.OriginalFileName vs URGENTPURCHASEORDER.pdf.exe
Source: URGENTPURCHASEORDER.pdf.exe	Binary or memory string: OriginalFilenameIVectorViewToIBindableVectorViewAdapter.exe: vs URGENTPURCHASEORDER.pdf.exe

Source: URGENTPURCHASEORDER.pdf.exe

Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE

Source: 00000004.00000002.481258599.0000000005320000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.481258599.0000000005320000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000004.00000002.472813842.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.472813842.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000000.00000002.244541522.00000000042CC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000000.00000002.244541522.00000000042CC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.480543359.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000004.00000002.481272072.0000000005330000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000004.00000002.481272072.0000000005330000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Process Memory Space: RegSvcs.exe PID: 6036, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: Process Memory Space: RegSvcs.exe PID: 6036, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.5320000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5320000.6.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3ebb146.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.3ebb146.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3ebb146.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.5334629.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5334629.7.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.3ebff7c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.3ebff7c.3.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5330000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5330000.8.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3ebff7c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.3ebff7c.3.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 4.2.RegSvcs.exe.2e9ccfc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.2e9ccfc.1.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.5330000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.5330000.8.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 4.2.RegSvcs.exe.3ec45a5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 4.2.RegSvcs.exe.3ec45a5.4.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.raw.unpack, type: UNPACKEDPE	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.raw.unpack, type: UNPACKEDPE	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: URGENTPURCHASEORDER.pdf.exe	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: ewIkYvfY.exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqVxXNKnhAcArgJoGGYXiyyQu003du003d.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@6/5@10/1

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe

File created: C:\Users\user\AppData\Roaming\ewIkYvfY.exe

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1724:120:WilError_01
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Mutant created: \Sessions\1\BaseNamedObjects\utKpvRYeYh
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\{ae697278-0563-480d-a326-4f0ab2164ba0}

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe

File created: C:\Users\user\AppData\Local\Temp\tmpD681.tmp

Jump to behavior

Source: URGENTPURCHASEORDER.pdf.exe

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll			Jump to behavior

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	Binary or memory string: Select * from UnmanagedMemoryStreamWrapper WHERE modelo=@modelo;?
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	Binary or memory string: Select * from Clientes WHERE id=@id;;
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	Binary or memory string: Select * from Aluguel5Erro ao listar Banco sql-UnmanagedMemoryStreamWrapper.INSERT INTO Aluguel VALUES(@clienteID, @data);
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO UnmanagedMemoryStreamWrapper VALUES(@modelo, @fabricante, @ano, @cor);
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Itens_Aluguel VALUES(@aluguelID, @aviaoID, @validade);
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	Binary or memory string: Insert into Clientes values (@nome, @cpf, @rg, @cidade, @endereco, @uf, @telefone);
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	Binary or memory string: INSERT INTO Aluguel VALUES(@clienteID, @data);

Source: URGENTPURCHASEORDER.pdf.exe

Virustotal: Detection: 26%

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe

File read: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe 'C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe'
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ewIkYvfY' /XML 'C:\Users\user\AppData\Local\Temp\tmpD681.tmp'
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ewIkYvfY' /XML 'C:\Users\user\AppData\Local\Temp\tmpD681.tmp'	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Jump to behavior

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{95E15D0A-66E6-93D9-C53C-76E6219D3341}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: URGENTPURCHASEORDER.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: URGENTPURCHASEORDER.pdf.exe

Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT

Source: URGENTPURCHASEORDER.pdf.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqjIje6jGWLd2EOkfZXKqBbgu003du003d.cs	.Net Code: #=q_FL69pQf17BUSAFbWYu1SStMAbdu$R1GJ8VY8UL5_EA= System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqxoz66kOqvxr21iYXZYXWiumy9eZGwFWaiX4C5X8aecUu003d.cs	.Net Code: #=qKU0J1fiP8KA33eFK1owekQ== System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])

Source: URGENTPURCHASEORDER.pdf.exe

Static PE information: 0xEDF3B22F [Tue Jul 3 16:24:15 2096 UTC]

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_00EBF329 push cs; ret	0_2_00EBF4B8
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Code function: 0_2_03220CB2 pushfd ; iretd	0_2_03220CF9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02E4A20C push FFFFFF8Bh; iretd	4_2_02E4A1CC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Code function: 4_2_02E469F8 pushad ; retf	4_2_02E469F9

Source: initial sample	Static PE information: section name: .text entropy: 7.84426548095
Source: initial sample	Static PE information: section name: .text entropy: 7.84426548095

Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqJT4I5hOweIku0024xYFEeDszbikglXCuquUdu0024v9AXtyq2nsu003d.cs	High entropy of concatenated method names: '#=qBeOBlH6CwHFnQdZWWBgZ_pemudZ6CfCVcfOQtgpeG$Y=', '#=q5v5cLSMFBaxiTtOEjscx86gN2ozXlfytiL6UmXnyWtg=', '#=q_XA5h2lVGHLcY9dK754wKGrOjAm6aBbwPxcUJXgJThJUz83kMbCL53G5uuOLP6Rq', '#=qIFfr$DrKqIieRc688$vylAlBsEnx9Z3$TxvrDsPURfM=', '#=qejgvNXJQvgM2GomZsygLjreyguSPQ29pQHqjR_a0dWk=', '#=qCGokdf0OOxeMJLDkXSfc3NPmwygIQ29RjKQWj$wbNGB9C1pPgma_891QiNyTRXcA', '#=qDqyUVyJLXCtYqhZ0$opqkomqhUBn2WCeEEvGAXlNQ$I=', '#=qdImPAY1o3YhbLtukwCQ91cISaeIEWRKSYrGZ3dTVnkY=', '#=qza7O1AHrroJC7yRIJz4wINR_Sgo4hDpQrj_OYfIrlJE=', '#=q6Ct3QmvVLFC7my$dL1uEiHGmXJ5qCuK4WIhDwfhPTFs='
Source: 4.2.RegSvcs.exe.400000.0.unpack, u0023u003dqWrm21vQ8CBMZP_RBTwpusAu003du003d.cs	High entropy of concatenated method names: '#=qCgU$tDqtOAyz2b$RwfSF7UzBcCAr0rFJWxm16x7Lre0=', '#=qeD3MBfedCIuKIQf9V1u2N3YS4VXE_FOHqw_XAjWtZK8=', '#=q$mvEHEBkZud$AdHPWqsMQnw5Xm5sD4vBSSmqrKuXGOk=', '#=qZaN94n8dM6tBEf$qCdY2kbTZb5BOW8Z134$2tNv7EJs=', '#=qtlZnL8mho$rv1eTFz0Mw9UYFC_yCabEZ0xtVePn6wR5aSHE7ti3UfKg2l7D0_xk8', '#=qVS$QmQjvFfsXSqQAKGSl6HGbkse2SG0XCab4upVjtRJkvhTEk$oIS2I9Zja7id1Q', '#=qxJg7RxTW1v5mnt12xXeJiYJv_bcctbtL2BCD5MjDi45Hlz6t8vwDNTv1Rv7tgIct', '#=qp$ZVC1r9spi890l$D7IwEd3faoKeWHvv42mVq8wIIWM=', '#=qCoWHlVuoVRMkOzC7RZubJCslkxaEWn9yZiIydECf69$ktj0IPD5wAwC2H5Cc8C$L', '#=qqs1moO$mYaS72OXOWe0Z6GycslEb6e9Ipoy7ppW0O5abIp05ajv8doqdJZHlN3cK'

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe

File created: C:\Users\user\AppData\Roaming\ewIkYvfY.exe

Jump to dropped file

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules

Show sources

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe

Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ewIkYvfY' /XML 'C:\Users\user\AppData\Local\Temp\tmpD681.tmp'

Hooking and other Techniques for Hiding and Protection:

Uses an obfuscated file name to hide its real file extension (double extension)

Show sources

Source: Possible double extension: pdf.exe

Static PE information: URGENTPURCHASEORDER.pdf.exe

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Yara detected AntiVM3

Show sources

Source: Yara match	File source: 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: URGENTPURCHASEORDER.pdf.exe PID: 5596, type: MEMORY

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	Binary or memory string: WINE_GET_UNIX_FILE_NAME
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	Binary or memory string: SBIEDLL.DLL

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe

File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}

Jump to behavior

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 4460	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: threadDelayed 5221	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Window / User API: foregroundWindowGot 885	Jump to behavior

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe TID: 6132	Thread sleep time: -103764s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe TID: 5604	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Thread delayed: delay time: 103764	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.481804862.00000000067D0000.00000002.00000001.sdmp	Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	Binary or memory string: C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	Binary or memory string: SOFTWARE\VMware, Inc.\VMware Tools
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II!Add-MpPreference -ExclusionPath "
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.253258204.0000000009263000.00000004.00000001.sdmp	Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\.
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	Binary or memory string: VMWARE
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	Binary or memory string: InstallPath%C:\PROGRAM FILES\VMWARE\VMWARE TOOLS\
Source: RegSvcs.exe, 00000004.00000002.481804862.00000000067D0000.00000002.00000001.sdmp	Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: RegSvcs.exe, 00000004.00000002.481804862.00000000067D0000.00000002.00000001.sdmp	Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	Binary or memory string: VMWARE"SOFTWARE\VMware, Inc.\VMware ToolsLHARDWARE\DEVICEMAP\Scsi\Scsi Port 1\Scsi Bus 0\Target Id 0\Logical Unit Id 0LHARDWARE\DEVICEMAP\Scsi\Scsi Port 2\Scsi Bus 0\Target Id 0\Logical Unit Id 0'SYSTEM\ControlSet001\Services\Disk\Enum
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	Binary or memory string: VMware SVGA II
Source: URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	Binary or memory string: vmwareNSYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000
Source: RegSvcs.exe, 00000004.00000002.481804862.00000000067D0000.00000002.00000001.sdmp	Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Show sources

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 420000	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: DEF008	Jump to behavior

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process created: C:\Windows\SysWOW64\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ewIkYvfY' /XML 'C:\Users\user\AppData\Local\Temp\tmpD681.tmp'			Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe			Jump to behavior

Source: RegSvcs.exe, 00000004.00000002.481684048.00000000062ED000.00000004.00000001.sdmp	Binary or memory string: Program Manager
Source: RegSvcs.exe, 00000004.00000002.476887590.0000000002EDC000.00000004.00000001.sdmp	Binary or memory string: Program Managerd
Source: RegSvcs.exe, 00000004.00000002.476183384.0000000001790000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: RegSvcs.exe, 00000004.00000002.476183384.0000000001790000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: RegSvcs.exe, 00000004.00000002.476887590.0000000002EDC000.00000004.00000001.sdmp	Binary or memory string: Program Manager0
Source: RegSvcs.exe, 00000004.00000002.476183384.0000000001790000.00000002.00000001.sdmp	Binary or memory string: Progmanlock
Source: RegSvcs.exe, 00000004.00000002.481792108.000000000654E000.00000004.00000010.sdmp	Binary or memory string: lProgram Manager

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Runtime.Remoting\v4.0_4.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.472813842.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476797525.0000000002E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.244541522.00000000042CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.480543359.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.481272072.0000000005330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6036, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.3ebb146.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5334629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ebff7c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5330000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ebff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5330000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ec45a5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.raw.unpack, type: UNPACKEDPE

Remote Access Functionality:

Detected Nanocore Rat

Show sources

Source: RegSvcs.exe, 00000004.00000002.476797525.0000000002E71000.00000004.00000001.sdmp	String found in binary or memory: NanoCore.ClientPluginHost
Source: RegSvcs.exe, 00000004.00000002.476797525.0000000002E71000.00000004.00000001.sdmp	String found in binary or memory: <Module>mscorlibMicrosoft.VisualBasicMyApplicationNanoCore.MyMyComputerMyProjectMyWebServicesThreadSafeObjectProvider`1IClientNetworkNanoCore.ClientPluginIClientDataIClientAppIClientDataHostNanoCore.ClientPluginHostIClientNetworkHostIClientUIHostIClientLoggingHostIClientAppHostIClientNameObjectCollectionNanoCoreIClientReadOnlyNameObjectCollectionClientInvokeDelegateMicrosoft.VisualBasic.ApplicationServicesApplicationBase.ctorMicrosoft.VisualBasic.DevicesComputerSystemObject.cctorget_Computerm_ComputerObjectProviderget_Applicationm_AppObjectProviderUserget_Userm_UserObjectProviderget_WebServicesm_MyWebServicesObjectProviderApplicationWebServicesEqualsoGetHashCodeTypeGetTypeToStringCreate__Instance__TinstanceDispose__Instance__get_GetInstanceMicrosoft.VisualBasic.MyServices.InternalContextValue`1m_ContextGetInstanceReadPacketpipeNameparamsPipeCreatedPipeClosedConnectionStateChangedconnectedConnectionFailedhostportBuildingHostCacheVariableChangednameClientSettingChangedPluginUninstallingClientUninstallingget_Variablesget_ClientSettingsget_BuilderSettingsVariablesClientSettingsBuilderSettingsget_ConnectedClosePipePipeExistsRebuildHostCacheAddHostEntryDisconnectSendToServercompressConnectedInvokemethodstateLogClientMessagemessageExceptionLogClientExceptionexsiteRestartShutdownDisableProtectionRestoreProtectionUninstallEntryExistsSystem.Collections.GenericKeyValuePair`2GetEntriesGetValuedefaultValueSetValuevalueRemoveValueMulticastDelegateTargetObjectTargetMethodIAsyncResultAsyncCallbackBeginInvokeDelegateCallbackDelegateAsyncStateEndInvokeDelegateAsyncResultSystem.ComponentModelEditorBrowsableAttributeEditorBrowsableStateSystem.CodeDom.CompilerGeneratedCodeAttributeSystem.DiagnosticsDebuggerHiddenAttributeMicrosoft.VisualBasic.CompilerServicesStandardModuleAttributeHideModuleNameAttributeSystem.ComponentModel.DesignHelpKeywordAttributeSystem.Runtime.CompilerServicesRuntimeHelpersGetObjectValueRuntimeTypeHandleGetTypeFromHandleActivatorCreateInstanceMyGroupCollectionAttributeget_Valueset_ValueSystem.Runtime.InteropServicesComVisibleAttributeParamArrayAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeSystem.ReflectionAssemblyFileVersionAttributeGuidAttributeAssemblyTrademarkAttributeAssemblyCopyrightAttributeAssemblyProductAttributeAssemblyCompanyAttributeAssemblyDescriptionAttributeAssemblyTitleAttributeClientPluginClientPlugin.dll

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000004.00000002.472813842.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.476797525.0000000002E71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.244541522.00000000042CC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.480543359.0000000003EAC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.481272072.0000000005330000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegSvcs.exe PID: 6036, type: MEMORY
Source: Yara match	File source: 4.2.RegSvcs.exe.3ebb146.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5334629.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ebff7c.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5330000.8.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ebff7c.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.5330000.8.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 4.2.RegSvcs.exe.3ec45a5.4.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.URGENTPURCHASEORDER.pdf.exe.43d05d8.2.raw.unpack, type: UNPACKEDPE

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scheduled Task/Job1	Scheduled Task/Job1	Process Injection212	Masquerading11	Input Capture21	Security Software Discovery111	Remote Services	Input Capture21	Exfiltration Over Other Network Medium	Encrypted Channel1	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Scheduled Task/Job1	Disable or Modify Tools1	LSASS Memory	Process Discovery2	Remote Desktop Protocol	Archive Collected Data11	Exfiltration Over Bluetooth	Non-Standard Port1	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	Virtualization/Sandbox Evasion31	Security Account Manager	Virtualization/Sandbox Evasion31	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	Remote Access Software1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	Process Injection212	NTDS	Application Window Discovery1	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol1	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Deobfuscate/Decode Files or Information1	LSA Secrets	File and Directory Discovery1	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol21	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Obfuscated Files or Information13	Cached Domain Credentials	System Information Discovery12	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Software Packing13	DCSync	Network Sniffing	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Timestomp1	Proc Filesystem	Network Service Scanning	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
URGENTPURCHASEORDER.pdf.exe	26%	Virustotal		Browse
URGENTPURCHASEORDER.pdf.exe	14%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Roaming\ewIkYvfY.exe	14%	ReversingLabs	ByteCode-MSIL.Trojan.Taskun

Unpacked PE Files

Source	Detection	Scanner	Label	Link	Download
4.2.RegSvcs.exe.400000.0.unpack	100%	Avira	TR/Dropper.MSIL.Gen7		Download File
4.2.RegSvcs.exe.5330000.8.unpack	100%	Avira	TR/NanoCore.fadte		Download File

Domains

Source	Detection	Scanner	Label	Link
wealth2021.ddns.net	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://www.fonts.comc	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.fonts.comc	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/bThe	0%	URL Reputation	safe
https://discord.gg/uMe7S9Q	0%	Avira URL Cloud	safe
http://www.tiro.comn	0%	URL Reputation	safe
http://www.tiro.comn	0%	URL Reputation	safe
http://www.tiro.comn	0%	URL Reputation	safe
http://www.tiro.comn	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.com	0%	URL Reputation	safe
http://www.tiro.comlic	0%	URL Reputation	safe
http://www.tiro.comlic	0%	URL Reputation	safe
http://www.tiro.comlic	0%	URL Reputation	safe
http://www.tiro.comlic	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.goodfont.co.kr	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.fontbureau.coma	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.carterandcone.coml	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.sajatypeworks.com	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.typography.netD	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.founder.com.cn/cn/cThe	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://www.galapagosdesign.com/staff/dennis.htm	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://fontfabrik.com	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
http://www.founder.com.cn/cn	0%	URL Reputation	safe
wealth2021.ddns.net	0%	Virustotal		Browse
wealth2021.ddns.net	0%	Avira URL Cloud	safe
http://www.founder.com.cn/cny	0%	Avira URL Cloud	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.jiyu-kobo.co.jp/	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.galapagosdesign.com/DPlease	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.sandoll.co.kr	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.urwpp.deDPlease	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.zhongyicts.com.cn	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
http://www.sakkal.com	0%	URL Reputation	safe
185.140.53.138	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
wealth2021.ddns.net	185.140.53.138	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
wealth2021.ddns.net	true	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
185.140.53.138	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.apache.org/licenses/LICENSE-2.0	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designersG	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false		high
http://www.fontbureau.com/designers/?	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false		high
http://www.fonts.comc	URGENTPURCHASEORDER.pdf.exe, 00000000.00000003.207205164.000000000629B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn/bThe	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://discord.gg/uMe7S9Q	URGENTPURCHASEORDER.pdf.exe	false	Avira URL Cloud: safe	unknown
http://www.fontbureau.com/designers?	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false		high
http://www.tiro.comn	URGENTPURCHASEORDER.pdf.exe, 00000000.00000003.208137460.000000000629B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/owhenky/IViewBasic5https://discord.gg/uMe7S9QU495374727563747572616C436F6D7061726	URGENTPURCHASEORDER.pdf.exe	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name4	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244242727.0000000003378000.00000004.00000001.sdmp	false		high
http://www.tiro.com	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.tiro.comlic	URGENTPURCHASEORDER.pdf.exe, 00000000.00000003.207529567.000000000629B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false		high
http://www.goodfont.co.kr	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.coma	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.243967401.0000000001917000.00000004.00000040.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://stackpath.bootstrapcdn.com/bootstrap/4.5.0/css/bootstrap.min.css	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp	false		high
http://www.carterandcone.coml	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.sajatypeworks.com	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.typography.netD	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/cabarga.htmlN	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cn/cThe	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/staff/dennis.htm	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://fontfabrik.com	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp, URGENTPURCHASEORDER.pdf.exe, 00000000.00000003.207529567.000000000629B000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.founder.com.cn/cn	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers/frere-jones.html	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false		high
http://www.founder.com.cn/cny	URGENTPURCHASEORDER.pdf.exe, 00000000.00000003.209079914.000000000628C000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
http://www.jiyu-kobo.co.jp/	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.galapagosdesign.com/DPlease	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.fontbureau.com/designers8	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false		high
http://www.fonts.com	URGENTPURCHASEORDER.pdf.exe, 00000000.00000003.207232444.000000000629B000.00000004.00000001.sdmp	false		high
http://www.sandoll.co.kr	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.urwpp.deDPlease	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://www.zhongyicts.com.cn	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244242727.0000000003378000.00000004.00000001.sdmp, URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.244148891.00000000032C1000.00000004.00000001.sdmp	false		high
http://www.sakkal.com	URGENTPURCHASEORDER.pdf.exe, 00000000.00000002.251443190.0000000007492000.00000004.00000001.sdmp	false	URL Reputation: safe URL Reputation: safe URL Reputation: safe URL Reputation: safe	unknown
https://github.com/owhenky/IViewBasic	URGENTPURCHASEORDER.pdf.exe	false		high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.140.53.138	wealth2021.ddns.net	Sweden		209623	DAVID_CRAIGGG	true

General Information

Joe Sandbox Version:	31.0.0 Emerald
Analysis ID:	384939
Start date:	10.04.2021
Start time:	13:21:11
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 56s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	URGENTPURCHASEORDER.pdf.exe
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	29
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@6/5@10/1
EGA Information:	Failed
HDC Information:	Successful, ratio: 0% (good quality ratio 0%) Quality average: 45.5% Quality standard deviation: 45.5%
HCA Information:	Successful, ratio: 99% Number of executed functions: 102 Number of non-executed functions: 26
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .exe
Warnings:	Show All Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information. Exclude process from analysis (whitelisted): taskhostw.exe, MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, UsoClient.exe Excluded IPs from analysis (whitelisted): 40.88.32.150, 168.61.161.212, 104.43.139.144, 92.122.144.200, 20.82.209.183, 52.255.188.83, 23.10.249.43, 23.10.249.26, 20.54.26.129, 104.83.87.75, 104.83.127.80, 52.147.198.201 Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, e15275.g.akamaiedge.net, arc.msn.com, cdn.onenote.net.edgekey.net, skypedataprdcoleus15.cloudapp.net, wildcard.weather.microsoft.com.edgekey.net, arc.trafficmanager.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, cdn.onenote.net, fs.microsoft.com, ris-prod.trafficmanager.net, tile-service.weather.microsoft.com, skypedataprdcolcus17.cloudapp.net, e1723.g.akamaiedge.net, skypedataprdcolcus16.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus16.cloudapp.net, skypedataprdcoleus17.cloudapp.net, blobcollector.events.data.trafficmanager.net, e1553.dspg.akamaiedge.net Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
13:22:06	API Interceptor	1x Sleep call for process: URGENTPURCHASEORDER.pdf.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link
185.140.53.138	NEW_ORDER.pdf.exe	Get hash	malicious	Browse
	NEW_ORDER.pdf.exe	Get hash	malicious	Browse
	Quotation_Request.pdf.exe	Get hash	malicious	Browse
	URGENT_ORDER.pdf.exe	Get hash	malicious	Browse
	Purchase_Order.pdf.exe	Get hash	malicious	Browse
	1PH37n4Gva.exe	Get hash	malicious	Browse
	35dbds3GQG.exe	Get hash	malicious	Browse
	QXJGE2LOdP.exe	Get hash	malicious	Browse
	O4m3hDFNbh.exe	Get hash	malicious	Browse
	nrv_remittance#U007eorder#U007epayment.exe	Get hash	malicious	Browse
	NEW ORDER REQUEST_EXPORT005JKL DOC.exe	Get hash	malicious	Browse
	WIRE COPY ORDER T104484_PP.exe	Get hash	malicious	Browse
	71AXBkD1wA.exe	Get hash	malicious	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
wealth2021.ddns.net	NEW_ORDER.pdf.exe	Get hash	malicious	Browse	185.140.53.138
	NEW_ORDER.pdf.exe	Get hash	malicious	Browse	185.140.53.138
	Quotation_Request.pdf.exe	Get hash	malicious	Browse	185.140.53.138
	URGENT_ORDER.pdf.exe	Get hash	malicious	Browse	185.140.53.138
	Purchase_Order.pdf.exe	Get hash	malicious	Browse	185.140.53.138

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
DAVID_CRAIGGG	TRACKING UPDATE.exe	Get hash	malicious	Browse	185.140.53.10
	NEW_ORDER.pdf.exe	Get hash	malicious	Browse	185.140.53.138
	samples ordered 024791.exe	Get hash	malicious	Browse	185.140.53.69
	PO.20210704_quick shipment.exe	Get hash	malicious	Browse	185.140.53.69
	ANS_309487487_#049844874.exe	Get hash	malicious	Browse	185.140.53.9
	tmp2.exe	Get hash	malicious	Browse	185.140.53.71
	tmp.exe	Get hash	malicious	Browse	185.140.53.71
	NEW_ORDER.pdf.exe	Get hash	malicious	Browse	185.140.53.138
	Doc_58YJ54-521DERG701-55YH701.exe	Get hash	malicious	Browse	185.140.53.230
	Quotation_Request.pdf.exe	Get hash	malicious	Browse	185.140.53.138
	FRQ_05694 revised quantity.exe	Get hash	malicious	Browse	185.140.53.69
	INVOICE 15112021.xlsx	Get hash	malicious	Browse	185.140.53.130
	URGENT_ORDER.pdf.exe	Get hash	malicious	Browse	185.140.53.138
	IMG-001982-AW00173-SSE73I.exe	Get hash	malicious	Browse	185.140.53.230
	FYI-Orderimg.exe	Get hash	malicious	Browse	185.140.53.67
	Purchase_Order.pdf.exe	Get hash	malicious	Browse	185.140.53.138
	PO-94765809570-Order pdf.exe	Get hash	malicious	Browse	185.140.53.7
	Commercial E-invoice.exe	Get hash	malicious	Browse	185.140.53.137
	Order23032021.xls	Get hash	malicious	Browse	185.140.53.130
	ZcQwvgqtuQ.exe	Get hash	malicious	Browse	91.193.75.245

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\URGENTPURCHASEORDER.pdf.exe.log Download File
Process:	C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	modified
Size (bytes):	1314
Entropy (8bit):	5.350128552078965
Encrypted:	false
SSDEEP:	24:MLU84jE4K5E4Ks2E1qE4qXKDE4KhK3VZ9pKhPKIE4oKFKHKoZAE4Kzr7FE4sAmEw:MgvjHK5HKXE1qHiYHKhQnoPtHoxHhAHR
MD5:	1DC1A2DCC9EFAA84EABF4F6D6066565B
SHA1:	B7FCF805B6DD8DE815EA9BC089BD99F1E617F4E9
SHA-256:	28D63442C17BF19558655C88A635CB3C3FF1BAD1CCD9784090B9749A7E71FCEF
SHA-512:	95DD7E2AB0884A3EFD9E26033B337D1F97DDF9A8E9E9C4C32187DCD40622D8B1AC8CCDBA12A70A6B9075DF5E7F68DF2F8FBA4AB33DB4576BE9806B8E191802B7
Malicious:	true
Reputation:	high, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\4f0a7eefa3cd3e0ba98b5ebddbbc72e6\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\f1d8480152e0da9a60ad49c6d16a3b6d\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\8d67d92724ba494b6c7fd089d6f25b48\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a

C:\Users\user\AppData\Local\Temp\tmpD681.tmp Download File
Process:	C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1641
Entropy (8bit):	5.189890199243021
Encrypted:	false
SSDEEP:	24:2dH4+SEqC/Q7hxlNMFp1/rlMhEMjnGpwjpIgUYODOLD9RJh7h8gKBcYtn:cbh47TlNQ//rydbz9I3YODOLNdq3R
MD5:	12B6114F2BF336F51EE0112E9965540D
SHA1:	F9AABA57DB158925CA36F78C1A0AED4BE36B53B6
SHA-256:	E665058AB5A063BE4A15325C11BD0BCCEE9DDFF7002194F98F79107E06BEA164
SHA-512:	350017E010C9451F94912CEE68146592E259342C0FCBD121515325DA71C95EE3C35781C70703E3A1BB624E42AC3FB0ECD41701C48DF23FA6E3AE65591C13F05A
Malicious:	true
Reputation:	low
Preview:	<?xml version="1.0" encoding="UTF-16"?>..<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">.. <RegistrationInfo>.. <Date>2014-10-25T14:27:44.8929027</Date>.. <Author>computer\user</Author>.. </RegistrationInfo>.. <Triggers>.. <LogonTrigger>.. <Enabled>true</Enabled>.. <UserId>computer\user</UserId>.. </LogonTrigger>.. <RegistrationTrigger>.. <Enabled>false</Enabled>.. </RegistrationTrigger>.. </Triggers>.. <Principals>.. <Principal id="Author">.. <UserId>computer\user</UserId>.. <LogonType>InteractiveToken</LogonType>.. <RunLevel>LeastPrivilege</RunLevel>.. </Principal>.. </Principals>.. <Settings>.. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>.. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>.. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>.. <AllowHardTerminate>false</AllowHardTerminate>.. <StartWhenAvailable>true

C:\Users\user\AppData\Roaming\D06ED635-68F6-4E9A-955C-4899F5F57B9A\run.dat Download File
Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
File Type:	ISO-8859 text, with no line terminators
Category:	dropped
Size (bytes):	8
Entropy (8bit):	3.0
Encrypted:	false
SSDEEP:	3:4Z9t:UP
MD5:	47BCB235EEA97B8D197D5C4357FC443C
SHA1:	F9720AD5BF18734D11FCEDA8BC5DB233529FB217
SHA-256:	AEDC8DB6758A4EC72C18605F7E428E40E119CCC0E2498FD8384CD7F348B6DF17
SHA-512:	D8CADE74EC2EE405ECA8C47CB67B240BEA2D61EC64C6DAFDBD3A0761CD9BA905649B7DA9F9D52FE33C6B1FE36F04C4A714C79A6CE361DE5A827443CBA5BE2E5A
Malicious:	true
Reputation:	low
Preview:	..!X^..H

C:\Users\user\AppData\Roaming\ewIkYvfY.exe Download File
Process:	C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	567296
Entropy (8bit):	7.795819523197301
Encrypted:	false
SSDEEP:	12288:0vXIPuU4iLCfVBfMog/U3Ku75fKo11D7wEb3vnKC+nx/sAUF:04o4CfVBf3DV1YETK1n6
MD5:	5BEE945F3539CDE8AB9B042587AA2055
SHA1:	5387B06C509BE731CE77ECAB9719B68A8DE1ACF5
SHA-256:	D060635884DDA22139A083DA8E1CAFF1C05F41F3B3CA36D901894C839E22243D
SHA-512:	4F2E4C621BD0B14F4E86CD6E400A46B9A35ADFB2036D6320EE7959B274B45E7D96C4AFEE5168F13DB6BFE62FEF1A3C5CA1163404C6B90A1B8188E40DA5618B89
Malicious:	true
Antivirus:	Antivirus: ReversingLabs, Detection: 14%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../.................P..Z...L......rx... ........@.. ....................................@................................. x..O........H...........................x............................................... ............... ..H............text...xX... ...Z.................. ..`.rsrc....H.......J...\..............@..@.reloc..............................@..B................Tx......H....... ................v..8............................................0............(....(..........(.....o..........................( ......(!......("......(#......($....N..(....o....(%....&..(&.....s'........s(........s)........s........s+............0...........~....o,....+...0...........~....o-....+...0...........~....o.....+...0...........~....o/....+...0...........~....o0....+...0..<........~.....(1.....,!r...p.....(2...o3...s4............~.....+...0......

C:\Users\user\AppData\Roaming\ewIkYvfY.exe:Zone.Identifier Download File
Process:	C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	false
Reputation:	high, very likely benign file
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General
File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.795819523197301
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.80% Win32 Executable (generic) a (10002005/4) 49.75% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Windows Screen Saver (13104/52) 0.07% Generic Win/DOS Executable (2004/3) 0.01%
File name:	URGENTPURCHASEORDER.pdf.exe
File size:	567296
MD5:	5bee945f3539cde8ab9b042587aa2055
SHA1:	5387b06c509be731ce77ecab9719b68a8de1acf5
SHA256:	d060635884dda22139a083da8e1caff1c05f41f3b3ca36d901894c839e22243d
SHA512:	4f2e4c621bd0b14f4e86cd6e400a46b9a35adfb2036d6320ee7959b274b45e7d96c4afee5168f13db6bfe62fef1a3c5ca1163404c6b90a1b8188e40da5618b89
SSDEEP:	12288:0vXIPuU4iLCfVBfMog/U3Ku75fKo11D7wEb3vnKC+nx/sAUF:04o4CfVBf3DV1YETK1n6
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.../.................P..Z...L......rx... ........@.. ....................................@................................

File Icon


Icon Hash:	60d088f59092cc31

Static PE Info

General
Entrypoint:	0x487872
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE
DLL Characteristics:	NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0xEDF3B22F [Tue Jul 3 16:24:15 2096 UTC]
TLS Callbacks:
CLR (.Net) Version:	v4.0.30319
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x87820	0x4f	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x88000	0x48fc	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x8e000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x87804	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x85878	0x85a00	False	0.898795603368	data	7.84426548095	IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
.rsrc	0x88000	0x48fc	0x4a00	False	0.524229307432	data	5.3654546561	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x8e000	0xc	0x200	False	0.044921875	data	0.101910425663	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type
RT_ICON	0x88130	0x4228	dBase III DBT, version number 0, next free block index 40
RT_GROUP_ICON	0x8c358	0x14	data
RT_VERSION	0x8c36c	0x3a4	data
RT_MANIFEST	0x8c710	0x1ea	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

Imports

DLL	Import
mscoree.dll	_CorExeMain

Version Infos

Description	Data
Translation	0x0000 0x04b0
LegalCopyright	Copyright 2019
Assembly Version	1.0.0.0
InternalName	IVectorViewToIBindableVectorViewAdapter.exe
FileVersion	1.0.0.0
CompanyName
LegalTrademarks
Comments
ProductName	Image Viewer
ProductVersion	1.0.0.0
FileDescription	Image Viewer
OriginalFilename	IVectorViewToIBindableVectorViewAdapter.exe

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 10, 2021 13:22:22.287288904 CEST	49719	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:22.308971882 CEST	20221	49719	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:22.820666075 CEST	49719	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:22.843116999 CEST	20221	49719	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:23.343919992 CEST	49719	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:23.365442038 CEST	20221	49719	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:27.464068890 CEST	49720	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:27.485547066 CEST	20221	49720	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:27.993031025 CEST	49720	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:28.014736891 CEST	20221	49720	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:28.524358034 CEST	49720	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:28.545357943 CEST	20221	49720	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:32.557280064 CEST	49728	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:32.578928947 CEST	20221	49728	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:33.087095976 CEST	49728	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:33.108875990 CEST	20221	49728	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:33.622298002 CEST	49728	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:33.645001888 CEST	20221	49728	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:37.795810938 CEST	49732	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:37.817807913 CEST	20221	49732	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:38.509537935 CEST	49732	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:38.530989885 CEST	20221	49732	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:39.197052002 CEST	49732	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:39.218286991 CEST	20221	49732	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:43.254087925 CEST	49733	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:43.275274992 CEST	20221	49733	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:43.806822062 CEST	49733	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:43.828934908 CEST	20221	49733	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:44.509994984 CEST	49733	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:44.531290054 CEST	20221	49733	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:48.558897018 CEST	49734	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:48.579993010 CEST	20221	49734	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:49.197880030 CEST	49734	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:49.220746994 CEST	20221	49734	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:49.807328939 CEST	49734	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:49.828644991 CEST	20221	49734	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:54.730881929 CEST	49736	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:54.752170086 CEST	20221	49736	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:55.307725906 CEST	49736	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:55.328707933 CEST	20221	49736	185.140.53.138	192.168.2.3
Apr 10, 2021 13:22:56.010915995 CEST	49736	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:22:56.032346010 CEST	20221	49736	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:00.044962883 CEST	49738	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:00.065983057 CEST	20221	49738	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:00.573813915 CEST	49738	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:00.594989061 CEST	20221	49738	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:01.105101109 CEST	49738	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:01.126172066 CEST	20221	49738	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:05.139595985 CEST	49739	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:05.160883904 CEST	20221	49739	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:05.668185949 CEST	49739	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:05.689872980 CEST	20221	49739	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:06.199460983 CEST	49739	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:06.220621109 CEST	20221	49739	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:10.290072918 CEST	49741	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:10.311222076 CEST	20221	49741	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:10.824913979 CEST	49741	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:10.845984936 CEST	20221	49741	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:11.356008053 CEST	49741	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:11.376995087 CEST	20221	49741	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:15.455238104 CEST	49749	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:15.477463007 CEST	20221	49749	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:15.981379032 CEST	49749	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:16.002779961 CEST	20221	49749	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:16.512638092 CEST	49749	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:16.533919096 CEST	20221	49749	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:20.637798071 CEST	49755	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:20.659238100 CEST	20221	49755	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:21.169378996 CEST	49755	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:21.190633059 CEST	20221	49755	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:21.700553894 CEST	49755	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:21.721812010 CEST	20221	49755	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:25.736346006 CEST	49756	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:25.759175062 CEST	20221	49756	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:26.263613939 CEST	49756	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:26.284928083 CEST	20221	49756	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:26.794728994 CEST	49756	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:26.815633059 CEST	20221	49756	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:30.844152927 CEST	49757	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:30.865502119 CEST	20221	49757	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:31.373395920 CEST	49757	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:31.395292044 CEST	20221	49757	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:31.904576063 CEST	49757	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:31.927583933 CEST	20221	49757	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:35.938903093 CEST	49758	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:35.961844921 CEST	20221	49758	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:36.467547894 CEST	49758	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:36.488888979 CEST	20221	49758	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:36.998689890 CEST	49758	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:37.019943953 CEST	20221	49758	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:41.084667921 CEST	49759	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:41.105856895 CEST	20221	49759	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:41.608500004 CEST	49759	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:41.630117893 CEST	20221	49759	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:42.139764071 CEST	49759	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:42.160918951 CEST	20221	49759	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:46.200344086 CEST	49760	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:46.221507072 CEST	20221	49760	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:46.733905077 CEST	49760	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:46.754827976 CEST	20221	49760	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:47.265280962 CEST	49760	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:47.287307978 CEST	20221	49760	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:51.346626997 CEST	49763	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:51.368140936 CEST	20221	49763	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:51.875066996 CEST	49763	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:51.896476984 CEST	20221	49763	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:52.406263113 CEST	49763	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:52.427443027 CEST	20221	49763	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:56.440390110 CEST	49764	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:56.461416960 CEST	20221	49764	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:56.969284058 CEST	49764	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:56.990457058 CEST	20221	49764	185.140.53.138	192.168.2.3
Apr 10, 2021 13:23:57.500451088 CEST	49764	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:23:57.521523952 CEST	20221	49764	185.140.53.138	192.168.2.3
Apr 10, 2021 13:24:01.533876896 CEST	49765	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:24:01.554766893 CEST	20221	49765	185.140.53.138	192.168.2.3
Apr 10, 2021 13:24:02.063498020 CEST	49765	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:24:02.084728003 CEST	20221	49765	185.140.53.138	192.168.2.3
Apr 10, 2021 13:24:02.594742060 CEST	49765	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:24:02.615906954 CEST	20221	49765	185.140.53.138	192.168.2.3
Apr 10, 2021 13:24:06.626708031 CEST	49766	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:24:06.648060083 CEST	20221	49766	185.140.53.138	192.168.2.3
Apr 10, 2021 13:24:07.157427073 CEST	49766	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:24:07.178639889 CEST	20221	49766	185.140.53.138	192.168.2.3
Apr 10, 2021 13:24:07.688715935 CEST	49766	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:24:07.710589886 CEST	20221	49766	185.140.53.138	192.168.2.3
Apr 10, 2021 13:24:11.734441996 CEST	49767	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:24:11.755254030 CEST	20221	49767	185.140.53.138	192.168.2.3
Apr 10, 2021 13:24:12.267311096 CEST	49767	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:24:12.288455009 CEST	20221	49767	185.140.53.138	192.168.2.3
Apr 10, 2021 13:24:12.798585892 CEST	49767	20221	192.168.2.3	185.140.53.138
Apr 10, 2021 13:24:12.819904089 CEST	20221	49767	185.140.53.138	192.168.2.3

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 10, 2021 13:21:53.500550032 CEST	55984	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:21:53.513597965 CEST	53	55984	8.8.8.8	192.168.2.3
Apr 10, 2021 13:21:54.275424004 CEST	64185	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:21:54.288847923 CEST	53	64185	8.8.8.8	192.168.2.3
Apr 10, 2021 13:21:54.944519997 CEST	65110	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:21:54.957844019 CEST	53	65110	8.8.8.8	192.168.2.3
Apr 10, 2021 13:21:56.026130915 CEST	58361	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:21:56.039885998 CEST	53	58361	8.8.8.8	192.168.2.3
Apr 10, 2021 13:21:56.771668911 CEST	63492	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:21:56.787292957 CEST	53	63492	8.8.8.8	192.168.2.3
Apr 10, 2021 13:21:57.509826899 CEST	60831	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:21:57.522052050 CEST	53	60831	8.8.8.8	192.168.2.3
Apr 10, 2021 13:21:58.361676931 CEST	60100	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:21:58.375561953 CEST	53	60100	8.8.8.8	192.168.2.3
Apr 10, 2021 13:21:59.223104000 CEST	53195	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:21:59.236020088 CEST	53	53195	8.8.8.8	192.168.2.3
Apr 10, 2021 13:22:00.034452915 CEST	50141	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:22:00.047821045 CEST	53	50141	8.8.8.8	192.168.2.3
Apr 10, 2021 13:22:00.735707045 CEST	53023	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:22:00.748488903 CEST	53	53023	8.8.8.8	192.168.2.3
Apr 10, 2021 13:22:01.573005915 CEST	49563	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:22:01.586170912 CEST	53	49563	8.8.8.8	192.168.2.3
Apr 10, 2021 13:22:30.413235903 CEST	51352	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:22:30.440238953 CEST	53	51352	8.8.8.8	192.168.2.3
Apr 10, 2021 13:22:31.558715105 CEST	59349	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:22:31.571634054 CEST	53	59349	8.8.8.8	192.168.2.3
Apr 10, 2021 13:22:32.466567039 CEST	57084	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:22:32.481575966 CEST	53	57084	8.8.8.8	192.168.2.3
Apr 10, 2021 13:22:34.474006891 CEST	58823	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:22:34.486565113 CEST	53	58823	8.8.8.8	192.168.2.3
Apr 10, 2021 13:22:36.277395964 CEST	57568	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:22:36.290640116 CEST	53	57568	8.8.8.8	192.168.2.3
Apr 10, 2021 13:22:37.038639069 CEST	50540	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:22:37.050949097 CEST	53	50540	8.8.8.8	192.168.2.3
Apr 10, 2021 13:22:37.773684025 CEST	54366	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:22:37.793812037 CEST	53	54366	8.8.8.8	192.168.2.3
Apr 10, 2021 13:22:43.232366085 CEST	53034	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:22:43.252691984 CEST	53	53034	8.8.8.8	192.168.2.3
Apr 10, 2021 13:22:48.545027971 CEST	57762	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:22:48.557930946 CEST	53	57762	8.8.8.8	192.168.2.3
Apr 10, 2021 13:22:48.800945044 CEST	55435	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:22:48.820245028 CEST	53	55435	8.8.8.8	192.168.2.3
Apr 10, 2021 13:22:59.667120934 CEST	50713	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:22:59.693808079 CEST	53	50713	8.8.8.8	192.168.2.3
Apr 10, 2021 13:23:08.325223923 CEST	56132	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:23:08.337743044 CEST	53	56132	8.8.8.8	192.168.2.3
Apr 10, 2021 13:23:10.266738892 CEST	58987	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:23:10.286132097 CEST	53	58987	8.8.8.8	192.168.2.3
Apr 10, 2021 13:23:10.366518974 CEST	56579	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:23:10.376585007 CEST	60633	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:23:10.384871006 CEST	53	56579	8.8.8.8	192.168.2.3
Apr 10, 2021 13:23:10.395803928 CEST	53	60633	8.8.8.8	192.168.2.3
Apr 10, 2021 13:23:10.719083071 CEST	61292	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:23:10.731772900 CEST	53	61292	8.8.8.8	192.168.2.3
Apr 10, 2021 13:23:11.349730968 CEST	63619	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:23:11.362250090 CEST	53	63619	8.8.8.8	192.168.2.3
Apr 10, 2021 13:23:12.461837053 CEST	64938	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:23:12.474558115 CEST	53	64938	8.8.8.8	192.168.2.3
Apr 10, 2021 13:23:15.402087927 CEST	61946	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:23:15.415385962 CEST	53	61946	8.8.8.8	192.168.2.3
Apr 10, 2021 13:23:16.398881912 CEST	64910	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:23:16.417119026 CEST	53	64910	8.8.8.8	192.168.2.3
Apr 10, 2021 13:23:20.551948071 CEST	52123	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:23:20.564553022 CEST	53	52123	8.8.8.8	192.168.2.3
Apr 10, 2021 13:23:41.069704056 CEST	56130	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:23:41.082732916 CEST	53	56130	8.8.8.8	192.168.2.3
Apr 10, 2021 13:23:46.179269075 CEST	56338	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:23:46.198777914 CEST	53	56338	8.8.8.8	192.168.2.3
Apr 10, 2021 13:23:48.412775040 CEST	59420	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:23:48.424988985 CEST	53	59420	8.8.8.8	192.168.2.3
Apr 10, 2021 13:23:50.471694946 CEST	58784	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:23:50.504117012 CEST	53	58784	8.8.8.8	192.168.2.3
Apr 10, 2021 13:23:51.332163095 CEST	63978	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:23:51.345220089 CEST	53	63978	8.8.8.8	192.168.2.3
Apr 10, 2021 13:24:11.721404076 CEST	62938	53	192.168.2.3	8.8.8.8
Apr 10, 2021 13:24:11.733901978 CEST	53	62938	8.8.8.8	192.168.2.3

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 10, 2021 13:22:37.773684025 CEST	192.168.2.3	8.8.8.8	0xcc44	Standard query (0)	wealth2021.ddns.net	A (IP address)	IN (0x0001)
Apr 10, 2021 13:22:43.232366085 CEST	192.168.2.3	8.8.8.8	0x9f91	Standard query (0)	wealth2021.ddns.net	A (IP address)	IN (0x0001)
Apr 10, 2021 13:22:48.545027971 CEST	192.168.2.3	8.8.8.8	0x686c	Standard query (0)	wealth2021.ddns.net	A (IP address)	IN (0x0001)
Apr 10, 2021 13:23:10.266738892 CEST	192.168.2.3	8.8.8.8	0xd838	Standard query (0)	wealth2021.ddns.net	A (IP address)	IN (0x0001)
Apr 10, 2021 13:23:15.402087927 CEST	192.168.2.3	8.8.8.8	0xee14	Standard query (0)	wealth2021.ddns.net	A (IP address)	IN (0x0001)
Apr 10, 2021 13:23:20.551948071 CEST	192.168.2.3	8.8.8.8	0x1cc4	Standard query (0)	wealth2021.ddns.net	A (IP address)	IN (0x0001)
Apr 10, 2021 13:23:41.069704056 CEST	192.168.2.3	8.8.8.8	0xc65a	Standard query (0)	wealth2021.ddns.net	A (IP address)	IN (0x0001)
Apr 10, 2021 13:23:46.179269075 CEST	192.168.2.3	8.8.8.8	0xd121	Standard query (0)	wealth2021.ddns.net	A (IP address)	IN (0x0001)
Apr 10, 2021 13:23:51.332163095 CEST	192.168.2.3	8.8.8.8	0xa7be	Standard query (0)	wealth2021.ddns.net	A (IP address)	IN (0x0001)
Apr 10, 2021 13:24:11.721404076 CEST	192.168.2.3	8.8.8.8	0xac05	Standard query (0)	wealth2021.ddns.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Apr 10, 2021 13:22:37.793812037 CEST	8.8.8.8	192.168.2.3	0xcc44	No error (0)	wealth2021.ddns.net	185.140.53.138	A (IP address)	IN (0x0001)
Apr 10, 2021 13:22:43.252691984 CEST	8.8.8.8	192.168.2.3	0x9f91	No error (0)	wealth2021.ddns.net	185.140.53.138	A (IP address)	IN (0x0001)
Apr 10, 2021 13:22:48.557930946 CEST	8.8.8.8	192.168.2.3	0x686c	No error (0)	wealth2021.ddns.net	185.140.53.138	A (IP address)	IN (0x0001)
Apr 10, 2021 13:23:10.286132097 CEST	8.8.8.8	192.168.2.3	0xd838	No error (0)	wealth2021.ddns.net	185.140.53.138	A (IP address)	IN (0x0001)
Apr 10, 2021 13:23:15.415385962 CEST	8.8.8.8	192.168.2.3	0xee14	No error (0)	wealth2021.ddns.net	185.140.53.138	A (IP address)	IN (0x0001)
Apr 10, 2021 13:23:20.564553022 CEST	8.8.8.8	192.168.2.3	0x1cc4	No error (0)	wealth2021.ddns.net	185.140.53.138	A (IP address)	IN (0x0001)
Apr 10, 2021 13:23:41.082732916 CEST	8.8.8.8	192.168.2.3	0xc65a	No error (0)	wealth2021.ddns.net	185.140.53.138	A (IP address)	IN (0x0001)
Apr 10, 2021 13:23:46.198777914 CEST	8.8.8.8	192.168.2.3	0xd121	No error (0)	wealth2021.ddns.net	185.140.53.138	A (IP address)	IN (0x0001)
Apr 10, 2021 13:23:51.345220089 CEST	8.8.8.8	192.168.2.3	0xa7be	No error (0)	wealth2021.ddns.net	185.140.53.138	A (IP address)	IN (0x0001)
Apr 10, 2021 13:24:11.733901978 CEST	8.8.8.8	192.168.2.3	0xac05	No error (0)	wealth2021.ddns.net	185.140.53.138	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: URGENTPURCHASEORDER.pdf.exe PID: 5596 Parent PID: 5716

General

Start time:	13:22:01
Start date:	10/04/2021
Path:	C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\Desktop\URGENTPURCHASEORDER.pdf.exe'
Imagebase:	0xeb0000
File size:	567296 bytes
MD5 hash:	5BEE945F3539CDE8AB9B042587AA2055
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_AntiVM_3, Description: Yara detected AntiVM_3, Source: 00000000.00000002.244200976.000000000332D000.00000004.00000001.sdmp, Author: Joe Security Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000000.00000002.244541522.00000000042CC000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000000.00000002.244541522.00000000042CC000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000000.00000002.244541522.00000000042CC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net>
Reputation:	low

Chronological Activities

Analysis Process: schtasks.exe PID: 2792 Parent PID: 5596

General

Start time:	13:22:16
Start date:	10/04/2021
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\schtasks.exe' /Create /TN 'Updates\ewIkYvfY' /XML 'C:\Users\user\AppData\Local\Temp\tmpD681.tmp'
Imagebase:	0x3e0000
File size:	185856 bytes
MD5 hash:	15FF7D8324231381BAD48A052F85DF04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: conhost.exe PID: 1724 Parent PID: 2792

General

Start time:	13:22:18
Start date:	10/04/2021
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6b2800000
File size:	625664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: RegSvcs.exe PID: 6036 Parent PID: 5596

General

Start time:	13:22:18
Start date:	10/04/2021
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Imagebase:	0xa00000
File size:	45152 bytes
MD5 hash:	2867A3817C9245F7CF518524DFD18F28
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.481258599.0000000005320000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.481258599.0000000005320000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.472813842.0000000000402000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.472813842.0000000000402000.00000040.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.472813842.0000000000402000.00000040.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.476797525.0000000002E71000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.480543359.0000000003EAC000.00000004.00000001.sdmp, Author: Joe Security Rule: NanoCore, Description: unknown, Source: 00000004.00000002.480543359.0000000003EAC000.00000004.00000001.sdmp, Author: Kevin Breen <kevin@techanarchy.net> Rule: Nanocore_RAT_Gen_2, Description: Detetcs the Nanocore RAT, Source: 00000004.00000002.481272072.0000000005330000.00000004.00000001.sdmp, Author: Florian Roth Rule: Nanocore_RAT_Feb18_1, Description: Detects Nanocore RAT, Source: 00000004.00000002.481272072.0000000005330000.00000004.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_Nanocore, Description: Yara detected Nanocore RAT, Source: 00000004.00000002.481272072.0000000005330000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Analysis Process: URGENTPURCHASEORDER.pdf.exe PID: 5596 Parent PID: 5716 URGENTPURCHASEORDER.pdf.exeCOMMON

Executed Functions

Function 03226F58, Relevance: 3.9, Strings: 3, Instructions: 185COMMON

Download Yara Rule

Strings

I6-, xrefs: 03227155
I6-, xrefs: 03226FEC
I6-, xrefs: 032282A3

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID: I6-$I6-$I6-
API String ID: 0-2670991597
Opcode ID: 9baa914492328ace2527078446ee59460e13c7394b9ad4a5afd940c8e739fd2b
Instruction ID: e0180ffdd0a77f5940338219ad4f36a796e1dbf2ef5be6c3d10ad3d7e5f4969a
Opcode Fuzzy Hash: 9baa914492328ace2527078446ee59460e13c7394b9ad4a5afd940c8e739fd2b
Instruction Fuzzy Hash: 87714871E14629DBDB24CF6ACC44B99BBB6BF88300F14C5AAD50DA6214EB709A818F54

Uniqueness

Uniqueness Score: -1.00%

Function 03226F48, Relevance: 3.9, Strings: 3, Instructions: 181COMMON

Download Yara Rule

Strings

I6-, xrefs: 03227155
I6-, xrefs: 03226FEC
I6-, xrefs: 032282A3

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID: I6-$I6-$I6-
API String ID: 0-2670991597
Opcode ID: 034c6043a7c4e9a12bdf8a8bec4f8af2cfbd13478e1e6d8f8c4892b212b59812
Instruction ID: 549bbe7e798d144988f4b841fa1474686f3c924fc7c1733190490357772693ef
Opcode Fuzzy Hash: 034c6043a7c4e9a12bdf8a8bec4f8af2cfbd13478e1e6d8f8c4892b212b59812
Instruction Fuzzy Hash: 0D716A71E14669CBDB24CF66CC40BDDBBB6BF89300F14C5EAC509A7214EB705A818F10

Uniqueness

Uniqueness Score: -1.00%

Function 03227183, Relevance: 3.9, Strings: 3, Instructions: 150COMMON

Download Yara Rule

Strings

I6-, xrefs: 03227155
I6-, xrefs: 03226FEC
I6-, xrefs: 032282A3

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID: I6-$I6-$I6-
API String ID: 0-2670991597
Opcode ID: 9715b3fc1fe99deb15999fb35704180957fd86f78f7eac86e0617789d8ce8c19
Instruction ID: 12000698dc3cea789a003f245790a773f6e728a983c4981fbfe1572eef0f5170
Opcode Fuzzy Hash: 9715b3fc1fe99deb15999fb35704180957fd86f78f7eac86e0617789d8ce8c19
Instruction Fuzzy Hash: 77615A75E1466ADBDB24CF65CC84BDDBBB6BB88300F1086E6D509A7204E7709EC18F54

Uniqueness

Uniqueness Score: -1.00%

Function 032271EA, Relevance: 3.9, Strings: 3, Instructions: 142COMMON

Download Yara Rule

Strings

I6-, xrefs: 03227155
I6-, xrefs: 03226FEC
I6-, xrefs: 032282A3

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID: I6-$I6-$I6-
API String ID: 0-2670991597
Opcode ID: de85fd006101d72352adbb99eae4f6826175e532767e4aa6d4db62208b478964
Instruction ID: 0fea828ed8a776942882a7c2a22e138248054cf1aa90895e4444a854f0178302
Opcode Fuzzy Hash: de85fd006101d72352adbb99eae4f6826175e532767e4aa6d4db62208b478964
Instruction Fuzzy Hash: 4A515A75E1462ADBDB24CF65CC80BDDBBB6BB88300F1486E6D109A7244E770AAC18F54

Uniqueness

Uniqueness Score: -1.00%

Function 032271DB, Relevance: 3.9, Strings: 3, Instructions: 136COMMON

Download Yara Rule

Strings

I6-, xrefs: 03227155
I6-, xrefs: 03226FEC
I6-, xrefs: 032282A3

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID: I6-$I6-$I6-
API String ID: 0-2670991597
Opcode ID: 41814d3c69861ffcf02e483977c37ef621bfd51837f1ec5b5856f665d93f17d1
Instruction ID: 34ea1c86b63837175cd5f32e587442a957353cb2d9d4006aa65575f7553be7d1
Opcode Fuzzy Hash: 41814d3c69861ffcf02e483977c37ef621bfd51837f1ec5b5856f665d93f17d1
Instruction Fuzzy Hash: 19516B75E1462ADBDB24CF55CC80BDDBBB6FB88300F1486EAD109A7204E770AAC18F54

Uniqueness

Uniqueness Score: -1.00%

Function 07876AE0, Relevance: 2.7, Strings: 2, Instructions: 201COMMON

Download Yara Rule

Strings

jT1, xrefs: 07876BE8
jT1, xrefs: 07876BEF

Memory Dump Source

Source File: 00000000.00000002.252232999.0000000007870000.00000040.00000001.sdmp, Offset: 07870000, based on PE: false

Similarity

API ID:
String ID: jT1$jT1
API String ID: 0-3754042633
Opcode ID: d7e44f641dd1d83a0daf5325e80791668e6b89a90e78e5f903edf38552e51620
Instruction ID: 2e360860e1fd069a35b7e0fcd44cc7d0cbf8e2dcec54906048dd28d63d6b3217
Opcode Fuzzy Hash: d7e44f641dd1d83a0daf5325e80791668e6b89a90e78e5f903edf38552e51620
Instruction Fuzzy Hash: A781D5B4E156098FDB08CFEAC9846DEBBB2FF89300F10842AD516AB254D7359942CF64

Uniqueness

Uniqueness Score: -1.00%

Function 07875ACC, Relevance: 1.6, APIs: 1, Instructions: 58nativeCOMMON

Download Yara Rule

APIs

NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 0787FFA7

Memory Dump Source

Source File: 00000000.00000002.252232999.0000000007870000.00000040.00000001.sdmp, Offset: 07870000, based on PE: false

Similarity

API ID: InformationProcessQuery
String ID:
API String ID: 1778838933-0
Opcode ID: a5d948ed857d8f534305ff48e326919c8ca8fca4f0128195236957797b189c6b
Instruction ID: 2b90490df6a9684cd5c2322fb8d8443108592724227916d63b76c85cab345b86
Opcode Fuzzy Hash: a5d948ed857d8f534305ff48e326919c8ca8fca4f0128195236957797b189c6b
Instruction Fuzzy Hash: 4621EFB5901259DFCB10CF9AD884ADEBBF4FB49324F10842AE919A7200D775A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0787E5A0, Relevance: 1.4, Strings: 1, Instructions: 171COMMON

Download Yara Rule

Strings

N+], xrefs: 0787E72E

Memory Dump Source

Source File: 00000000.00000002.252232999.0000000007870000.00000040.00000001.sdmp, Offset: 07870000, based on PE: false

Similarity

API ID:
String ID: N+]
API String ID: 0-3307829534
Opcode ID: 41a4203829cf827c069d70c7ae65aa5a0b264c4369ce0176cde9b5a584cab30a
Instruction ID: 53586fd37f51e6110468659ca332d26c2dee86925e50643f793d51905928d5a3
Opcode Fuzzy Hash: 41a4203829cf827c069d70c7ae65aa5a0b264c4369ce0176cde9b5a584cab30a
Instruction Fuzzy Hash: 288114B4D1120CEFCB04CFE9D5886ADBBB2FB49305F24856AE416AB354EB349942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 03225340, Relevance: 1.4, Strings: 1, Instructions: 141COMMON

Download Yara Rule

Strings

*], xrefs: 03225480

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID: *]
API String ID: 0-3438839350
Opcode ID: 5b177375faff71cf32e2dbb46a94bb1ada9858a54f0221f6db22ed21487f9cda
Instruction ID: 49462f6cacab52d86590fa943e71c99089dbd7d3de6cdebc2954c46b8cce66a7
Opcode Fuzzy Hash: 5b177375faff71cf32e2dbb46a94bb1ada9858a54f0221f6db22ed21487f9cda
Instruction Fuzzy Hash: 4F515E31E25219DFCB08CFA9D9445DDFBF2FB8E211F24E426D405B7258DB7898418B24

Uniqueness

Uniqueness Score: -1.00%

Function 03225330, Relevance: 1.4, Strings: 1, Instructions: 139COMMON

Download Yara Rule

Strings

*], xrefs: 03225480

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID: *]
API String ID: 0-3438839350
Opcode ID: f1969b5e8184500042f1a695c40e1c12d435c079bfbe5c6cf7be62b3c0065aa7
Instruction ID: beda53b6b3dfdb500c0e45b7f1b230225c5207791e24ff7fb7d01cca899aeb13
Opcode Fuzzy Hash: f1969b5e8184500042f1a695c40e1c12d435c079bfbe5c6cf7be62b3c0065aa7
Instruction Fuzzy Hash: 23515A71E252199FCB08CFA9D9445DDFBB2FF8E211F24E426D405F7258DB7898418B28

Uniqueness

Uniqueness Score: -1.00%

Function 078704E0, Relevance: .9, Instructions: 877COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252232999.0000000007870000.00000040.00000001.sdmp, Offset: 07870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3456ca9cc4ad75d46f1c2462410d3c567732206a373b95b06d778fb01bfa1e1e
Instruction ID: ffa5b034f8d2d07d7a38da38a99497a0dac7ad3a1474cbbe44e13441edbcc470
Opcode Fuzzy Hash: 3456ca9cc4ad75d46f1c2462410d3c567732206a373b95b06d778fb01bfa1e1e
Instruction Fuzzy Hash: 13828FB5A0020ADFCB15CF68C484AAEBBF6FF99314F158569E406EB3A1D730E941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 0322A7A8, Relevance: .4, Instructions: 350COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 300291fd17b3e7c3a44cd91cd6c65edda8dd77ee0922e59e18991201cc07267c
Instruction ID: 9d418cfe8a8cb74ca2dc178e1ec530fb3c5588bf7b806ae8d0d698ac0ffd9f46
Opcode Fuzzy Hash: 300291fd17b3e7c3a44cd91cd6c65edda8dd77ee0922e59e18991201cc07267c
Instruction Fuzzy Hash: EBD1DC30B102169FDB19EB7AC850BAEBBF6AF88704F14846DD145CB690DF35D941CB51

Uniqueness

Uniqueness Score: -1.00%

Function 03225A48, Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebaf61e90edcce162448f17236bf76ac1c48af8b0bde3df7a26caf755aeeca06
Instruction ID: 25f2ca6b642678ada8ea38fef47cc4d37dbfa780ee55f68ac9cc9ad488a4ceb2
Opcode Fuzzy Hash: ebaf61e90edcce162448f17236bf76ac1c48af8b0bde3df7a26caf755aeeca06
Instruction Fuzzy Hash: 5BD13C74E252199FDB14CFA4E9857DDFBB2FF89300F209026E405BB358DB74A9418B24

Uniqueness

Uniqueness Score: -1.00%

Function 03225A58, Relevance: .3, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f610c6ea8871d6703edf434f49a35f389bdc37fd55863ab90b545882bbcf2e66
Instruction ID: 459f501cde806b38d8ae439dc5f137a114e4cad959548767907c94bc87681970
Opcode Fuzzy Hash: f610c6ea8871d6703edf434f49a35f389bdc37fd55863ab90b545882bbcf2e66
Instruction Fuzzy Hash: 33D12D34E25219AFDB14CFA4E985BDDFBB2FB89310F209126E405BB354DB74A9418B24

Uniqueness

Uniqueness Score: -1.00%

Function 07874098, Relevance: .2, Instructions: 241COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252232999.0000000007870000.00000040.00000001.sdmp, Offset: 07870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63e3aa8b9826d3788422cb939c30e507d82cca64e1da79bc993f435d68d6ec78
Instruction ID: 2b73f86f7ecbcf7eddda66aa8edaa34fb5c349acf9e1bba81f6d8796d1a76614
Opcode Fuzzy Hash: 63e3aa8b9826d3788422cb939c30e507d82cca64e1da79bc993f435d68d6ec78
Instruction Fuzzy Hash: 8FA118B4E002998BCB04DFE9C88469EBBF6BF59358F24C525D819EB245EB30D941CF51

Uniqueness

Uniqueness Score: -1.00%

Function 03220006, Relevance: .2, Instructions: 236COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 288c25e47ac6278840c674ce2db48d62989a21bd39e6c32b077608b50ecd8afd
Instruction ID: ffbcde76c90e6b09bb99dea2372906a309840ccccbacff64975dad2707dd1b10
Opcode Fuzzy Hash: 288c25e47ac6278840c674ce2db48d62989a21bd39e6c32b077608b50ecd8afd
Instruction Fuzzy Hash: AAB16470D21228DFDB14CFA4D9986DDBFB2FB49300F1484AAD40AAB354CB785981CF65

Uniqueness

Uniqueness Score: -1.00%

Function 018FB264, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243926566.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0baafdc092b71113e7161428203f40745c1674be447e715e8e37048a1d71a8c7
Instruction ID: b6963fa92e826e898f6e4c5c1caeed676a6d08fd714949dc063bcfc3e068b08e
Opcode Fuzzy Hash: 0baafdc092b71113e7161428203f40745c1674be447e715e8e37048a1d71a8c7
Instruction Fuzzy Hash: D091B235E003198FCB04DFE4D8549DDBBBAFF99304F258619E515AB3A4EB30A945CB90

Uniqueness

Uniqueness Score: -1.00%

Function 03220040, Relevance: .2, Instructions: 233COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7c5ae36b179f1200fc7e40d020d1fcf069d5eff5b3a39204cac5ee5775809c71
Instruction ID: 157710528218529733ae0b3908899565c58c39965fa34f64227ff450b4739586
Opcode Fuzzy Hash: 7c5ae36b179f1200fc7e40d020d1fcf069d5eff5b3a39204cac5ee5775809c71
Instruction Fuzzy Hash: 27B14670D21228DFDB14CFA9D9946DDBFB2FB49300F20846AE40AAB354DB745981CF65

Uniqueness

Uniqueness Score: -1.00%

Function 032288CC, Relevance: .2, Instructions: 231COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e0ffff884f6be9117a9ea6845a789fde01ede7b13574858f267bfebb2c3000da
Instruction ID: 5f48750410a55eef6a165a95fd39b5afc30a26a55f475fb5585b876a617a09ba
Opcode Fuzzy Hash: e0ffff884f6be9117a9ea6845a789fde01ede7b13574858f267bfebb2c3000da
Instruction Fuzzy Hash: B8915AB4D29219EFDB04CFA9D9805ADFFB2FB89310F14A01AD405AB214D7749882CF15

Uniqueness

Uniqueness Score: -1.00%

Function 018FDF50, Relevance: .2, Instructions: 221COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243926566.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 102a264746fd9f6df7e9c0a302857e7899b9b93d11de8623c927c9d8a7cf724e
Instruction ID: 1628e2efceeba0e4b80384c90bd6ac41540e4e79de27741fc9ec631c213c1f82
Opcode Fuzzy Hash: 102a264746fd9f6df7e9c0a302857e7899b9b93d11de8623c927c9d8a7cf724e
Instruction Fuzzy Hash: 6991B135E003098FCB05DBF4D8548DDBBB6FF8A300F258219E615AB2A5EB30A945DB51

Uniqueness

Uniqueness Score: -1.00%

Function 07873CB0, Relevance: .2, Instructions: 220COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252232999.0000000007870000.00000040.00000001.sdmp, Offset: 07870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c248036e48163b49b004176767112c611a89f0be7fb476bc3c8de399fde0d110
Instruction ID: 71d50d468310c26d16f1e316abf7e3bc66b17248c42443db0f8ab0107dff66aa
Opcode Fuzzy Hash: c248036e48163b49b004176767112c611a89f0be7fb476bc3c8de399fde0d110
Instruction Fuzzy Hash: 269114B1D002598BDF08DFA9C844BDEBBB2BF99308F14C469D50AEB644EB309945DF52

Uniqueness

Uniqueness Score: -1.00%

Function 018FB258, Relevance: .2, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243926566.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea76a97ece34e4087987de27f9018c74bfd1b6bd08b59c0b345525dfd64e169f
Instruction ID: e040241a07ddcd9bfd36a55e3587791e7c5d376cdb57a717c8fa919b22b43e1a
Opcode Fuzzy Hash: ea76a97ece34e4087987de27f9018c74bfd1b6bd08b59c0b345525dfd64e169f
Instruction Fuzzy Hash: D181B335E007199FCB04DFE4D8548DDBBBAFF89304F258619E515AB3A4EB30A984CB90

Uniqueness

Uniqueness Score: -1.00%

Function 07877488, Relevance: .2, Instructions: 194COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252232999.0000000007870000.00000040.00000001.sdmp, Offset: 07870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4277925d3b2911d5fce7f8d9d386c1f3cacadbbacf29d4f14f7c597b616a5ad3
Instruction ID: 225c6c696e818a0b590587faf21234116cf76549ebd7562ed883e5ce67203f6a
Opcode Fuzzy Hash: 4277925d3b2911d5fce7f8d9d386c1f3cacadbbacf29d4f14f7c597b616a5ad3
Instruction Fuzzy Hash: AC8149B4E1420A8FCB44CFA9C4959AEFBB2FB99304F14C46AD426E7354D7349A42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 07874088, Relevance: .2, Instructions: 176COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252232999.0000000007870000.00000040.00000001.sdmp, Offset: 07870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eca0c288cf1fb7f038f7d827faef5f297ef21691bb5b9fcee2fc27b2b8055efb
Instruction ID: 83bcba9d3a117af9366974bd7a37124c559307d4c1e2ff4677cb4de09af2ffee
Opcode Fuzzy Hash: eca0c288cf1fb7f038f7d827faef5f297ef21691bb5b9fcee2fc27b2b8055efb
Instruction Fuzzy Hash: 176116B4E002898BDB04DFE9C84569EBBF6AF99348F24C125D819EB355EB70C841CF51

Uniqueness

Uniqueness Score: -1.00%

Function 03226070, Relevance: .2, Instructions: 174COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 397bb2b427a42bb8c42a350e4688c3f58c613337fbfcd0b996ef94c6ce77e235
Instruction ID: 1b51d18ab76187037645bc1550fda23d75f108a81230cc6eeb5087deb35161d2
Opcode Fuzzy Hash: 397bb2b427a42bb8c42a350e4688c3f58c613337fbfcd0b996ef94c6ce77e235
Instruction Fuzzy Hash: 9671E674E10219EFCB04DFE9D8545AEBBB2FF89300F10852AD816AB758DB746942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 03226062, Relevance: .2, Instructions: 173COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1d14dff378f0bfa39756a639df3b8ecca6fa8221ce18a71fef4f55eb5efcf341
Instruction ID: d6ac3ae4259ae75749e1027d7f06c02941d99ae679e64c0d6de6e0e8b1fa9f90
Opcode Fuzzy Hash: 1d14dff378f0bfa39756a639df3b8ecca6fa8221ce18a71fef4f55eb5efcf341
Instruction Fuzzy Hash: 997106B4E10219DFCB04DFE9D9445AEBBB2FF88301F10852AD816AB358DB74A942CF51

Uniqueness

Uniqueness Score: -1.00%

Function 07877270, Relevance: .2, Instructions: 150COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252232999.0000000007870000.00000040.00000001.sdmp, Offset: 07870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b13ce0f7b0a397e75946243eb1a9aee6cd2c5e3a8bace633d69b5d0294c98a77
Instruction ID: b27094bd066ab6b110ba39e2a59a6e995b61267d8d4bba73c53420af1666ba68
Opcode Fuzzy Hash: b13ce0f7b0a397e75946243eb1a9aee6cd2c5e3a8bace633d69b5d0294c98a77
Instruction Fuzzy Hash: 7D5150B0E142098FCB08CFAAC5545AEFBF2EF99314F14D06AD41AE7254E7748A42CF94

Uniqueness

Uniqueness Score: -1.00%

Function 07877280, Relevance: .1, Instructions: 143COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252232999.0000000007870000.00000040.00000001.sdmp, Offset: 07870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bcc163092ef2690c8922aa5f912636551b5c766714ed4c394ff849f81a7d87ac
Instruction ID: 71ea6d8cff9b330b9dda6a40578da9582426bec00d78419a14276f972207e825
Opcode Fuzzy Hash: bcc163092ef2690c8922aa5f912636551b5c766714ed4c394ff849f81a7d87ac
Instruction Fuzzy Hash: 3D512CB0E142098FCB48CFAAC5545AEFBF2FB99304F14D46AD41AE7254E7748A41CF94

Uniqueness

Uniqueness Score: -1.00%

Function 03223508, Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 8eeaefc672595609b3e91514cf3fbf8a6446e52cff18f92327fd34dadae58670
Instruction ID: 46a75beab3551ae68d2989aca781beaec07b8cfacacea8ff5c7cc5e123c9f5dc
Opcode Fuzzy Hash: 8eeaefc672595609b3e91514cf3fbf8a6446e52cff18f92327fd34dadae58670
Instruction Fuzzy Hash: 1F518AB5E15259AFCB05CFA8D8846DEBFF1EF4A310F0480A6D505AB310DB349A92CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03228A08, Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 047b8b1e91a60b602883a9afc33c2b9b9baa219142e23aad0bb643606a18d528
Instruction ID: 2856473112f54fd26c49273d91832da8ce794a548c3965622b238a06bab7227e
Opcode Fuzzy Hash: 047b8b1e91a60b602883a9afc33c2b9b9baa219142e23aad0bb643606a18d528
Instruction Fuzzy Hash: 47413C74D25219EFDB14CFA5D98059DFFB2FB89210F20A52AD405BB214D774D982CF14

Uniqueness

Uniqueness Score: -1.00%

Function 07875ED8, Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252232999.0000000007870000.00000040.00000001.sdmp, Offset: 07870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6fa852bb14a7dae26e5768aeb210639e02b0c5e32dcd1629c97918b5bfdc9d
Instruction ID: 2452d32abb1e6c723b07841326b7a98184bbf0463a1e0681fe43edb40d488576
Opcode Fuzzy Hash: bc6fa852bb14a7dae26e5768aeb210639e02b0c5e32dcd1629c97918b5bfdc9d
Instruction Fuzzy Hash: 4E31ECB1E006188BEB58CF6BDC54B9EBBF7AFC8204F04C1AAD509A7254EB305945CF51

Uniqueness

Uniqueness Score: -1.00%

Function 0322A278, Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 31e1958eeff7f826d27b2647818ddc571834dcd23b70cf20dd07ea19ef3df382
Instruction ID: 8f19e00f6d92e28306e04b389eef89a86cdca1281b0787e7a467fee969b34973
Opcode Fuzzy Hash: 31e1958eeff7f826d27b2647818ddc571834dcd23b70cf20dd07ea19ef3df382
Instruction Fuzzy Hash: 01215C70C25268EFDB14CFA5D848BEDBFF5BB0A300F14515AE806B3691CBB84984CB55

Uniqueness

Uniqueness Score: -1.00%

Function 0322A269, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0f6ad41f07812acf9f5292a148895dbd27a57eddbc07d0c9e0251915efd03e3
Instruction ID: 4aba1fa7d25fec6c15be7ca70e2008fac78f8dd9b4f61f937dc226f2349ed312
Opcode Fuzzy Hash: d0f6ad41f07812acf9f5292a148895dbd27a57eddbc07d0c9e0251915efd03e3
Instruction Fuzzy Hash: 4F217F70C29278EFDB10CFA4D848BEDBFB4BB0A301F54515AE806B7691CBB84884CB55

Uniqueness

Uniqueness Score: -1.00%

Function 07877CA0, Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252232999.0000000007870000.00000040.00000001.sdmp, Offset: 07870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f09f8d3dac70a540c0d05eaaba6558c7ce1002dbe2cc81fe3b1e1273a51f8666
Instruction ID: 4d6899a8d94dcb32bdb6c40c30ea00f1e29dae204d201e768a8abcae10f7eb05
Opcode Fuzzy Hash: f09f8d3dac70a540c0d05eaaba6558c7ce1002dbe2cc81fe3b1e1273a51f8666
Instruction Fuzzy Hash: 2121E4B1E006188BDB18CFABD8442DEFBF7AFC9310F14C16AD809A6258DB745A56CE50

Uniqueness

Uniqueness Score: -1.00%

Function 018FDB21, Relevance: 1.8, APIs: 1, Instructions: 253COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243926566.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20360d08032d3caa93b2ef72efe5a9986b2623d956b1dad022ef25a0033dfc8b
Instruction ID: f655e40ee775dbe5c40a599635c732cf972819719a81c8bea22394155b2d15f8
Opcode Fuzzy Hash: 20360d08032d3caa93b2ef72efe5a9986b2623d956b1dad022ef25a0033dfc8b
Instruction Fuzzy Hash: D2919F71C083889FCF16CFA9C8549CDBFB1AF4A310F19819AE609EB262D3349949DF51

Uniqueness

Uniqueness Score: -1.00%

Function 03223E5F, Relevance: 1.7, APIs: 1, Instructions: 244processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 03224096

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: cd2b1fe102b9ead223506ade8855b16c1af16a9048540715ce840836ac103f6b
Instruction ID: 3a064332d1a36fb7da97ed328331f134036c453d934b8f073c58288a56342fcd
Opcode Fuzzy Hash: cd2b1fe102b9ead223506ade8855b16c1af16a9048540715ce840836ac103f6b
Instruction Fuzzy Hash: 1C916B71D10229EFDB20DFA9DC81BDEBBB2BF48314F148569E818A7240DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 03223E60, Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 03224096

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 66b50cdad83858d294b58e9d51b4893ab1b0c56135c57d40c8a98f929250beae
Instruction ID: 1b70fe7ee01316e511304e1c9dde6316451e4489aea0ad0882d3b881e8570329
Opcode Fuzzy Hash: 66b50cdad83858d294b58e9d51b4893ab1b0c56135c57d40c8a98f929250beae
Instruction Fuzzy Hash: 00916B71D10229EFDB20DFA9DC81BDEBBB2BF48314F148569E818A7240DB749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 018FBBB8, Relevance: 1.7, APIs: 1, Instructions: 207COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 018FBE0E

Memory Dump Source

Source File: 00000000.00000002.243926566.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 4155feb00cad458c5bb11c73099ea67d92d2eb8919d6cc76860fdf628958cbd2
Instruction ID: 10028e9899f05d1a0b14e3732cc52a15baca0537881de1834e31aedeff900221
Opcode Fuzzy Hash: 4155feb00cad458c5bb11c73099ea67d92d2eb8919d6cc76860fdf628958cbd2
Instruction Fuzzy Hash: B6813470A00B058FD724DF6AC45075ABBF5FF88314F00892ED68ADBA50DB35EA058BA1

Uniqueness

Uniqueness Score: -1.00%

Function 018FB1F8, Relevance: 1.6, APIs: 1, Instructions: 128COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 018FDD8A

Memory Dump Source

Source File: 00000000.00000002.243926566.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 07a5d6fac00ec63f04614c0b638f2aa80f822ab96c465f77090a1023520cd996
Instruction ID: 076a49307717b69613f2d72d67a813452cf29166bf8d15fcf107f058c3d15ba4
Opcode Fuzzy Hash: 07a5d6fac00ec63f04614c0b638f2aa80f822ab96c465f77090a1023520cd996
Instruction Fuzzy Hash: 055103B1D003489FDB15DFA9C880ADEBFB1FF48314F24822AEA19AB251D7759945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 018FDC6D, Relevance: 1.6, APIs: 1, Instructions: 117COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 018FDD8A

Memory Dump Source

Source File: 00000000.00000002.243926566.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 97c6b67e5ff55b6cd38645ae214c3c4ebe6c1ead2043fc834fb2b6b8796f77e6
Instruction ID: c8e39d37430ac2282c87687c83fc75870a597f3b43d46dcbf3f7176ce2a10165
Opcode Fuzzy Hash: 97c6b67e5ff55b6cd38645ae214c3c4ebe6c1ead2043fc834fb2b6b8796f77e6
Instruction Fuzzy Hash: 2351C1B1D003489FDB14CF99C884ADEBBB5FF48310F24822EEA19AB250D7759985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 018FB214, Relevance: 1.6, APIs: 1, Instructions: 116COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 018FDD8A

Memory Dump Source

Source File: 00000000.00000002.243926566.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: false

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 1e608982f0f8f833f9c56bdd0334c7bd0d1477026ab8512e6db03d4105862c6a
Instruction ID: 8b1b17c6f2a632a2093111f8538a71b2e572d371a07f753a506928d710d2df33
Opcode Fuzzy Hash: 1e608982f0f8f833f9c56bdd0334c7bd0d1477026ab8512e6db03d4105862c6a
Instruction Fuzzy Hash: 3251D2B1D003089FDB14DF99C884ADEBBB5FF48314F24822EE919AB250D7749985CF90

Uniqueness

Uniqueness Score: -1.00%

Function 018F6D49, Relevance: 1.6, APIs: 1, Instructions: 104COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 018F6E47

Memory Dump Source

Source File: 00000000.00000002.243926566.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 585ebc5e40584d36fa012b97445bff1828936ead8d77f196807ca2d6e459ac78
Instruction ID: ed752bd1c5075ff89b8ce60708fcc5901b71c67fa02acb20c6dec9593001123f
Opcode Fuzzy Hash: 585ebc5e40584d36fa012b97445bff1828936ead8d77f196807ca2d6e459ac78
Instruction Fuzzy Hash: F1416C76900258AFCB01DF99D844ADEBFF9EB49320F18801AEA14E7361D7359A54DFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03223BD0, Relevance: 1.6, APIs: 1, Instructions: 72injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 03223C68

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3ec20add25e6c0957dfb12004f839ed118a5181b2b38645addf87ef012165e05
Instruction ID: 06ffde675233759f8b50e4b2995e39860eadbcf26acb0c90ff5fe6d0bb226313
Opcode Fuzzy Hash: 3ec20add25e6c0957dfb12004f839ed118a5181b2b38645addf87ef012165e05
Instruction Fuzzy Hash: 312148B59003599FCB10CFA9C984BDEBBF5FF48314F10842AE918A7240C778A995CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03223BD8, Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 03223C68

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 3e02341b41af9d02baf2bc9be218b13c0d76154b20e1f477a82281bc57012ca1
Instruction ID: d3291a4ef356c946c76f948dd7e131edd8941ce1c17536118342933be26f31b6
Opcode Fuzzy Hash: 3e02341b41af9d02baf2bc9be218b13c0d76154b20e1f477a82281bc57012ca1
Instruction Fuzzy Hash: 672126B59003599FCB10CFA9C984BDEBBF5FF48314F14842AE919A7240D778A955CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 03223A38, Relevance: 1.6, APIs: 1, Instructions: 66threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 03223ABE

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: f9c6041d2b28e656d2d5da5606364bf75bd0c5ffec98bf209002d548c45936f5
Instruction ID: dc0b060e1770c497490ce969b3c512e735f3cd74aafb5df1b6a7814d972db59e
Opcode Fuzzy Hash: f9c6041d2b28e656d2d5da5606364bf75bd0c5ffec98bf209002d548c45936f5
Instruction Fuzzy Hash: 32213D71D103099FDB10CFAAC4857EEBBF4EF48314F158429D919A7640CB78A985CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 018F6DB8, Relevance: 1.6, APIs: 1, Instructions: 64COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 018F6E47

Memory Dump Source

Source File: 00000000.00000002.243926566.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 257b6e975b32ed6adb4b9653319871c30c1d8e554b4ac1c24f4a894d6281fa88
Instruction ID: fad71da00c1a70712445c86d530e86a5cf43983c8d25d77fa41a4173f8371a3b
Opcode Fuzzy Hash: 257b6e975b32ed6adb4b9653319871c30c1d8e554b4ac1c24f4a894d6281fa88
Instruction Fuzzy Hash: D121E4B59002489FDB10CFAAD984ADEBBF4FF48324F14851AE918A7311D374AA54CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 03223A40, Relevance: 1.6, APIs: 1, Instructions: 63threadinjectionCOMMON

Download Yara Rule

APIs

SetThreadContext.KERNELBASE(?,00000000), ref: 03223ABE

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: ContextThread
String ID:
API String ID: 1591575202-0
Opcode ID: c38a43af57fbcace0647806f576b9a9fe74d52a75a1b0f9358d05dff0c5ec80d
Instruction ID: 491c7bbf9a89b328d173df463b87df005b69e57806772060216926e00a32c464
Opcode Fuzzy Hash: c38a43af57fbcace0647806f576b9a9fe74d52a75a1b0f9358d05dff0c5ec80d
Instruction Fuzzy Hash: 1D213871D002099FCB10CFAAC8847EEBBF4EF48324F15842AD519A7640CB78A985CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03223CC8, Relevance: 1.6, APIs: 1, Instructions: 63COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 03223D48

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: 522f0b854541d401db591bf0bf9de675c2d7668939df02686759da32d4134758
Instruction ID: 8dc50b2a002996c1037fe7cde2cab070d111010c3f74929b89f8831d5c916204
Opcode Fuzzy Hash: 522f0b854541d401db591bf0bf9de675c2d7668939df02686759da32d4134758
Instruction Fuzzy Hash: 50212A71D002599FCB10DFAAC880BDEBBF5FF48324F108429E519A7240C7399945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 018F6DC0, Relevance: 1.6, APIs: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 018F6E47

Memory Dump Source

Source File: 00000000.00000002.243926566.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: 4ea206296b545c2a5d4dee6ddb043c0e66d514ba27ff655a4955f6ee0b2d0286
Instruction ID: f82ea056ab53b447e91ee3e2da7a1792adaf462287fcda4154f6a445286e0420
Opcode Fuzzy Hash: 4ea206296b545c2a5d4dee6ddb043c0e66d514ba27ff655a4955f6ee0b2d0286
Instruction Fuzzy Hash: 3A21D5B5D002489FDB10CFAAD984ADEBBF4FF48324F14851AE918A7310D374A954CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03223B10, Relevance: 1.6, APIs: 1, Instructions: 56memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03223B86

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 6a75267b13ae738ba8ecda082e13f4fb82797723047304105b47a6fbc626a7b5
Instruction ID: 4d2f3ee09d07773161dec035f27581df0b146ad82d4ea71c5e5af1e213e5889b
Opcode Fuzzy Hash: 6a75267b13ae738ba8ecda082e13f4fb82797723047304105b47a6fbc626a7b5
Instruction Fuzzy Hash: 951159719002489BCF10DFAAD844BDFBFF5EF48324F148819E929A7600C779A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03223CEF, Relevance: 1.6, APIs: 1, Instructions: 56COMMON

Download Yara Rule

APIs

ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 03223D48

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: MemoryProcessRead
String ID:
API String ID: 1726664587-0
Opcode ID: f68f8707391aff3422b4bd06202bfafa833f64752d88b727aa187b7daf81c12b
Instruction ID: 9f00f1ab7410484bc99a72d78bfd44c03e03e323110482ef408fa54bdb30b738
Opcode Fuzzy Hash: f68f8707391aff3422b4bd06202bfafa833f64752d88b727aa187b7daf81c12b
Instruction Fuzzy Hash: EB1102769042498FCF00CFA8C8443EEBFF1FF49314F14851ADA69A7251CB388845DB61

Uniqueness

Uniqueness Score: -1.00%

Function 018FB0D8, Relevance: 1.6, APIs: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018FBE89,00000800,00000000,00000000), ref: 018FC09A

Memory Dump Source

Source File: 00000000.00000002.243926566.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 989f4c0475e384197e08952a3c2ef36e6747d6882ce9c4511491953ee7432611
Instruction ID: bedf73bf5bd0d440b19e750e330e20608e6579e51abe4b595792fa6f8c30849f
Opcode Fuzzy Hash: 989f4c0475e384197e08952a3c2ef36e6747d6882ce9c4511491953ee7432611
Instruction Fuzzy Hash: 2A1117B2D002089FDB14CF9AD444BDEFBF4EB89314F00841EE619A7600C375AA45CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 0787E498, Relevance: 1.6, APIs: 1, Instructions: 55memoryCOMMON

Download Yara Rule

APIs

VirtualProtect.KERNELBASE(?,?,?,?), ref: 0787E50B

Memory Dump Source

Source File: 00000000.00000002.252232999.0000000007870000.00000040.00000001.sdmp, Offset: 07870000, based on PE: false

Similarity

API ID: ProtectVirtual
String ID:
API String ID: 544645111-0
Opcode ID: 4c305f45461c30b26229c0b2002a82e7a1457785b2d7e22b5341857af9e80edd
Instruction ID: 1a2303bc54c86fb877294fa8d0ebdadbb52a5495864d800a41c84eece3acbe51
Opcode Fuzzy Hash: 4c305f45461c30b26229c0b2002a82e7a1457785b2d7e22b5341857af9e80edd
Instruction Fuzzy Hash: E021D6B19006499FCB10CF9AC984BDEBBF4FB48320F508429E569A7240D378AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 018FC028, Relevance: 1.6, APIs: 1, Instructions: 54libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,018FBE89,00000800,00000000,00000000), ref: 018FC09A

Memory Dump Source

Source File: 00000000.00000002.243926566.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: false

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 01b53b9d24679dbacc549a5b5e7b1222068ec75ba8a40499f20d995fd1f06148
Instruction ID: 4aa1449452fe1a6af254c49788ff969d2ab5f394b4bf834d2729dc2dc4ee0e4e
Opcode Fuzzy Hash: 01b53b9d24679dbacc549a5b5e7b1222068ec75ba8a40499f20d995fd1f06148
Instruction Fuzzy Hash: 4F1117B6D002099FDB14CF9AC444BDEFBF4EB89324F10851ED619A7600C775AA4ACFA5

Uniqueness

Uniqueness Score: -1.00%

Function 03221310, Relevance: 1.6, APIs: 1, Instructions: 53COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 03221388

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: 68d66674e8f7997cb1c71e8a64277c0ddfd46ed4fff86b350fa86f9f97c0ad4a
Instruction ID: 363abdb505b67951202185ee76c1d4824ee93127f3bee371e22f07210fdfd231
Opcode Fuzzy Hash: 68d66674e8f7997cb1c71e8a64277c0ddfd46ed4fff86b350fa86f9f97c0ad4a
Instruction Fuzzy Hash: 1D1126B5D0065A9BCB10CF9AD944BDEFBF4FF48324F14811AD818A7600D739A995CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03223B18, Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 03223B86

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 525866fbba1e33bd7291f19150d6cc5a8d584778b134afa44d2c5eacfcdebfe2
Instruction ID: d78edb80111bf6e39035bfd6ad4307a2a11cf9b8a46141232b31c29cec5232bf
Opcode Fuzzy Hash: 525866fbba1e33bd7291f19150d6cc5a8d584778b134afa44d2c5eacfcdebfe2
Instruction Fuzzy Hash: DB1137719002499FCF10DFAAC844BDFBBF5EF48324F148819E529A7250C779A955CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 03223988, Relevance: 1.6, APIs: 1, Instructions: 52threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 032239F2

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5614f721578316292798236b10511cf28b5ac8f7b8e6da0d60c4d32af1a7322a
Instruction ID: 3c27b84a3ea59ae2c3e4256a42036caf36a4e458dfa7bbdf40889ec203b53a04
Opcode Fuzzy Hash: 5614f721578316292798236b10511cf28b5ac8f7b8e6da0d60c4d32af1a7322a
Instruction Fuzzy Hash: 67112B71D002488BDB10DFAAD8457EEFBF9AF48324F148419D529A7640CB79A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03221318, Relevance: 1.6, APIs: 1, Instructions: 50COMMON

Download Yara Rule

APIs

OutputDebugStringW.KERNELBASE(00000000), ref: 03221388

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: DebugOutputString
String ID:
API String ID: 1166629820-0
Opcode ID: bf1fd5a720db00a0cd2b0c98e4a15efd83e06652b15265394c22ba1f0056a188
Instruction ID: 0bbcdc5f6461828701044803ab5de2350eb378add8fb3902296d5ccd4d6b1441
Opcode Fuzzy Hash: bf1fd5a720db00a0cd2b0c98e4a15efd83e06652b15265394c22ba1f0056a188
Instruction Fuzzy Hash: C11134B1D0065A9BCB10CF9AD944BDEFBF4FB48320F14811AD818A7600C734A955CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03229349, Relevance: 1.5, APIs: 1, Instructions: 49windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 032293AD

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 90a5d03d5991a3e1d6b20f6a43ce87555b7b8322ea50b74eae7713042e174af7
Instruction ID: f148e3ce6beb53087b6072e2ea9cc832ae26cef8eacf78ea61bb2dd4e79052e4
Opcode Fuzzy Hash: 90a5d03d5991a3e1d6b20f6a43ce87555b7b8322ea50b74eae7713042e174af7
Instruction Fuzzy Hash: 451106B58003599FDB10CF99D885BDEFFF8EB48320F14851AE558A7640C375A984CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03223990, Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE ref: 032239F2

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: e1f5b17903cd25ecd8b9d5bbf096e33417ab2911c1be3888fed04e6794368bda
Instruction ID: 10bb7b349d68c44c37aa0814e41417b249f87b4a01f9be1d0f61f14ab113ca6c
Opcode Fuzzy Hash: e1f5b17903cd25ecd8b9d5bbf096e33417ab2911c1be3888fed04e6794368bda
Instruction Fuzzy Hash: E7113A71D002488BCB10DFAAC8447EEFBF9AF88324F148419D519A7640CB79A945CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 018FBDA8, Relevance: 1.5, APIs: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 018FBE0E

Memory Dump Source

Source File: 00000000.00000002.243926566.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: false

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 97ae371316f789eeb2ceeebb00280e9163f10f99caedc4b6b7b5eb4d05e926b6
Instruction ID: 4f10a54adb561f547bbd27daef302249654211f20fbbb479972de89eaa3c266e
Opcode Fuzzy Hash: 97ae371316f789eeb2ceeebb00280e9163f10f99caedc4b6b7b5eb4d05e926b6
Instruction Fuzzy Hash: 0711F5B5D006498FDB10CF9AC444BDEFBF4EF88324F14851AD529A7600C375A645CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 03228CCC, Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,00000010,00000000,?), ref: 032293AD

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID: MessagePost
String ID:
API String ID: 410705778-0
Opcode ID: 001f2b62b0184d08bb25844504face387932105ba6fe87d34d5e076721bdde57
Instruction ID: 5ccf3d24ce092a0014473628f281e91b39cac5848af80e6c8555a41cfb46ed64
Opcode Fuzzy Hash: 001f2b62b0184d08bb25844504face387932105ba6fe87d34d5e076721bdde57
Instruction Fuzzy Hash: 0A1118B59007599FDB10CF99C884BDEFFF8EB48320F148419E519A7240C375A994CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 018FDEB9, Relevance: 1.5, APIs: 1, Instructions: 46COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 018FDF1D

Memory Dump Source

Source File: 00000000.00000002.243926566.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: 4768408992b0d7acfd4fcc8b50ca0f4cf0855ac44d98ace1aa69201b02dbd2b8
Instruction ID: 9c0629542c6d67bdd870bd9037bd53f74d68ce38eea4570f3a74b2926f72d5a5
Opcode Fuzzy Hash: 4768408992b0d7acfd4fcc8b50ca0f4cf0855ac44d98ace1aa69201b02dbd2b8
Instruction Fuzzy Hash: CA11E5B59002499FDB10DF99D588BDEFBF8EB48324F14851AEA19A7700C374AA45CFB1

Uniqueness

Uniqueness Score: -1.00%

Function 018FDEC0, Relevance: 1.5, APIs: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 018FDF1D

Memory Dump Source

Source File: 00000000.00000002.243926566.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: false

Similarity

API ID: LongWindow
String ID:
API String ID: 1378638983-0
Opcode ID: dff698ba869621c7bade5499f38fd7a764638021cde0ce82a5dccafe082893fb
Instruction ID: 286d2860115bc0724f3ac74172145b936e3fa933e0ff1cef05c6fb921c775860
Opcode Fuzzy Hash: dff698ba869621c7bade5499f38fd7a764638021cde0ce82a5dccafe082893fb
Instruction Fuzzy Hash: 2411F3B59002499FDB10DF9AD584BDEFBF8EF48324F10851AEA19A7700C374AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 0150D1D4, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243661535.000000000150D000.00000040.00000001.sdmp, Offset: 0150D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1779bebbef93d4429647e4919fb23e7d22f0d6b6be242d988d40e44216e6284
Instruction ID: e30b1bab27c57918bac96c14821a2cf82eadcd75642a16231275d261447bf9ec
Opcode Fuzzy Hash: b1779bebbef93d4429647e4919fb23e7d22f0d6b6be242d988d40e44216e6284
Instruction Fuzzy Hash: AE21F871504241DFDB02DFD4D9C0B2ABBB5FB84324F24C969E8094F286C73AD846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0150D01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243661535.000000000150D000.00000040.00000001.sdmp, Offset: 0150D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2f30b565685f53b8ede32e7ce14b9ba536d5af65a4a3f321154be5c9cefb4c65
Instruction ID: d45b84a49bd4392c7e65f06b7313358506f6af24bb25dc3b135eee3ab3b90d70
Opcode Fuzzy Hash: 2f30b565685f53b8ede32e7ce14b9ba536d5af65a4a3f321154be5c9cefb4c65
Instruction Fuzzy Hash: F3212575504240DFDB12CFD8D9D4B2ABBB5FB88354F24C969D80D4F286D33AD846CA61

Uniqueness

Uniqueness Score: -1.00%

Function 0150D006, Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243661535.000000000150D000.00000040.00000001.sdmp, Offset: 0150D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4dec215894561dd258788ee7bac8b000d192208bbe555ecfdb621c259398bbc2
Instruction ID: 6ff4afe7fc38f8236645771f75f941d3aa766a84c4634b93f9fe8316ed823888
Opcode Fuzzy Hash: 4dec215894561dd258788ee7bac8b000d192208bbe555ecfdb621c259398bbc2
Instruction Fuzzy Hash: 5B2192755093808FCB03CFA4D994B15BF71FB46214F28C5EAD8498F697C33A984ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 0150D1CF, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243661535.000000000150D000.00000040.00000001.sdmp, Offset: 0150D000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5423dff634b637993c3977459c8b4a40d2af93c6c522a3032ada7a034eb7421
Instruction ID: e68982c48c529866974f62139f1e38694d83280a02c18f7c08fa3c7e42b2f05a
Opcode Fuzzy Hash: f5423dff634b637993c3977459c8b4a40d2af93c6c522a3032ada7a034eb7421
Instruction Fuzzy Hash: 0C118B75504280DFDB12CF98D6C4B19BBB1FB84224F28C6AAD8494F696C33AD45ACB61

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 07877730, Relevance: 3.9, Strings: 3, Instructions: 171COMMON

Download Yara Rule

Strings

NN]4, xrefs: 07877782
qyQe, xrefs: 0787777F
8_<L, xrefs: 07877866

Memory Dump Source

Source File: 00000000.00000002.252232999.0000000007870000.00000040.00000001.sdmp, Offset: 07870000, based on PE: false

Similarity

API ID:
String ID: 8_<L$NN]4$qyQe
API String ID: 0-960344992
Opcode ID: 19d09aed0f0c925d3b4a685925f5cd938eb18f37e3ccbe929242c46138297054
Instruction ID: d053cee94732e6b4f15ba72db0e32a199c1904fe62c64509ce2941ead48f04f6
Opcode Fuzzy Hash: 19d09aed0f0c925d3b4a685925f5cd938eb18f37e3ccbe929242c46138297054
Instruction Fuzzy Hash: F87117B4E1520ADBCB04CF99D581AAEFBB2FB99350F148526D516EB310D730D942CF94

Uniqueness

Uniqueness Score: -1.00%

Function 07877722, Relevance: 3.9, Strings: 3, Instructions: 164COMMON

Download Yara Rule

Strings

NN]4, xrefs: 07877782
qyQe, xrefs: 0787777F
8_<L, xrefs: 07877866

Memory Dump Source

Source File: 00000000.00000002.252232999.0000000007870000.00000040.00000001.sdmp, Offset: 07870000, based on PE: false

Similarity

API ID:
String ID: 8_<L$NN]4$qyQe
API String ID: 0-960344992
Opcode ID: 6898216f51be225fbe93d9ff8b8765dcf9bdb07f8cd58b9b1e1343428276c434
Instruction ID: 5201d71ab900a5866f1794cf83559d9fae67f57af906dd3ceaaab5b76eff2ab4
Opcode Fuzzy Hash: 6898216f51be225fbe93d9ff8b8765dcf9bdb07f8cd58b9b1e1343428276c434
Instruction Fuzzy Hash: 246113B4E1520ADBCB04CFA9D581AAEFBB2FB99350F148526D516EB210D734DA42CF90

Uniqueness

Uniqueness Score: -1.00%

Function 032214F8, Relevance: 1.5, Strings: 1, Instructions: 258COMMON

Download Yara Rule

Strings

~SNr, xrefs: 0322164B

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID: ~SNr
API String ID: 0-347073217
Opcode ID: fc55e33b0cc964497d6ce1690033df66c44dfb5f25ed4b0cf278a084fc33df4e
Instruction ID: 7254e551ae3183649e66d3befac18ec354487147d21a914ecd3e68b4f30d4b66
Opcode Fuzzy Hash: fc55e33b0cc964497d6ce1690033df66c44dfb5f25ed4b0cf278a084fc33df4e
Instruction Fuzzy Hash: 93B13774E212199FCB04CFE9C9849DEFBF6BF88350F18856AD405AB314E774A9918F60

Uniqueness

Uniqueness Score: -1.00%

Function 032214E8, Relevance: 1.5, Strings: 1, Instructions: 252COMMON

Download Yara Rule

Strings

~SNr, xrefs: 0322164B

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID: ~SNr
API String ID: 0-347073217
Opcode ID: ee60a8fe74c78cb00e1243847487e1c7bf6725105523204ed8e1e1d4fcb24514
Instruction ID: 302e7edad33b50f77bf5b560be91307376a877f64edef171a624cd3577a3689d
Opcode Fuzzy Hash: ee60a8fe74c78cb00e1243847487e1c7bf6725105523204ed8e1e1d4fcb24514
Instruction Fuzzy Hash: BDA14874E112199FCB04CFE9C9849DEFBF6BF88340F18C56AD405AB354E734A9928B64

Uniqueness

Uniqueness Score: -1.00%

Function 032263E8, Relevance: 1.4, Strings: 1, Instructions: 117COMMON

Download Yara Rule

Strings

aw8, xrefs: 0322646A

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID: aw8
API String ID: 0-2016705302
Opcode ID: b11e82d60fcb2a7437f22fe72eccdfa9f3bb21caad49121b45acd760077a58b5
Instruction ID: 7bb08e5900729740d8173530cb761f69b8db8f8c4abbf118884ac2e879001a13
Opcode Fuzzy Hash: b11e82d60fcb2a7437f22fe72eccdfa9f3bb21caad49121b45acd760077a58b5
Instruction Fuzzy Hash: 6C41ACB5E15219EFCB04CFA9D840AEEFBB2FF88300F14846AC055A7250E7745A41CF65

Uniqueness

Uniqueness Score: -1.00%

Function 032263F8, Relevance: 1.4, Strings: 1, Instructions: 114COMMON

Download Yara Rule

Strings

aw8, xrefs: 0322646A

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID: aw8
API String ID: 0-2016705302
Opcode ID: 2739457ee9156baf6f7e6e3f16b21f9d1e0f691acfc33477daba19632fe1e939
Instruction ID: ccdfe8b7c3db57255f1c70ae53415f0083a115140e5cbe38096fb2be0b5d223d
Opcode Fuzzy Hash: 2739457ee9156baf6f7e6e3f16b21f9d1e0f691acfc33477daba19632fe1e939
Instruction Fuzzy Hash: 37416CB1E1521AEFCB04CFA9D940AEEFBB2FF88300F14946AC055A7254E7B49A41CF55

Uniqueness

Uniqueness Score: -1.00%

Function 00EB79AB, Relevance: 1.2, Instructions: 1158
COMMONCrypto

Download Yara Rule

C-Code - Quality: 91%

			E00EB79AB(signed int __eax, void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __esi) {
				signed char _t93;
				void* _t298;
				void* _t341;
				intOrPtr* _t361;
				intOrPtr* _t364;
				void* _t377;

				_t377 = __esi;
				_t364 = __edi;
				_t341 = __ecx;
				_t298 = __ebx;
				_push(__eax);
				 *__eax =  *__eax + __eax;
				_t93 = __eax |  *__eax;
				_t361 = __edx +  *__edi;
				 *_t361 =  *_t361 - __ecx;
				 *_t361 =  *_t361 + __ecx;
				 *_t361 =  *_t361 + _t93;
				if( *_t361 >= 0) {
					 *_t93 =  *_t93 + _t93;
				}
				 *((intOrPtr*)(_t93 + 0x6f)) =  *((intOrPtr*)(_t93 + 0x6f)) + _t361;
			}

0x00eb79ab
0x00eb79ab
0x00eb79ab
0x00eb79ab
0x00eb79ab
0x00eb79ac
0x00eb79ae
0x00eb79b0
0x00eb79b2
0x00eb79b5
0x00eb79b7
0x00eb79b9
0x00eb79bb
0x00eb79bb
0x00eb79bc

Memory Dump Source

Source File: 00000000.00000002.243274591.0000000000EB2000.00000002.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.243265501.0000000000EB0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d3df67d3cfcad69157ecdd1e8707f9ab640e4550d7ef97cd4c4c6c53bb8f505
Instruction ID: 27be49ae43ee3bbbc803adeaab403be1ababe276e032739fa1e74328390164e2
Opcode Fuzzy Hash: 6d3df67d3cfcad69157ecdd1e8707f9ab640e4550d7ef97cd4c4c6c53bb8f505
Instruction Fuzzy Hash: C49204A690E7C29FCB131B386DB11E1BFB19D6721871E08C7C4C18E4A3E118199BDB66

Uniqueness

Uniqueness Score: -1.00%

Function 018FC2B0, Relevance: .5, Instructions: 520COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243926566.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 941e5b0ed9a77877e006adef99d16e2db733189535dc563f8c4c894d75ebe500
Instruction ID: 52e81efedf9f139f46628e7645abd3f9ea22b22b544cbfdaaf2839b056ecd9e5
Opcode Fuzzy Hash: 941e5b0ed9a77877e006adef99d16e2db733189535dc563f8c4c894d75ebe500
Instruction Fuzzy Hash: 9E523BB1600F06CFD710EF14F4CC59A7BB1FB46318B61C609D6A19BA9AD3B4664ACF84

Uniqueness

Uniqueness Score: -1.00%

Function 00EBECCE, Relevance: .5, Instructions: 471COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243274591.0000000000EB2000.00000002.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.243265501.0000000000EB0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2822bb739c6d24987f16ea0e340435450e4f959715f452029d234cdcdde612fb
Instruction ID: 2747a2108a88535d3d6a731e79ca56031786c64c136785a761206af2f5687f64
Opcode Fuzzy Hash: 2822bb739c6d24987f16ea0e340435450e4f959715f452029d234cdcdde612fb
Instruction Fuzzy Hash: 1A02E3728493C18FD7568F34C8AA5D67FB0EE1332832D85EEC4C08E553E22A655BCB91

Uniqueness

Uniqueness Score: -1.00%

Function 00EBC0EF, Relevance: .4, Instructions: 370COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243274591.0000000000EB2000.00000002.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.243265501.0000000000EB0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d0345ea8ad9bae2fd9418689cc04ada3bb71c568074388df8cb9d96f5880263
Instruction ID: ab73b4552bb7a5b8977253ce169c11c1edd42172248ceabd58c6a5781858e80e
Opcode Fuzzy Hash: 5d0345ea8ad9bae2fd9418689cc04ada3bb71c568074388df8cb9d96f5880263
Instruction Fuzzy Hash: 4DE179A248F3C15FC7038B309C6A5C27FB0AE1322471E49EFD4C08E4A3E25D995AD766

Uniqueness

Uniqueness Score: -1.00%

Function 00EB4DCA, Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243274591.0000000000EB2000.00000002.00020000.sdmp, Offset: 00EB0000, based on PE: true

Associated: 00000000.00000002.243265501.0000000000EB0000.00000002.00020000.sdmp Download File

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 51664b243d4809e240624488b07219d4abaa6a012f0a8019a1c5ec9095b803a1
Instruction ID: c1ccdb0f4dc3df9b479740d7aa084f2c07921d5c1ae0b129de27a22703c420e5
Opcode Fuzzy Hash: 51664b243d4809e240624488b07219d4abaa6a012f0a8019a1c5ec9095b803a1
Instruction Fuzzy Hash: 9CF1C25544E3D20FC7138BB44CB4691BFB19E5B214B5E89DFC4C08F4A3E699299AE323

Uniqueness

Uniqueness Score: -1.00%

Function 018F9990, Relevance: .3, Instructions: 265COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.243926566.00000000018F0000.00000040.00000001.sdmp, Offset: 018F0000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 201951dc46dbcf9735b6982755bfbca7b45170638cb43fd394c52097b462e09f
Instruction ID: da838f6737a7bd89970b79e74d3449c2345b0bc398423e57da474192444e206c
Opcode Fuzzy Hash: 201951dc46dbcf9735b6982755bfbca7b45170638cb43fd394c52097b462e09f
Instruction Fuzzy Hash: 10A17336E1061A8FCF05DFA9C8445DDBBB2FF89304B15856AEA05FB221EB31DA45CB40

Uniqueness

Uniqueness Score: -1.00%

Function 03226B18, Relevance: .2, Instructions: 234COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7be4dc30054fe94c9cd1e6e0c7218787a84c5b84ce19f81e03b92acb818912c7
Instruction ID: 3e2874918c2539f67d1a8250f1d9eedff9852a00153fe6ca306555bcc55433c4
Opcode Fuzzy Hash: 7be4dc30054fe94c9cd1e6e0c7218787a84c5b84ce19f81e03b92acb818912c7
Instruction Fuzzy Hash: 1EA114B5E25219EFCB04DFA9D9814EEFFF2EB89300F20902AD415BB218D7749A418F55

Uniqueness

Uniqueness Score: -1.00%

Function 03226B09, Relevance: .2, Instructions: 228COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a264536deccccc5b1708b4560e5d3d9ab60c85824ad43995a21d3f65f437a187
Instruction ID: b316ff4297f40925a1e11b1b503328872a47851468a10a8ff864a1fd87b4475b
Opcode Fuzzy Hash: a264536deccccc5b1708b4560e5d3d9ab60c85824ad43995a21d3f65f437a187
Instruction Fuzzy Hash: 1E9122B5E25219AFCB04DFA9D9814EEFFF2EF89300F20902AD405BB218D7749A418F55

Uniqueness

Uniqueness Score: -1.00%

Function 03221CA0, Relevance: .2, Instructions: 223COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ca69f52f9f5232471b7ce5176c540d9400a717be07ffe41ad668ff5ca49a1ee
Instruction ID: 0c32647a3745bd6c26702f115842f76436dcfc75492ac55783031f2227a89e85
Opcode Fuzzy Hash: 1ca69f52f9f5232471b7ce5176c540d9400a717be07ffe41ad668ff5ca49a1ee
Instruction Fuzzy Hash: 28917170E20219DBDB14CFA9C980AAEFBF6BF89300F24C569D404A7355D770A981CF51

Uniqueness

Uniqueness Score: -1.00%

Function 03221CB0, Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2dbed3bf90ac57e6faa6619ba3578ea7cf77f49f0c693fb7650477c334e30992
Instruction ID: bfb167550c18713d1b171366d58cc1183473d69ddf389e667cf7271b55c2afb5
Opcode Fuzzy Hash: 2dbed3bf90ac57e6faa6619ba3578ea7cf77f49f0c693fb7650477c334e30992
Instruction Fuzzy Hash: CE916070E24229DBDB14CF99D980A9EFBB6FF88344F14C569D408AB345D770A981CF61

Uniqueness

Uniqueness Score: -1.00%

Function 032219D8, Relevance: .2, Instructions: 172COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 830d0b0bae017f29b1a280e63512370cbdb4fcf6f6bed24675a4373601aa0eae
Instruction ID: 3185b69d9403798d4528b08b9707bca00acc97a19a7663a44ab1df821e4e375a
Opcode Fuzzy Hash: 830d0b0bae017f29b1a280e63512370cbdb4fcf6f6bed24675a4373601aa0eae
Instruction Fuzzy Hash: B9615B74E2121A9FCB04CFE9D9859EEFBB6BF88310F14D426D414A7214D774AA918FA0

Uniqueness

Uniqueness Score: -1.00%

Function 032219C7, Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1ee05e4b11eb4a4c7eb13552b55bc45989f460afeb41b77892acecefd87b05ad
Instruction ID: 53a7f393d57f76f82a24b4d0907238a6c43ee2861daf2105672d44d550b05647
Opcode Fuzzy Hash: 1ee05e4b11eb4a4c7eb13552b55bc45989f460afeb41b77892acecefd87b05ad
Instruction Fuzzy Hash: 32617C74E2121A9FCB04CFE9D9859EEFBB6BF88310F14D466D014A7214D774AA91CF90

Uniqueness

Uniqueness Score: -1.00%

Function 03222EF0, Relevance: .1, Instructions: 134COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 855680976f2b6d64d99870fd999fe855995b373b69472930247abe40e7e25b47
Instruction ID: 145d107c1b0bd49a5c33b983a7e82959513f37af2463660bb5f7e1c40225a05c
Opcode Fuzzy Hash: 855680976f2b6d64d99870fd999fe855995b373b69472930247abe40e7e25b47
Instruction Fuzzy Hash: F3511A75E11229DFDB68CF69D880B9EFBF2BB88304F14C5AAD509A7254DB705A80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 03222EDF, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d3dadd9cbb014ab741fef8f226d354594ac467a6be0eae19522ff60734e34fe
Instruction ID: 1f7685c4a20afa3288cc21a3bd67637ffd5a95bfcc25e2ac5d15ab80840f879d
Opcode Fuzzy Hash: 7d3dadd9cbb014ab741fef8f226d354594ac467a6be0eae19522ff60734e34fe
Instruction Fuzzy Hash: 15514B74E152299FDB68CF69D880B9EBBF2BF89300F14C5AAD508E7354DB705A808F51

Uniqueness

Uniqueness Score: -1.00%

Function 0787B1F0, Relevance: .1, Instructions: 128COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252232999.0000000007870000.00000040.00000001.sdmp, Offset: 07870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75dd9f21deac9f44383c4b5072ba90dbb21d7a6635d65b245410435e58c806cc
Instruction ID: 0fced31cfab95f107d36a5ca9c89945f7e01ea8f6b91517287856a56dbd25101
Opcode Fuzzy Hash: 75dd9f21deac9f44383c4b5072ba90dbb21d7a6635d65b245410435e58c806cc
Instruction Fuzzy Hash: 2D51EBB4E112199FDB14CF9AC88069EFBB7FF89214F14C5AAC409A7215DB309982CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0787B1E2, Relevance: .1, Instructions: 121COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.252232999.0000000007870000.00000040.00000001.sdmp, Offset: 07870000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26f2492421398235c3a7e08f5557649409e88eedea85f88be5f409f453dc6d02
Instruction ID: d1687930d6b5d3c8939adbd982d93ed31722495bdfcec570a50615338e569de3
Opcode Fuzzy Hash: 26f2492421398235c3a7e08f5557649409e88eedea85f88be5f409f453dc6d02
Instruction Fuzzy Hash: F951ECB4E11219CFDB14CF9AC98079EFBB7BF89204F14C5AAC409A7255DB309982CF61

Uniqueness

Uniqueness Score: -1.00%

Function 0322B8C9, Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40bfd3c6c370a4df3e7e3c4e96cf843b1a100039cf39d04890968ba3ffff1fc5
Instruction ID: ebc744e6583f9aedc0e4d5eca678ea3e7458dd0b7bf8fc4dbbfb4151c328338b
Opcode Fuzzy Hash: 40bfd3c6c370a4df3e7e3c4e96cf843b1a100039cf39d04890968ba3ffff1fc5
Instruction Fuzzy Hash: 431151309193A99FCB12CBB5C8547EDBFF0AF0B304F4850AAD451BB292C7784988DB65

Uniqueness

Uniqueness Score: -1.00%

Function 0322B8E0, Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.244018952.0000000003220000.00000040.00000001.sdmp, Offset: 03220000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76f3869a4e357fb6b7af52672d97ca350b8cd354dabff9ec204dc46ca51b7de9
Instruction ID: 706c661cd21c57ddbadf5ea04066479e397ab856794bdd104e09e0d038d94b00
Opcode Fuzzy Hash: 76f3869a4e357fb6b7af52672d97ca350b8cd354dabff9ec204dc46ca51b7de9
Instruction Fuzzy Hash: 12115A30D142699BCB14CFA6C814BEEFFF1AB4D300F189069D411B7290C7784984CF68

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegSvcs.exe PID: 6036 Parent PID: 5596 RegSvcs.exeCOMMON

Executed Functions

Function 02E4F5F8, Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 396COMMON

Download Yara Rule

Strings

M*, xrefs: 02E4F622

Memory Dump Source

Source File: 00000004.00000002.476769299.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID: M*
API String ID: 0-2586121775
Opcode ID: eb6041c4fe1e0008ad9a4d06b80e00102964490c0a7c36fa7ac346e7c2cf7cdb
Instruction ID: fc300bc082398214ffe2ab78c3c78fc198bc5d27a127d72399c12b68bfc38612
Opcode Fuzzy Hash: eb6041c4fe1e0008ad9a4d06b80e00102964490c0a7c36fa7ac346e7c2cf7cdb
Instruction Fuzzy Hash: 1DF17B30A40209CFDB10DFA9E848BADBBF1BF48708F15C569E405AF761DBB0A945CB40

Uniqueness

Uniqueness Score: -1.00%

Function 02C7B6C0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02C7B730
GetCurrentThread.KERNEL32 ref: 02C7B76D
GetCurrentProcess.KERNEL32 ref: 02C7B7AA
GetCurrentThreadId.KERNEL32 ref: 02C7B803

Strings

M*, xrefs: 02C7B6EC

Memory Dump Source

Source File: 00000004.00000002.476448885.0000000002C70000.00000040.00000001.sdmp, Offset: 02C70000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID: M*
API String ID: 2063062207-2586121775
Opcode ID: a458a84e098a998ee07dc8b906ca7acfff83cf8f5690737117efe94b6a4efc95
Instruction ID: 10efc032c0b8ddedc4c6638dd9bd269b678737819fb7b9860f742fc886dc8c85
Opcode Fuzzy Hash: a458a84e098a998ee07dc8b906ca7acfff83cf8f5690737117efe94b6a4efc95
Instruction Fuzzy Hash: 115164B0E006498FDB10CFA9D648BAEBBF0BF49318F20859AE019A7350DB745D44CB65

Uniqueness

Uniqueness Score: -1.00%

Function 02C7B6D0, Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 120threadCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32 ref: 02C7B730
GetCurrentThread.KERNEL32 ref: 02C7B76D
GetCurrentProcess.KERNEL32 ref: 02C7B7AA
GetCurrentThreadId.KERNEL32 ref: 02C7B803

Strings

M*, xrefs: 02C7B6EC

Memory Dump Source

Source File: 00000004.00000002.476448885.0000000002C70000.00000040.00000001.sdmp, Offset: 02C70000, based on PE: false

Similarity

API ID: Current$ProcessThread
String ID: M*
API String ID: 2063062207-2586121775
Opcode ID: 6779af19e5faee8f0a40f29cfe55546d8d75e967832ac60c74397d79b49b0422
Instruction ID: bea24d0d823c1d9c8273b5c87159b8f6056f89a5d3c10b4e455519d32591c604
Opcode Fuzzy Hash: 6779af19e5faee8f0a40f29cfe55546d8d75e967832ac60c74397d79b49b0422
Instruction Fuzzy Hash: F35144B4E006498FDB10CFA9D648BAEBBF1BF88318F208559E019A7350DB745D44CF65

Uniqueness

Uniqueness Score: -1.00%

Function 064033E0, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 209COMMON

Download Yara Rule

Strings

M*, xrefs: 064034C6
M*, xrefs: 064034E9

Memory Dump Source

Source File: 00000004.00000002.481757136.0000000006400000.00000040.00000001.sdmp, Offset: 06400000, based on PE: false

Similarity

API ID:
String ID: M*$M*
API String ID: 0-16210055
Opcode ID: 72ce2fc0a7291ac35e2e5f90caf99fc69a53ac1be852871701712ff557889b00
Instruction ID: af1722b0174038198d84f234ce36e7be45bf20eaa85ccb5a7099a980ece9b5bc
Opcode Fuzzy Hash: 72ce2fc0a7291ac35e2e5f90caf99fc69a53ac1be852871701712ff557889b00
Instruction Fuzzy Hash: 56817B71D0022A9FDB12CFA9C8806DEFBB5FF49304F24852AD415AB390DB719946CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02C7FBEC, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 119COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02C7FD0A

Strings

M*, xrefs: 02C7FC46
M*, xrefs: 02C7FC26

Memory Dump Source

Source File: 00000004.00000002.476448885.0000000002C70000.00000040.00000001.sdmp, Offset: 02C70000, based on PE: false

Similarity

API ID: CreateWindow
String ID: M*$M*
API String ID: 716092398-16210055
Opcode ID: bfd177ae7e45f82479d5d85312cefd7488b76339ec3161029b31ebecfbf84149
Instruction ID: 286b64f4ce6fe70dd14ff5fe10a9bb1f83bfc36c97864524aa9887a1693943ea
Opcode Fuzzy Hash: bfd177ae7e45f82479d5d85312cefd7488b76339ec3161029b31ebecfbf84149
Instruction Fuzzy Hash: 5051BEB1D00348DFDB15CFA9D884ADEBBB1BF88314F24812EE819AB210D7759985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02C7FBF8, Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 02C7FD0A

Strings

M*, xrefs: 02C7FC46
M*, xrefs: 02C7FC26

Memory Dump Source

Source File: 00000004.00000002.476448885.0000000002C70000.00000040.00000001.sdmp, Offset: 02C70000, based on PE: false

Similarity

API ID: CreateWindow
String ID: M*$M*
API String ID: 716092398-16210055
Opcode ID: 6fad603aeb7e8396d0cf28732968ffc5762c5bc57b9f5fae3cdb0a976696cedf
Instruction ID: 83e28106697590c73ed42039fe6700c6648b4dcabc553e471b960a0b4a822c89
Opcode Fuzzy Hash: 6fad603aeb7e8396d0cf28732968ffc5762c5bc57b9f5fae3cdb0a976696cedf
Instruction Fuzzy Hash: 3C41AFB1D00309DFDB14CFA9D984ADEBBB5BF88314F64812EE819AB210D7749985CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02E417E0, Relevance: 4.0, APIs: 1, Strings: 1, Instructions: 517COMMON

Download Yara Rule

Strings

M*, xrefs: 02E417F7

Memory Dump Source

Source File: 00000004.00000002.476769299.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID:
String ID: M*
API String ID: 0-2586121775
Opcode ID: ad8df8d951978bd72073c2c6feb41cda555922fb602832524b247b8b6ae3fde8
Instruction ID: d7aca3d98d537cc4eff63b204126d54234d97358e6e2eef6bd7481fbec79bf64
Opcode Fuzzy Hash: ad8df8d951978bd72073c2c6feb41cda555922fb602832524b247b8b6ae3fde8
Instruction Fuzzy Hash: 6B228074E80205CFDF14CB98E484AAEBBB2BF89314F14D555EE19AB354CF34A881CB65

Uniqueness

Uniqueness Score: -1.00%

Function 02C793E8, Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02C7962E

Strings

M*, xrefs: 02C795E7

Memory Dump Source

Source File: 00000004.00000002.476448885.0000000002C70000.00000040.00000001.sdmp, Offset: 02C70000, based on PE: false

Similarity

API ID: HandleModule
String ID: M*
API String ID: 4139908857-2586121775
Opcode ID: dc98799f3f1f3db4b5792c538795bdb1e5c658f86fe79cf99d25f8d6feb6b6f5
Instruction ID: 6c0c29c9f4172f28446804e7f6d427143e394754122cf7d7c0a82f3791b13efe
Opcode Fuzzy Hash: dc98799f3f1f3db4b5792c538795bdb1e5c658f86fe79cf99d25f8d6feb6b6f5
Instruction Fuzzy Hash: F5714670A00B058FD764DF2AD44479ABBF1FF88214F008A2DD59ADBA50D735E94ACF91

Uniqueness

Uniqueness Score: -1.00%

Function 02E43474, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 96COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02E446B1

Strings

M*, xrefs: 02E44634

Memory Dump Source

Source File: 00000004.00000002.476769299.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID: Create
String ID: M*
API String ID: 2289755597-2586121775
Opcode ID: 5a53bc21b46ca3e94e9fa59d038649a193ef08649d356235cde53ebffa52a73a
Instruction ID: ebdd0b1a7b99454362bee7e457f199bd3050ee9dd45414df42cecccb0e09fed0
Opcode Fuzzy Hash: 5a53bc21b46ca3e94e9fa59d038649a193ef08649d356235cde53ebffa52a73a
Instruction Fuzzy Hash: 1241E271D0065CCBDB24DFA9D848BDEBBB5BF49308F208069D409AB250DB75694ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E445F4, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 95COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02E446B1

Strings

M*, xrefs: 02E44634

Memory Dump Source

Source File: 00000004.00000002.476769299.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID: Create
String ID: M*
API String ID: 2289755597-2586121775
Opcode ID: 84aea1ed919770a36b2aaaaad909a78d48d8e0014e3c2719b0bb351d50e7b5fe
Instruction ID: c5a9b17ff86395a72432bc76bc01e67dfa9971ac2c06f3712f20e147f100c1ef
Opcode Fuzzy Hash: 84aea1ed919770a36b2aaaaad909a78d48d8e0014e3c2719b0bb351d50e7b5fe
Instruction Fuzzy Hash: 6741E2B1D00658CFDB24DFA9C844BDEBBB5BF49308F208069D409AB251DBB5594ACF90

Uniqueness

Uniqueness Score: -1.00%

Function 02E42470, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

CallWindowProcW.USER32(?,?,?,?,?), ref: 02E42531

Strings

M*, xrefs: 02E42487

Memory Dump Source

Source File: 00000004.00000002.476769299.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID: CallProcWindow
String ID: M*
API String ID: 2714655100-2586121775
Opcode ID: e7b21e8c1eeb8c064cbe05617c8470997c838c1abda2eee4984b78af97a0f36b
Instruction ID: eb8f99cea893d076f30e3ac22d793724cae95ac02d652aa8cf84c00ddea52f84
Opcode Fuzzy Hash: e7b21e8c1eeb8c064cbe05617c8470997c838c1abda2eee4984b78af97a0f36b
Instruction Fuzzy Hash: 394129B4A00205CFDB14CF99D458BAABBF5FF88318F15C459E919AB321D774A841CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E4B889, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 87windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 02E4B957

Strings

M*, xrefs: 02E4B902

Memory Dump Source

Source File: 00000004.00000002.476769299.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID: M*
API String ID: 3668623891-2586121775
Opcode ID: 203d8826b2853b4916acbcae05e8eaecb690ecd7c2b255979c1023457ab6a8af
Instruction ID: 8f8205ace4f690de9b8d1cfa3518a16ab243146d8fdf5ba371647950cb624754
Opcode Fuzzy Hash: 203d8826b2853b4916acbcae05e8eaecb690ecd7c2b255979c1023457ab6a8af
Instruction Fuzzy Hash: FC31BEB29043889FCB11CFA9D840AEEBFF9EF59314F08805AE954A7211C739D855DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C7BCF9, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 66COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C7BD87

Strings

M*, xrefs: 02C7BD1F

Memory Dump Source

Source File: 00000004.00000002.476448885.0000000002C70000.00000040.00000001.sdmp, Offset: 02C70000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID: M*
API String ID: 3793708945-2586121775
Opcode ID: 5b6507505549681250400e9f8a7e8e604532217f4acf563c9e3105933ff58d4b
Instruction ID: d90d31a80263dd270c9424046ceab4fbb22e72c2fdc96926b053b39150b7bcf5
Opcode Fuzzy Hash: 5b6507505549681250400e9f8a7e8e604532217f4acf563c9e3105933ff58d4b
Instruction Fuzzy Hash: 4821B3B5D00249DFDB10CF9AD984ADEFBF5EF48324F14841AE958A7210D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C7BD00, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02C7BD87

Strings

M*, xrefs: 02C7BD1F

Memory Dump Source

Source File: 00000004.00000002.476448885.0000000002C70000.00000040.00000001.sdmp, Offset: 02C70000, based on PE: false

Similarity

API ID: DuplicateHandle
String ID: M*
API String ID: 3793708945-2586121775
Opcode ID: daf3d4eee93c271382825c60a2a5ec1ba6c7f42fd7e55f4fb04044a885fe2c17
Instruction ID: 4495f7aee77f73e940511edca961ee5f8fd8f8977f1e2a2c51bb4e440a0ac56e
Opcode Fuzzy Hash: daf3d4eee93c271382825c60a2a5ec1ba6c7f42fd7e55f4fb04044a885fe2c17
Instruction Fuzzy Hash: ED21C4B59002489FDB10CF9AD984ADEBBF5EB48324F14841AE958A7310D778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C79849, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 56libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02C796A9,00000800,00000000,00000000), ref: 02C798BA

Strings

M*, xrefs: 02C7986F

Memory Dump Source

Source File: 00000004.00000002.476448885.0000000002C70000.00000040.00000001.sdmp, Offset: 02C70000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: M*
API String ID: 1029625771-2586121775
Opcode ID: d67d8dba52e9d196c831955265634ae55c48b5e4a87a055a68a1f9f41e946c53
Instruction ID: 76016d33d3fb37028672cfc0ce9e1746f63fffe5885cf682c59832836b20c76d
Opcode Fuzzy Hash: d67d8dba52e9d196c831955265634ae55c48b5e4a87a055a68a1f9f41e946c53
Instruction Fuzzy Hash: 091114B6D002099FDB10CF9AC444ADEFBF4EF89324F15842AE929A7600C774A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C78768, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 55libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02C796A9,00000800,00000000,00000000), ref: 02C798BA

Strings

M*, xrefs: 02C7986F

Memory Dump Source

Source File: 00000004.00000002.476448885.0000000002C70000.00000040.00000001.sdmp, Offset: 02C70000, based on PE: false

Similarity

API ID: LibraryLoad
String ID: M*
API String ID: 1029625771-2586121775
Opcode ID: 5dccdb12e90212ec8d3c6fee73a68874c98ec9a17e3bb02044db034793312553
Instruction ID: ac389d6fda0015f4b2bf0f7cd9522de6c7758dd47f729efaa0efab00105203da
Opcode Fuzzy Hash: 5dccdb12e90212ec8d3c6fee73a68874c98ec9a17e3bb02044db034793312553
Instruction Fuzzy Hash: A91103B6D002099FDB10CF9AC444ADEFBF4EF88324F14842AE929A7600C774A945CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E4B8E8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 53windowCOMMON

Download Yara Rule

APIs

CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 02E4B957

Strings

M*, xrefs: 02E4B902

Memory Dump Source

Source File: 00000004.00000002.476769299.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID: CreateFromIconResource
String ID: M*
API String ID: 3668623891-2586121775
Opcode ID: 95b709ddc93cb727a83952174039cefc9d78c3338ebbe86f0729559334c5eef4
Instruction ID: 87ddf515a595a974a8737ce6b8e7e5ac68eca34ab273ea2e1d946a7040fdc551
Opcode Fuzzy Hash: 95b709ddc93cb727a83952174039cefc9d78c3338ebbe86f0729559334c5eef4
Instruction Fuzzy Hash: AA1137B29002499FDB10CF99D844BDEBFF8EF48324F14841AE964A7210C734A954DFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E432D8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 51windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,013E53E8,00000000,?), ref: 02E4E73D

Strings

M*, xrefs: 02E4E6FA

Memory Dump Source

Source File: 00000004.00000002.476769299.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID: MessagePost
String ID: M*
API String ID: 410705778-2586121775
Opcode ID: 1823483db4e4abc2b3dcaef30c7cfd1a7cb938d8c15cd3564b84fe9756b85dea
Instruction ID: 120221a73085f229567a1a3e8a9cb792c3504ee43b790d7d5399ddc345072891
Opcode Fuzzy Hash: 1823483db4e4abc2b3dcaef30c7cfd1a7cb938d8c15cd3564b84fe9756b85dea
Instruction Fuzzy Hash: 951158B58003099FDB10CF99C445BEEBBF8FB48324F148419E554A3600C778A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E4E6D8, Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 50windowCOMMON

Download Yara Rule

APIs

PostMessageW.USER32(?,013E53E8,00000000,?), ref: 02E4E73D

Strings

M*, xrefs: 02E4E6FA

Memory Dump Source

Source File: 00000004.00000002.476769299.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID: MessagePost
String ID: M*
API String ID: 410705778-2586121775
Opcode ID: 152a1298a478f76762f31f5c5f766573c1a14dfd10a2402e373fa0ff3baa74e6
Instruction ID: bb06009b052e957bf64a13fa7b5df4fe6f4f535e3ca238c416e3d8bcb42e34fe
Opcode Fuzzy Hash: 152a1298a478f76762f31f5c5f766573c1a14dfd10a2402e373fa0ff3baa74e6
Instruction Fuzzy Hash: D31158B58002499FDB10CFA9C885BEEBBF4FF48324F148419E554A3200C778A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C7FE38, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02C7FE9D

Strings

M*, xrefs: 02C7FE5A

Memory Dump Source

Source File: 00000004.00000002.476448885.0000000002C70000.00000040.00000001.sdmp, Offset: 02C70000, based on PE: false

Similarity

API ID: LongWindow
String ID: M*
API String ID: 1378638983-2586121775
Opcode ID: 7d324fbed8cb0a45ce57894f56134c1928c1473b45433e5e505fe522776535cc
Instruction ID: 1502c67430926a5ee24d04341bf918be1a89e9db249a784bc8f3ed5e36dcdb6a
Opcode Fuzzy Hash: 7d324fbed8cb0a45ce57894f56134c1928c1473b45433e5e505fe522776535cc
Instruction Fuzzy Hash: B61122B5800648CFDB20CF99D584BEEFBF4EB88324F10845AD868B7601C379A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E4D238, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 02E4D29D

Strings

M*, xrefs: 02E4D25A

Memory Dump Source

Source File: 00000004.00000002.476769299.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID: MessageSend
String ID: M*
API String ID: 3850602802-2586121775
Opcode ID: 6aa4589021dd5e755c3b0410168f786f221730bc8cf530bb5a3525dd23104554
Instruction ID: ffbd0717ff8cfef66ae2b06661e2e9979ab0e894688c9d4929a2814340223cc4
Opcode Fuzzy Hash: 6aa4589021dd5e755c3b0410168f786f221730bc8cf530bb5a3525dd23104554
Instruction Fuzzy Hash: 221133B5800249DFDB10CFA9D985BEEBFF4FB58324F14840AE858A7600C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E450D4, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,00000018,00000001,?), ref: 02E4D29D

Strings

M*, xrefs: 02E4D25A

Memory Dump Source

Source File: 00000004.00000002.476769299.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID: MessageSend
String ID: M*
API String ID: 3850602802-2586121775
Opcode ID: e8ff88b234c80eae133ee434586fe9481413aad9a960dbf35915362a32241053
Instruction ID: 6b338c47041df3401a69a2532ce71a2bc6a004b0225a2b9bba464865e2d7ef0f
Opcode Fuzzy Hash: e8ff88b234c80eae133ee434586fe9481413aad9a960dbf35915362a32241053
Instruction Fuzzy Hash: 8D11F2B59002489FDB10CF9AD985BEFBBF8EB48324F10845AE918A7300C774A944CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02E41540, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,02E4226A,?,00000000,?), ref: 02E4C435

Strings

M*, xrefs: 02E4C3F2

Memory Dump Source

Source File: 00000004.00000002.476769299.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID: MessageSend
String ID: M*
API String ID: 3850602802-2586121775
Opcode ID: 1fea7ce99a2af567359afdf015221284dff5324f0ebe87ecbdaafd2eba2d645d
Instruction ID: 964f448b80a0d55e1a49f4d4390d6ebee3c71129e599acb914837161c71a7857
Opcode Fuzzy Hash: 1fea7ce99a2af567359afdf015221284dff5324f0ebe87ecbdaafd2eba2d645d
Instruction Fuzzy Hash: 211103B59007489FDB10CF99D984BEEBBF8EB58324F60845AE958A7700C774A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E4A548, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 02E4BCBD

Strings

M*, xrefs: 02E4BC7A

Memory Dump Source

Source File: 00000004.00000002.476769299.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID: MessageSend
String ID: M*
API String ID: 3850602802-2586121775
Opcode ID: 7d980518f7fc0ffbc346071f05bfc61ce477b92c55536346612151839443422b
Instruction ID: 09d5cca8bd77a84f1071568e77c409fb0d7e46927fe7e4396ac0411a1bca877c
Opcode Fuzzy Hash: 7d980518f7fc0ffbc346071f05bfc61ce477b92c55536346612151839443422b
Instruction Fuzzy Hash: 1211F2B5900748DFDB10CF99D585BEEBBF8EB48324F108419E958A7700C774AA45CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C795C8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 47COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(00000000), ref: 02C7962E

Strings

M*, xrefs: 02C795E7

Memory Dump Source

Source File: 00000004.00000002.476448885.0000000002C70000.00000040.00000001.sdmp, Offset: 02C70000, based on PE: false

Similarity

API ID: HandleModule
String ID: M*
API String ID: 4139908857-2586121775
Opcode ID: 752a1a94f4228fa0f201be4056a6dbdbaf434e813c1b9d545eca562de8e866da
Instruction ID: c13e1264a662ddec6a98af04930eddba4b47226e5e90193ba5930fc6ee7d44cd
Opcode Fuzzy Hash: 752a1a94f4228fa0f201be4056a6dbdbaf434e813c1b9d545eca562de8e866da
Instruction Fuzzy Hash: 7C11F2B6D006498FDB10CF9AC444BDEFBF4EF88324F15851AD829A7600C378A646CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E4C3D0, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(00000000,0000020A,?,00000000,?,?,?,?,02E4226A,?,00000000,?), ref: 02E4C435

Strings

M*, xrefs: 02E4C3F2

Memory Dump Source

Source File: 00000004.00000002.476769299.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID: MessageSend
String ID: M*
API String ID: 3850602802-2586121775
Opcode ID: aba8aad43f01413c0c4dec35c950435fb93afff97c1269dd5791de21053c6302
Instruction ID: 7246b36b827a50eb08d576e6049b7148a1aae6fcd50abb74b38969bcf8fb14a7
Opcode Fuzzy Hash: aba8aad43f01413c0c4dec35c950435fb93afff97c1269dd5791de21053c6302
Instruction Fuzzy Hash: B51145B58002488FDB10CFA9D985BEEFFF4EF48324F60840AE859A7600C375A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E4DC60, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 02E4F435

Strings

M*, xrefs: 02E4F3FA

Memory Dump Source

Source File: 00000004.00000002.476769299.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID: Initialize
String ID: M*
API String ID: 2538663250-2586121775
Opcode ID: 5754c17dc7b81976276178b403f9173f24bd1374d37f89893aefac6bb3e979ef
Instruction ID: 787bd5bd6bbcfcb824d3fb5eabd559e87dc5c6879bcae03df327e38c43b3c79d
Opcode Fuzzy Hash: 5754c17dc7b81976276178b403f9173f24bd1374d37f89893aefac6bb3e979ef
Instruction Fuzzy Hash: 451115B19046488FCB10DF9AD448BDEBBF4EF48324F14845AD559A7B00CB78A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E4BC59, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 46windowCOMMON

Download Yara Rule

APIs

SendMessageW.USER32(?,?,?,?,?,?,?,?,?,00000000), ref: 02E4BCBD

Strings

M*, xrefs: 02E4BC7A

Memory Dump Source

Source File: 00000004.00000002.476769299.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID: MessageSend
String ID: M*
API String ID: 3850602802-2586121775
Opcode ID: 4a5352aba8484b2efde6179ef970525ed7786c95d374b19d00622dde00eca19e
Instruction ID: b6400b99e793dcbd33ec097c44232c3912ecfa4cb35bbc0ac02cf2b7d92ab424
Opcode Fuzzy Hash: 4a5352aba8484b2efde6179ef970525ed7786c95d374b19d00622dde00eca19e
Instruction Fuzzy Hash: 7811F2B5800749DFDB10CF99D585BDEFBF8EB48324F14841AE858A7600C774AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E4F3D8, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 45comCOMMON

Download Yara Rule

APIs

OleInitialize.OLE32(00000000), ref: 02E4F435

Strings

M*, xrefs: 02E4F3FA

Memory Dump Source

Source File: 00000004.00000002.476769299.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID: Initialize
String ID: M*
API String ID: 2538663250-2586121775
Opcode ID: 2082c1a6c82c2b8cc135e1a93eead686c806ad16e41906487a047d3d5671b54c
Instruction ID: 7f79f932868b4c7c3af78827ef3af323d573516ca63e189e52468857a89e5eaa
Opcode Fuzzy Hash: 2082c1a6c82c2b8cc135e1a93eead686c806ad16e41906487a047d3d5671b54c
Instruction Fuzzy Hash: 9D1145B1900248CFCB20CFA9D484BDEBFF4EF48324F148459D558A7600CB34A945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02C7FE40, Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 44COMMON

Download Yara Rule

APIs

SetWindowLongW.USER32(?,?,?), ref: 02C7FE9D

Strings

M*, xrefs: 02C7FE5A

Memory Dump Source

Source File: 00000004.00000002.476448885.0000000002C70000.00000040.00000001.sdmp, Offset: 02C70000, based on PE: false

Similarity

API ID: LongWindow
String ID: M*
API String ID: 1378638983-2586121775
Opcode ID: 1b45c2c2afcf47bb2f0bf738933517b5e7b54bd48a03794ba619f4c4a72ffb84
Instruction ID: ba197da569003753699f75187f63c0fa5abfc5502f934120165ae7ec48eb7ba6
Opcode Fuzzy Hash: 1b45c2c2afcf47bb2f0bf738933517b5e7b54bd48a03794ba619f4c4a72ffb84
Instruction Fuzzy Hash: 651115B59002488FDB10CF99D584BDFFBF8EB48324F10841AD828A7740C374A944CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 012CD4A0, Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.475463548.00000000012CD000.00000040.00000001.sdmp, Offset: 012CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d23931bbe8597fbdde577eee97b1bb292432292761bf76ec5ac31fda93050be9
Instruction ID: 1e10eba431d21e7185e1a759c11f21c40b0b91fbfe072500755bd4c70884be87
Opcode Fuzzy Hash: d23931bbe8597fbdde577eee97b1bb292432292761bf76ec5ac31fda93050be9
Instruction Fuzzy Hash: 22212471514248DFDB11CF88E9C0B67BB65FB98768F24867DEA090A246C336D845CAE1

Uniqueness

Uniqueness Score: -1.00%

Function 012DD01C, Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.475575029.00000000012DD000.00000040.00000001.sdmp, Offset: 012DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0cbd877c27b94f53cf8b035ec875359c26cfe645d627b4907e422b4e00843c5c
Instruction ID: 5df2173e93ebb9df2b990f0639726cacfa08b33e793f6115b84285c21fd5a833
Opcode Fuzzy Hash: 0cbd877c27b94f53cf8b035ec875359c26cfe645d627b4907e422b4e00843c5c
Instruction Fuzzy Hash: 38216471118648DFCB11CFA8D8C0B26BB65FBC8355F24C969E90A4B386C33AD847CA61

Uniqueness

Uniqueness Score: -1.00%

Function 012DD006, Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.475575029.00000000012DD000.00000040.00000001.sdmp, Offset: 012DD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 09209e4866bd43ce92d998e194e34813ef5a106f6f08dbdf03d21682f663faed
Instruction ID: e2be1dcfbc1090a6431e184cbabd765f57103719757484d5dcca5bf69b73e8c1
Opcode Fuzzy Hash: 09209e4866bd43ce92d998e194e34813ef5a106f6f08dbdf03d21682f663faed
Instruction Fuzzy Hash: B121F3754087848FCB03CF24C990B15BF71EB86314F28C5EAC8488B697C33AD84ACB62

Uniqueness

Uniqueness Score: -1.00%

Function 012CD49B, Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.475463548.00000000012CD000.00000040.00000001.sdmp, Offset: 012CD000, based on PE: false

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
Instruction ID: 014855312f1ad56c1c8c72037fdf73bb7172d96fc6e34188766aa44ed7f1b96e
Opcode Fuzzy Hash: 2afa457568e0bb640a5e96658e9777ab49a47e984ab559958fa4953148591eca
Instruction Fuzzy Hash: A111E172404284CFCB12CF44D5C4B16BF71FB84324F2482ADDA050B256C336D45ACBA2

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02E4E190, Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 217threadCOMMON

Download Yara Rule

APIs

GetCurrentThreadId.KERNEL32 ref: 02E4E289

Strings

M*, xrefs: 02E4E4FF
M*, xrefs: 02E4E1BA

Memory Dump Source

Source File: 00000004.00000002.476769299.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID: CurrentThread
String ID: M*$M*
API String ID: 2882836952-16210055
Opcode ID: bf9636f0cc04bddaa4c1f8e6d3fae97b92082f210a54c040dbfb72e548919a77
Instruction ID: 992078879da52adc20b7e49e6a704eb81f1d559f0cf3bee85148d7d8cb7e81f2
Opcode Fuzzy Hash: bf9636f0cc04bddaa4c1f8e6d3fae97b92082f210a54c040dbfb72e548919a77
Instruction Fuzzy Hash: CC818C70E002488FCB11DFA9D454BEEBBF5BF49308F18846AE819AB350DB749945CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E4B990, Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 62COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32(00000031), ref: 02E4B9EE
GetSystemMetrics.USER32(00000032), ref: 02E4BA28

Strings

M*, xrefs: 02E4B9B7

Memory Dump Source

Source File: 00000004.00000002.476769299.0000000002E40000.00000040.00000001.sdmp, Offset: 02E40000, based on PE: false

Similarity

API ID: MetricsSystem
String ID: M*
API String ID: 4116985748-2586121775
Opcode ID: 9e9e8af14d73e315d0962b2198f82a45e283b384e3f0d076cc6dc1d72c9fba2c
Instruction ID: c9c4e93fca6c354a6e0de6786015cf378f98b484cdeffb1b717320dc2eae30b9
Opcode Fuzzy Hash: 9e9e8af14d73e315d0962b2198f82a45e283b384e3f0d076cc6dc1d72c9fba2c
Instruction Fuzzy Hash: B22143B1D003488FDB10CF99D449BEEBFF4AB08319F14845AD458A7340C7B8AA85CFA2

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically requires being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port paring that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may use legitimate desktop support and remote access software, such as Team Viewer, Go2Assist, LogMein, AmmyyAdmin, etc, to establish an interactive command and control channel to target systems within networks. These services are commonly used as legitimate technical support software, and may be allowed by application control within a target environment. Remote access tools like VNC, Ammyy, and Teamviewer are used frequently when compared with other legitimate software commonly used by adversaries.
Tactics:	Command and Control
Data Sources:	Network intrusion detection system, Network protocol analysis, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report URGENTPURCHASEORDER.pdf.exe

Overview

General Information

Detection

Signatures

Classification

Startup

Malware Configuration

Threatname: NanoCore

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Signature Overview

AV Detection:

Compliance:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Version Infos

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets